Skip to content
/ curldump Public

A Docker image to run the curl command and save the capture file that containing the TLS decryption secret.

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jptomoya/curldump

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
.github/workflows
.github/workflows
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
curldump.sh
curldump.sh
 
 
docker-entrypoint.sh
docker-entrypoint.sh
 
 

Repository files navigation

curldump

A Docker image to run the curl command and save the capture file that containing the TLS decryption secret. This can be useful for immediate analysis of the saved pcapng file in Wireshark.

Usage

docker run -i --rm -v $PWD:/work --cap-add NET_ADMIN ghcr.io/jptomoya/curldump [curl options...] <url>

All arguments are passed to the curl command.

The NET_ADMIN capability is needed for packet capturing. The option -v $PWD:/work creates a bind mount for current directory because the capture file will be saved under /work in the Docker container. Of cource, you can create a bind mount for any directory where you want to save the file.

The result is saved as "curldump_XXXXXX.pcapng" (where XXXXXX is a random string). You can specify pcapng filename by setting the OUTFILE environment variable using -e OUTFILE=<pcapng filename> in the docker run options.

Example

OUTFILE=example.pcapng docker run -i --rm -v $PWD:/work --cap-add NET_ADMIN -e OUTFILE ghcr.io/jptomoya/curldump https://www.example.com/

You can also run the curldump.sh script located in the root of the repository directly from the host as shown below:

OUTFILE=<pcapng file> curldump.sh [curl options...] <url>

Running the script in a Docker container is recommended to obtain a clean result by filtering out unrelated packets. To run the curldump.sh script, following tools must be installed.

  • curl
  • dumpcap (from wireshark-common)
  • editcap (from wireshark-common)
  • ss (from iproute2)

Finally, open the saved pcapng file with Wireshark. The TLS communication will be decrypted automatically.

curldump_2023-04-15.mp4

Install

You can use the following wrapper script. Save the script into a directory in the PATH (e.g. /usr/local/bin/curlcump).

#!/bin/sh
docker run --rm -i -v "$PWD":/work --cap-add NET_ADMIN -e OUTFILE ghcr.io/jptomoya/curldump "$@"

To install curldump into /usr/local/bin, open a teminal and type the following commands:

sudo sh -c 'cat <<EOF > /usr/local/bin/curldump
#!/bin/sh
docker run --rm -i -v "\$PWD":/work --cap-add NET_ADMIN -e OUTFILE ghcr.io/jptomoya/curldump "\$@"
EOF'
sudo chmod +x /usr/local/bin/curldump

Development

Clone the repository:

git clone https://github.com/jptomoya/curldump.git
cd curldump

Then, build the Dockerfile:

docker build -t curldump .

Afterwards, run the built docker container:

docker run -i --rm -v $PWD:/work --cap-add NET_ADMIN curldump https://www.example.com/

About

A Docker image to run the curl command and save the capture file that containing the TLS decryption secret.

Topics

tls curl wireshark decryption sslkeylogfile

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages