Hi Julien!
Opening my PCAP, and pasting in this filter:
"(ip.addr==54.192.55.37) || (ip.addr==54.192.12.211) || (ip.addr==216.137.59.141)"
(one line, without quotes)
and then:
File > "Export Specified Packets". "Packet Range" is "All Packets", the
"Displayed" is selected already, and saving it as:
dump_151029_1757_g0n_MozCloud.pcap
gets, of all the conversations, just the conversations with the Mozilla
Clouds hosts, as I explained it in:
https://forums.gentoo.org/viewtopic-t-1031758.html#7835156
Then we can concentrate solely on those, without all the plethora of
other hosts interfering in the analysis, so to speak (only 8 tcp
streams now, 0-7).
And then, as I explain in the:
https://forums.gentoo.org/viewtopic-t-1031758.html#7835158
it's easy to get the tcp.stream eq $i (where $i is 0-7) out.
And then, it's easy to get to the problem, by saving "tcp.stream eq 5",
the 6th tcp stream (not SLL, but plain TCP stream) into a file.
It's:
-rw-r--r-- 1 miro miro 72M 2015-10-30 16:45 dump_151029_1757_g0n_MozCloud.pcap
I really explained it in that topic on Gentoo Forums, but out of respect
for you, I'm repeating some of the explanations, to just show you
Mozilla devs that I'm talking verifiable facts here (in case some of you
have skimmed too quickly through this issue)...
Once the tcp stream 5 is saved you get:
$ ls -l dump_151029_1757_g0n_MozCloud_s5.dump
-rw-r--r-- 1 miro miro 67764933 2015-10-30 22:41 dump_151029_1757_g0n_MozCloud_s5.dump
$ ls -lh dump_151029_1757_g0n_MozCloud_s5.dump
-rw-r--r-- 1 miro miro 65M 2015-10-30 22:41 dump_151029_1757_g0n_MozCloud_s5.dump
$
That's 65M of data, that ought to not be encrypted, as you say, and I
accept your word that it ought not be encrypted.
But it is, as it appears to me. Or, I must leave that window of
possibility, as I've only discovered very recently that PFS
conversations can be decrypted... And I thank you, Mozilla devs, for the
Network Security Services! Or, I must leave that window of possibility:
it's the lack of my knowledge, but it can be decrypted.
In that case, however, the keys, or something, have to be around in the
PCAP; else it's an intrusion on me, the user, if that missing ingredient
(or whatever to call it) is hidden from me, or if that missing
ingredient is in Mozilla Cloud databases only, and not available to me,
the user, on whose machine the download happened.
Because the gzip'd parts can be taken out of the
dump_151029_1757_g0n_MozCloud_s5.dump, and they qualify as gzip, on the
outside, as Unix's file command says of them (but pls. see the
https://forums.gentoo.org/viewtopic-t-1031758.html#7835158
for a detailed analysis of how I took those gzip'd files out of the dump
with hexedit)...
But the gzip'd files from that dump show (just the third one here):
$ file dump_151029_1757_g0n_MozCloud_s5_03.gz
dump_151029_1757_g0n_MozCloud_s5_03.gz: gzip compressed data, ASCII,
extra field, encrypted
$
and then they can't be gunzipped:
$ gunzip dump_151029_1757_g0n_MozCloud_s5_03.gz
gzip: dump_151029_1757_g0n_MozCloud_s5_03.gz is encrypted -- not
supported
$
So, where are the ingredients to gunzip that file?
Only in Mozilla databases, or somewhere in the PCAP?
If in the PCAP, where?
And if in Mozilla databases, can you pls. send them to me?
Thank you in advance!
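Added example, not part of the post above and not Mozilla's code: the `file` and `gunzip` messages quoted in the post are driven by the flag byte of the gzip member header (RFC 1952 FLG; bit 5 is the legacy FENCRYPT flag, which `file` prints as "encrypted" and which gunzip does not support). This Python script carves gzip members out of a stream dump by their signature and decodes each header's flags and optional fields, so a reader can see exactly which bits produced those messages. The HTTP framing, the file name tile.json and all sample bytes are constructed here, not taken from the PCAP.

```python
import gzip
import io
import struct
# Gzip member header flag bits (RFC 1952, 2.3.1). Bit 5 is reserved in the
# RFC; old gzip used it as FENCRYPT, hence file(1) "encrypted" / gunzip refusal.
FLAG_NAMES = {0x01: "FTEXT", 0x02: "FHCRC", 0x04: "FEXTRA",
              0x08: "FNAME", 0x10: "FCOMMENT", 0x20: "FENCRYPT"}
GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate)

def find_gzip_members(blob: bytes) -> list:
    """Offsets of every gzip member signature in a carved TCP stream dump."""
    offsets, pos = [], blob.find(GZIP_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return offsets

def parse_gzip_header(data: bytes) -> dict:
    """Decode one member's 10-byte fixed header plus its optional fields."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member (bad magic or truncated)")
    cm, flg, mtime, xfl, os_id = struct.unpack("<BBIBB", data[2:10])
    info = {"method": cm, "flags": flg, "mtime": mtime, "xfl": xfl, "os": os_id,
            "flag_names": [n for b, n in FLAG_NAMES.items() if flg & b],
            "reserved_bits_set": bool(flg & 0xE0),
            "extra": None, "name": None, "comment": None}
    pos = 10
    if flg & 0x04:  # FEXTRA: little-endian XLEN, then XLEN bytes
        (xlen,) = struct.unpack_from("<H", data, pos)
        info["extra"] = data[pos + 2:pos + 2 + xlen]
        pos += 2 + xlen
    for bit, key in ((0x08, "name"), (0x10, "comment")):  # zero-terminated
        if flg & bit:
            end = data.index(b"\x00", pos)
            info[key] = data[pos:end].decode("latin-1")
            pos = end + 1
    if flg & 0x02:  # FHCRC: CRC16 over the header so far
        pos += 2
    info["payload_offset"] = pos  # raw deflate data starts here
    return info

# Constructed sample (not PCAP bytes): HTTP-like framing, a member with FNAME,
# a separator, and a member with the legacy bit 5 forced on.
buf = io.BytesIO()
with gzip.GzipFile(filename="tile.json", fileobj=buf, mode="wb", mtime=0) as g:
    g.write(b'{"ok": true}')
NAMED_MEMBER = buf.getvalue()
flagged = bytearray(gzip.compress(b"payload", mtime=0))
flagged[3] |= 0x20  # header flag byte: file(1) would now say "encrypted"
FLAGGED_MEMBER = bytes(flagged)
SAMPLE = b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n" + NAMED_MEMBER + b"\r\n--\r\n" + FLAGGED_MEMBER
```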