How to gradually encrypt the tshark output file along the capture?

Question

In order to secure a packet capture, which method would you use to make all (or close to all) past captured packet utterly unaccessible unless a given password is given.

My habbits are

• to mount an ecrypt partition

  mount -t ecryptfs /srv /srv
  

• to run tshark with a buffer and save files on the encrypted filesystem /media/

  tshark -B 100k -i wlan0 -w /srv/capture-file.pcap
  

The problem with this method is that the file capture-file.pcap is only unaccessible once the ecryptfs system is unmounted.

How can I do a capture with no non-encrypted version of the capture on the system at all?

Answer 1

The de facto standard tool for encrypting data is GnuPG (or the compatible proprietary program PGP.

Generate a key pair on the machine where you'll want to decrypt the data (gpg --gen-key). Export the public key (gpg --export …) and copy it to the machine where you'll be encrypting (of course you can skip this step if the encryption and the decryption will be done on the same machine). Then run

tshark … -w - | gpg -e >capture.pcap.gpg

To decrypt, just run gpg capture.pcap.gpg.

GnuPG can also do password-based encryption, with -c instead of -e. This is less secure for two reasons:

• Because people tend to choose insufficiently strong passwords, and even the best memorable password isn't as strong as a randomly-generated key.
• Because the information necessary to encrypt is also sufficient to decrypt, whereas using an asymmetric key pair makes it possible to encrypt without having the credentials to decrypt.

Answer 2

For encrypted capture

tshark -w - | openssl enc -des3 -out capture.pcap.des3

Reading with

openssl enc -d -des3 -out capture.pcap.des3 | wireshark -i - k