Does anyone know how to "tcpdump" traffic decrypted by Mallory MITM? [migrated]

Posted by chriv on Server Fault
Published on 2012-09-12T20:32:13Z Indexed on 2012/09/12 21:40 UTC

I'm looking for some help in capturing network traffic that I can analyze in Wireshark (or other tools). The tool I'm using is mallory.

If anyone is familiar with mallory, I could use some help. I've got it configured and running correctly, but I don't know how to get the output that I want.

The setup is on my private network. I have a VM (running Ubuntu 12.04 - precise) with two NICs:

  • eth0 is on my "real" network
  • eth1 is only on my "fake" network, and is using dnsmasq (for DNS and DHCP for other devices on the "fake" network)

Effectively eth0 is the "WAN" on my VM, and eth1 is the "LAN" on my VM.

I've set up mallory and iptables to intercept, decrypt, encrypt and rewrite all traffic coming in on destination port 443 on eth1. On the device I want intercepted, I have imported the ca.cer that mallory generated as a trusted root certificate.

I need to analyze some strange behavior in the HTTPS stream between the client and server, so that's why mallory is set up in between for this MITM.

I would like to take the decrypted HTTPS traffic and dump it to either a logfile or a socket in a format compatible with tcpdump/wireshark (so I can collect it later and analyze it).

Running tcpdump on eth1 is too soon (it's encrypted), and running tcpdump on eth2 is too late (it's been re-encrypted). Is there a way to make mallory "tcpdump" the decrypted traffic (in both directions)?

© Server Fault or respective owner
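The "dump the plaintext in a tcpdump-compatible format" step the question asks for, as an added example that is not part of the original post or of the mallory project: given the decrypted bytes a TLS-terminating proxy hands over in each direction, it wraps them in synthetic Ethernet/IPv4/TCP headers with consistent sequence numbers and emits a classic pcap byte stream that Wireshark opens and can "Follow TCP Stream" on. The addresses, ports and MACs are constructed placeholders, and how the proxy delivers the plaintext to this code is assumed, since the page does not describe mallory's hooks.

```python
import socket
import struct

# Constructed endpoints for the synthetic headers (assumptions, not from the question).
CLIENT = ("10.0.0.2", 50000)
SERVER = ("10.0.0.1", 443)
# Classic pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 = Ethernet.
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
FRAME_OVERHEAD = 14 + 20 + 20  # Ethernet + IPv4 + TCP header bytes in every frame

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_frame(src, dst, seq, ack, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP (PSH|ACK) frame carrying `payload`. The TCP checksum is left
    zero; Wireshark does not validate it by default, so stream reassembly still works."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src[0]), socket.inet_aton(dst[0]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill in header checksum
    eth = bytes.fromhex("020000000001" "020000000002" "0800")  # constructed locally administered MACs
    return eth + ip + tcp + payload

def build_pcap(messages, ts: float = 0.0) -> bytes:
    """messages: ordered list of ('c2s' | 's2c', plaintext_bytes) as the proxy saw them.
    Seq/ack numbers advance with the payload so both directions form one TCP stream."""
    out = bytearray(PCAP_GLOBAL_HEADER)
    seq = {"c2s": 1000, "s2c": 2000}  # constructed initial sequence numbers
    for direction, data in messages:
        src, dst = (CLIENT, SERVER) if direction == "c2s" else (SERVER, CLIENT)
        other = "s2c" if direction == "c2s" else "c2s"
        frame = tcp_frame(src, dst, seq[direction], seq[other], data)
        seq[direction] += len(data)
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(frame), len(frame))
        out += frame
        ts += 0.001  # constructed 1 ms spacing between records
    return bytes(out)

def payloads(pcap: bytes) -> list:
    """Walk the records back out and return each frame's TCP payload (sanity check of the file)."""
    pos, result = 24, []
    while pos < len(pcap):
        incl_len = struct.unpack("<I", pcap[pos + 8:pos + 12])[0]
        result.append(pcap[pos + 16 + FRAME_OVERHEAD:pos + 16 + incl_len])
        pos += 16 + incl_len
    return result
```

Write the bytes returned by build_pcap() to a file (e.g. decrypted.pcap) and open it in Wireshark or tcpdump -r; because the headers carry real IPv4 checksums and a consistent seq/ack chain, the two directions reassemble as one conversation.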
