Decrypting SSL/TLS traffic using Wireshark and private keys
Important: Decrypting the SSL application data may expose sensitive information, such as credit card numbers and passwords. It is recommended that you do not provide private keys to a third party.
Wireshark
The SSL dissector in Wireshark allows you to decrypt application data. This feature is helpful for network troubleshooting or packet and performance analysis.
Prerequisites
You must meet the following prerequisites to use this procedure:
Your Wireshark software is compiled against GnuTLS (SSL decryption support).
The RSA private key file is in PEM format.
Note: You cannot decrypt Diffie-Hellman Ephemeral (DHE) key exchanges. Therefore, traffic using these ciphers will not be decoded.
Procedures
Decrypting SSL/TLS traffic using Wireshark and private keys
Open the Wireshark utility.
Open the capture file containing the encrypted SSL/TLS traffic.
Open the Preferences window by navigation to Edit > Preferences.
Expand Protocols and click TLS. Note: In the older versions of Wireshark (2.x and older) navigate to SSL instead of TLS.
You can redirect SSL debug by specifying a file location in the TLS Debug file text box.
To specify the RSA private key, click Edit and then click + and enter the following information:
IP address: The IP address of the SSL server in IPv4 or IPv6 format
Port: The port number
Protocol: A protocol name for the decrypted network data
Key File: Path to the RSA private key
Password: Specify the password for PCKS#12 keystore
Click OK.
For more information, refer to the Wireshark TLS wiki.
REFERENCES
Last updated
Was this helpful?