Decrypt Secure (TLS / SSL) Browser Traffic with Wireshark

 

The only future of web applications is with SSL and TLS however this is a nightmare for me and many other web application developers. When we moved all our applications to use secure communications always it became difficult to debug the web application and web api. Luckily Wireshark helps us solve this problem. Currently any secure traffic captured by Wireshark looks like this.

 

a picture showing normal packet capture using WireShark

Normal SSL Traffic Capture

 

The previous versions allowed to decrypt the secure traffic that used RSA only if the private key could be provided to Wireshark but it is no longer possible to decrypt traffic with just the private keys. This is where Session Key Logging comes into the picture. The browsers that we care about (Chrome and Firefox) support logging symmetric session key which is then used by Wireshark to decrypt the secure traffic.

 

Enable Session Key Logging

  • This could be done by simply by adding an environment variable. To add an environmental variable in Windows go to Computer Properties. One way to reach there is by Right-Clicking the My PC and select Properties.

 

a picture showing how to open computer properties

My PC Properties

 

  • Then Select Advanced System Setting

 

a picture showing where to click to open Advanced System Settings

Advanced System Settings

 

 

  • Followed by selecting Environment Variables
a picture showing where to click to open Environment variable sin Windows

Environment Variables

 

  • Now add a new User Environment Variable.

 

a picture showing way to add new user environment variable SSLKEYLOGFILE

SSLKEYLOGFILE User Variable

 

    Note – Restart your browser so that the log file is created.

  • Now that we have our environment variable setup. Let go to Wireshark and configure it read these keys to decrypt traffic. To do that go to Edit –> Preferences

 

a showing where to open wireshark preferences from menu

Wireshark preferences menu

 

  • Navigate to Protocols –> SSL. Browse to the path where you specified the log file to be created and select the file.
a picture showing where to specify the session keys log file in wireshark

wireshark ssl keys

 

  • Now we are all set to decrypt the secure traffic in wireshark. Start capturing traffic with Wireshark and select any TLS or SSL packet to decrypt.

 

a picture showing normal ssl packet details captured by wireshark

Normal SSL Traffic Capture

 

  • But when you move to the Decrypted SSL you would be able to see the decrypted traffic.

 

a picture showing decrypted packet in wireshark

Decrypted Packet

 

Hope this helps you with your work with secure web packets.

 

Any questions, comments and feedback is always welcome.

Leave a Reply

Your email address will not be published. Required fields are marked *