How to view Encrypted Application Data in Wireshark
screenshot of wireshark

I have written an Android app to get JSON data via HTTPS and I want to use Wireshark to capture the data.

How can I view the Encrypted Application Data?

Budgie answered 27/8, 2013 at 4:27 Comment(0)

I spent a loooong time researching it, but it doesn't work. I use another tool to do that: Fiddler. It's here and works well.

Budgie answered 30/8, 2013 at 8:38 Comment(1)
Fiddler worked for me! The Wireshark/SSLKEYLOGFILE worked for my browser-based traffic, but not on encrypted application data from other apps. Setting up decryption in Fiddler was more user-friendly, but setting up filtering had a learning curve since I was used to Wireshark/Microsoft Network Monitor. (Northern)

Using a Key Log File

Wireshark can decrypt TLS data if you provide a file containing the master secret that's exchanged during a TLS connection.

Define the location of the log file using an environment variable:

export SSLKEYLOGFILE=~/.ssl-key.log

You can make this permanent by putting that line into your .bashrc or bash_profile but keeping those secrets lying around poses a security risk.

Then, point Wireshark to that file:

  1. Go to preferences (press Ctrl+Shift+p) → Protocols → TLS (no need to scroll all the way down, you can type "TLS")
  2. Enter the path of the log file in "(Pre)-Master-Secret log filename"

Wireshark TLS preferences with (Pre)-Master-Secret log filename

Start capturing packets with Wireshark, create some TLS traffic (with curl for example), and inspect the decrypted data:

Wireshark packets with decrypted data

Your SSLKEYLOGFILE will contain lines like these:

CLIENT_RANDOM c1299911e65097c367c0124fb97548f81b618cbdc9c270c10a350c4fd39f3eb6 0d7523a42610316250b7a72fe2881daa6aff1bedf5955c64a747fc43bd93cbf1bf3650eeabb8f47b350feaedd7209952

Here are some resources regarding TLS in Wireshark:


The Wireshark version in this answer is 3.4.6 running on Arch Linux 5.12.9.

Roentgenoscope answered 23/6, 2021 at 7:15 Comment(2)
Where do you add the key file? How does it just get decrypted? (Baroness)
@StanPeng: You define the location of the key log file with the environment variable SSLKEYLOGFILE. I chose the destination ~/.ssl-key.log by running export SSLKEYLOGFILE=~/.ssl-key.log in Bash. Then I used Wireshark's settings as shown in the answer to tell Wireshark that the key log file will be at ~/.ssl-key.log. Finally, if you use an application like curl that knows about SSLKEYLOGFILE, you'll get a file at ~/.ssl-key.log. Wireshark will read it and use it to decrypt the traffic. (Roentgenoscope)
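As an added example (not from the answer above and not Wireshark's own code), a small Python parser for the key log format that Wireshark reads from the "(Pre)-Master-Secret log filename" setting: it accepts the CLIENT_RANDOM line quoted in the answer as well as the TLS 1.3 per-secret labels, rejects lines that could never decrypt anything, and looks a secret up by the ClientHello random the way the dissector does per session. The sample file contents are constructed, apart from the line taken from the answer.

```python
import re

# Labels Wireshark accepts: CLIENT_RANDOM for TLS 1.2 and earlier, per-secret
# labels for TLS 1.3 (this is the NSS key log format that SSLKEYLOGFILE produces).
LABELS = {"CLIENT_RANDOM", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
          "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
          "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return (entries, rejected): entries are (label, client_random, secret) byte tuples."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments are ignored
            continue
        parts = line.split()
        ok = (len(parts) == 3 and parts[0] in LABELS
              and all(HEX.match(p) for p in parts[1:])
              and len(parts[1]) == 64)            # ClientHello.random is always 32 bytes
        if ok:
            # TLS 1.2 master secret is 48 bytes; TLS 1.3 secrets are 32 or 48 bytes
            # depending on the cipher suite's hash (SHA-256 vs SHA-384).
            want = {96} if parts[0] == "CLIENT_RANDOM" else {64, 96}
            ok = len(parts[2]) in want
        if not ok:
            rejected.append(line)
            continue
        entries.append((parts[0], bytes.fromhex(parts[1]), bytes.fromhex(parts[2])))
    return entries, rejected

def lookup_secret(entries, client_random_hex, label="CLIENT_RANDOM"):
    """Mirror what the dissector does per session: key the secret off the ClientHello random."""
    rand = bytes.fromhex(client_random_hex)
    for lbl, cr, secret in entries:
        if lbl == label and cr == rand:
            return secret
    return None

# Constructed sample file: the CLIENT_RANDOM line quoted in the answer above, a
# constructed TLS 1.3 line, and a malformed line that would never decrypt anything.
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, generated by openssl\n"
    "CLIENT_RANDOM c1299911e65097c367c0124fb97548f81b618cbdc9c270c10a350c4fd39f3eb6 "
    "0d7523a42610316250b7a72fe2881daa6aff1bedf5955c64a747fc43bd93cbf1bf3650eeabb8f47b350feaedd7209952\n"
    "CLIENT_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "22" * 32 + "\n"
    "CLIENT_RANDOM deadbeef tooshort\n"
)

if __name__ == "__main__":
    good, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(good)} usable secret(s), {len(bad)} rejected line(s): {bad}")
```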
