You are here: Home / Blogs / Using Wireshark to Decode SSL/TLS Packets
I mentioned in my Tcpdump Masterclass that Wireshark is capable of decrypting SSL/TLS encrypted data in
packets captured in any supported format and that if anyone wanted to know how for them to ask. Someone
did, so here it is.
This is an extremely useful Wireshark feature, particularly when troubleshooting within highly secure network
architectures. This article examines the requirements and Wireshark configuration required to do so and
provides some information on issues commonly encountered when using this feature.
Note Ive now also written a version of this article but using ssldump for real-time decryption at the command
line.
converted by Web2PDFConvert.com
Requirements
I know this list seems pretty long; I dont think thats necessarily a bad thing; if you cant meet all these
requirements, you probably shouldnt be attempting to decrypt the data. As ever, preparation is key; if you
think youll need to do this even if just once a month, find out what you need to do to make meeting these
prerequisites less onerous.
On Linux systems WireShark must be compiled against Gnu-TLS and GCrypt, not OpenSSL or
some other encryption suite; not something to worry about on Windows systems.
The private key used to encrypt the data must be available on the system running Wireshark.
The private key file must be in the PEM or PKCS12 format; if its not you can use OpenSSL to
convert what you have as appropriate, just Google it.
The private key file should only contain the private key, not the public key (aka the certificate).
Files frequently contain both, check by viewing the file in a true text editor. You only need the
text delimited by this;
Header:
BEGIN RSA PRIVATE KEY
Footer:
END RSA PRIVATE KEY
Any PEM private key file must not have a passphrase. It seems this is no longer an issue.
RSA keys must have been used to encrypt the data.
The capture must include both sides of a conversation. In other words, the capture must
include the full client and server exchange.
Important: The capture must include the initial SSL/TLS session establishment. In other
words, the CLIENTHELLO and SERVERHELLO exchange. Beware captures taken where a
session has been resumed. Ideally, ensure any capture either a) is of packets related to an
entirely new device connecting or b) where a device that has already previously established a
session is used, it is used after a considerable time after the last session was established.
Important: Ensure the use of a Diffie-Hellman Ephemeral (DHE/EDH) or RSA Ephemeral
cipher suite is not negotiated between the two hosts. This is indicated by the use of a
ServerKeyExchange message. There is no way to decrypt data where ephemeral ciphers are
used.
converted by Web2PDFConvert.com
Click the RSA Keys List Edit button, click New and then enter the following information;
IP Address is the IP address of the host that holds the private key used to decrypt the data
and serves the certificate (i.e. the decrypting host, the server)
Port is the destination port used to communicate with the host that holds the private key
used to decrypt the data and serves the certificate (i.e. the decrypting host, the server)
Protocol is the upper-layer protocol encrypted by SSL/TLS, for instance, the protocol
encrypted over a HTTPS web connection is HTTP
Key File select as necessary
Password is the passphrase used to protect the private key file, if any
I believe a wildcard IP address of 0.0.0.0 and wildcard port of 0 or data can be used.
Optionally, enter the path and file name of a debug file that you might find useful in helping you diagnose any
issues with the decryption. Note this may slow down the initial load of the capture file.
Then simply open the capture and, if youve met all the requirements, you should find the application data has
been unencrypted. If the standard SSL/TLS port isnt being used you may need to select a relevant packet and
then click Analyse > Decode As and then select SSL.
Summary
This can be a real life-saver and it can also be a real pain; especially if you tell others you can do it and then
find the capture you have isnt suitable or DHE or similar is in use. Make sure you caveat what might be
possible and ideally, avoid the need to do this at all, its better that way.
Just as an aside, on the subject of performance, try using ECXXX where you can, the performance is great. (For
those using F5s, I dont think these are native so probably that negates the benefits.)
Id highly recommend the free Crypto 101 course/book for those new to this subject (or needing to brush up).
Corrections are most welcome, for everyones benefit.
The icon Artwork used in this article is by the GNOME Project and licensed under the Creative Commons
Attribution-Share Alike 3.0 United States License.
Operation (Unicorn?) Mincemeat, Counter Security, and a book about JWAS
COMMENTS
Ivan Pepelnjak says
August 8, 2013 at 6:14 AM
Great post (including the explanation why and when SSL decode works I was looking for that a few
months ago and had to figure it out myself ;).
As for browser support I was making the exact same statement until my students corrected me: most
browsers have built-in Firebug-like debugger these days, including Chrome and Safari. To open it in
Chrome, right-click on anything and select Inspect this element, then select the Net tab.
Keep up the great work!
Ivan
Reply
Steven Iveson says
August 8, 2013 at 9:51 AM
Thanks Ivan, its appreciated. Cheers
Reply
Uros says
August 8, 2013 at 7:07 AM
You can also use built-in developer mode in Chrome (CTRL+SHIFT+i) to troubleshoot http/https
converted by Web2PDFConvert.com
headers.
Reply
Steven Iveson says
August 8, 2013 at 9:49 AM
Thanks Uros, Ive now referenced your comment in the article. Cheers
Reply
Jens says
August 9, 2013 at 2:28 PM
A great wireshark feature especially for vendor cases is that it can export SSL session keys into a plain
text file. If you dont mind giving away the clear data in the SSL packets this file can safely be sent to
the vendor.
Then it needs to be configured under Edit, Preferences, Protocols, SSL, Pre-Master-Secret log
filename and the SSL sessions in the loaded packet capture can be decrypted without the need of the
private key (that you most probably dont want to forward to the vendor).
Note: Same note as above applies you need to the the initial session establishment also!
Reply
Jens says
August 9, 2013 at 2:30 PM
Export can be found under File, Export SSL Session Keys.
Reply
Steven Iveson says
August 9, 2013 at 8:14 PM
Many thanks Jens, nice to learn something new! Ive updated the article quickly for now
referencing your comments, Ill update with full details sometime later. Thanks again.
Reply
converted by Web2PDFConvert.com
converted by Web2PDFConvert.com
Cerber says
April 28, 2016 at 12:30 PM
Thank you for the article!
Reply
Karan says
June 20, 2016 at 10:39 PM
I have a Apache server installed on Ubuntu.
I have a generated self signed ssl certificate and key file.
I need to capture and decrypt ssl traffic of my webpage on localhost using wireshark.
Reply
Steven Iveson says
June 21, 2016 at 11:04 AM
Hey Karan,
In that case you have everything you need to decrypt the traffic as described in the article. Feel
free to PM me on Twitter if you need a bit of help.
Reply
LEAVE A REPLY
Your email address will not be published. Required fields are marked *
Name *
Email *
Website
Comment
POST COMMENT
converted by Web2PDFConvert.com
LATEST PODCASTS
THE WEEKLY SHOW
Show 315: Future Of Networking Pradeep Sindhu November 18, 2016
NETWORK BREAK
Network Break 112: Facebook Opens 100G Backpack; Broadcom Borrows Billions November 14, 2016
DATANAUTS
Datanauts 060: Running OpenStack In Containers November 16, 2016
PRIORITY QUEUE
PQ Show 100: Engineers At The Bar Round 2 November 17, 2016
converted by Web2PDFConvert.com
First Name
Last Name
SUBSCRIBE
A bi-weekly newsletter about the human side of life in IT.
Last Name *
SUBSCRIBE
Blogs, news, and podcasts from the Packet Pushers community delivered weekly.
Supporters' Newsletter
* indicates required
Email Address *
First Name
Last Name
SUBSCRIBE
Infrequent update with Packet Pushers news and events.
RECENT COMMENTS
fbifido (@fbifido) on The Scaling Limitations of Etherchannel -Or- Why 1+1 Does Not Equal 2
converted by Web2PDFConvert.com
converted by Web2PDFConvert.com
SEARCH FORUMS
SEARCH
converted by Web2PDFConvert.com
All content 2015 Packet Pushers Interactive, LLC. All rights reserved.
converted by Web2PDFConvert.com