
Using Wireshark To Decode SSL/TLS Packets


AUGUST 7, 2013 BY STEVEN IVESON

I mentioned in my Tcpdump Masterclass that Wireshark is capable of decrypting SSL/TLS encrypted data in
packets captured in any supported format and that anyone who wanted to know how should ask. Someone
did, so here it is.
This is an extremely useful Wireshark feature, particularly when troubleshooting within highly secure network
architectures. This article examines the requirements and the Wireshark configuration needed to do so and
provides some information on issues commonly encountered when using this feature.
Note: I've now also written a version of this article using ssldump for real-time decryption at the command
line.

Isn't SSL/TLS Secure?


Don't let this article give you the impression it's not; as you'll see from the next section, there's a good deal of
requirements that must be met. However, there are plenty of other reasons to consider it insecure. If you're
reading this article and you're responsible for and care about the privacy and security of your traffic, please
keep in mind that SSL/TLS, in reality, presents no more than a façade of security today; in the same way money
apparently represents real value and different sex marriages normality and stability.
Ignoring our post-PRISM world for a moment (everyone is anyway right?); from a technical standpoint SSLv2
(regardless of the ciphers etc. used with it) is widely considered as insecure. You really shouldn't be using it;
however, don't just use v3 or TLS and consider that enough to offer a good security posture. How it's configured
and the options and ciphers you allow (or not) are far more important, but that's an article for another day.
Taking PRISM's (and other countries' similar programs') implications into account, frequent technical
weaknesses exploited through techniques such as BEAST or BREACH, the ease with which a fake CA can be
installed on most devices and the decidedly risky nature of trusting any Certificate Authorities (CAs) after
recent scandals and revelations, I'd have a hard time convincing anyone to use SSL/TLS. That is, if there was an
alternative, which there isn't. It probably doesn't matter anyway, why try and break encryption when you can
just knock on the door and ask politely like most government agencies and police forces can in some form or
other.
I use self-signed certificates for the on-line services I run for myself; there's a reason I run them myself. Any
false security I may have had around any large organisation (including government) being as fallible and
poorly organised as the people within it and unable to consume the necessary volume of information to be
effective without genuinely prohibitive expense has vanished in recent years. Again, you can read more about
that in a later article; I'm far from a security pro so take this whole section with a pinch of salt.

Requirements
I know this list seems pretty long; I don't think that's necessarily a bad thing; if you can't meet all these
requirements, you probably shouldn't be attempting to decrypt the data. As ever, preparation is key; if you
think you'll need to do this even if just once a month, find out what you need to do to make meeting these
prerequisites less onerous.

- On Linux systems Wireshark must be compiled against GnuTLS and GCrypt, not OpenSSL or
  some other encryption suite; this is not something to worry about on Windows systems.
- The private key used to encrypt the data must be available on the system running Wireshark.
- The private key file must be in the PEM or PKCS12 format; if it's not you can use OpenSSL to
  convert what you have as appropriate, just Google it.
- The private key file should only contain the private key, not the public key (aka the certificate).
  Files frequently contain both; check by viewing the file in a true text editor. You only need the
  text delimited by this:
  Header: -----BEGIN RSA PRIVATE KEY-----
  Footer: -----END RSA PRIVATE KEY-----
- Any PEM private key file must not have a passphrase. It seems this is no longer an issue.
- RSA keys must have been used to encrypt the data.
- The capture must include both sides of a conversation. In other words, the capture must
  include the full client and server exchange.
- Important: The capture must include the initial SSL/TLS session establishment. In other
  words, the CLIENTHELLO and SERVERHELLO exchange. Beware captures taken where a
  session has been resumed. Ideally, ensure any capture either a) is of packets related to an
  entirely new device connecting or b) where a device that has already previously established a
  session is used, it is used a considerable time after the last session was established.
- Important: Ensure that a Diffie-Hellman Ephemeral (DHE/EDH) or RSA Ephemeral
  cipher suite is not negotiated between the two hosts. Use of one is indicated by a
  ServerKeyExchange message. There is no way to decrypt data where ephemeral ciphers are
  used.
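
A pre-flight check for the key file requirements above, as an added example that is not part of the original article: it lists the PEM blocks in a file, flags anything other than a single unencrypted RSA PRIVATE KEY block, and extracts just the key block. The function names and the sample files (placeholder bodies, no real key material) are constructed for illustration.

```python
import re

# Matches one PEM block; group 1 is the label between BEGIN/END, group 2 the body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def audit_key_file(text):
    """Return (labels found, problems) for a candidate Wireshark key file."""
    blocks = [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]
    labels = [label for label, _ in blocks]
    keys = [(l, b) for l, b in blocks if l.endswith("PRIVATE KEY")]
    problems = []
    if not keys:
        problems.append("no private key block")
    if len(keys) > 1:
        problems.append("more than one private key block")
    problems += [f"extra block: {l}" for l in labels if not l.endswith("PRIVATE KEY")]
    for label, body in keys:
        if label != "RSA PRIVATE KEY":
            problems.append(f"unexpected header: {label}")
        # Traditional encrypted PEM carries a Proc-Type header; PKCS#8 says so in the label.
        if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("key is passphrase protected")
    return labels, problems

def private_key_only(text):
    """Return the first private key block with its delimiters, or None."""
    for m in PEM_BLOCK.finditer(text):
        if m.group(1).endswith("PRIVATE KEY"):
            return m.group(0) + "\n"
    return None

# Constructed sample: certificate and key in one file, placeholder bodies only.
COMBINED = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgS0VZ
-----END RSA PRIVATE KEY-----
"""

# Constructed sample: a passphrase-protected key in the traditional PEM form.
ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

Q09OU1RSVUNURUQgS0VZ
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, sample in (("combined", COMBINED), ("encrypted", ENCRYPTED)):
        print(name, audit_key_file(sample))
    print(private_key_only(COMBINED))
```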

Configuring Wireshark to Decrypt Data


In Wireshark click Edit > Preferences
Select and expand Protocols, scroll down (or just type ssl) and select SSL
Click the RSA Keys List Edit button, click New and then enter the following information:

- IP Address is the IP address of the host that holds the private key used to decrypt the data
  and serves the certificate (i.e. the decrypting host, the server)
- Port is the destination port used to communicate with the host that holds the private key
  used to decrypt the data and serves the certificate (i.e. the decrypting host, the server)
- Protocol is the upper-layer protocol encrypted by SSL/TLS; for instance, the protocol
  encrypted over an HTTPS web connection is HTTP
- Key File: select as necessary
- Password is the passphrase used to protect the private key file, if any

I believe a wildcard IP address of 0.0.0.0 and wildcard port of 0 or data can be used.
Optionally, enter the path and file name of a debug file that you might find useful in helping you diagnose any
issues with the decryption. Note this may slow down the initial load of the capture file.
Then simply open the capture and, if you've met all the requirements, you should find the application data has
been unencrypted. If the standard SSL/TLS port isn't being used you may need to select a relevant packet and
then click Analyse > Decode As and then select SSL.

Allowing Others to Decrypt Without The Private Key


Thanks to Jens for his comments below on extracting the session keys from a decrypted capture; this
avoids sending your valuable private key to a vendor or other party that you want to see the unencrypted data.
The exported session keys only unlock the sessions in that capture, not other traffic protected by the same private key.
To do this, decrypt the capture as detailed above and then click File > Export SSL Session Keys, provide a file
name and save to an appropriate location. You can then send this file, along with the capture, to someone you
wish to decrypt the captured data; all they then need to do is:
- Load the capture in Wireshark and then click Edit > Preferences
- Select and expand Protocols, scroll down (or just type ssl) and select SSL
- Click the Browse button to the right of (Pre)-Master-Secret log filename and select the session key file
  that you also sent to them.
Cloudshark also tweeted to say: "in CloudShark you can keep your keys secure decode without sharing!" I
was rather dubious about the security (or rather lack of it) of providing keys to a cloud service but it turns out
they now provide appliances. Thus your keys truly remain under your control and you can provide access to
decoded captures without having to provide your keys. However, I assume this means you need to provide
access to your appliance's interface.

Notes & Issues


- Ensure you've met all the requirements listed earlier.
- Wireshark can only decrypt SSL/TLS packet data if RSA keys are used to encrypt the data. If a
  Diffie-Hellman Ephemeral (DHE) or RSA ephemeral cipher suite is used, the RSA keys are only
  used to secure the DH or RSA exchange, not encrypt the data. Thus, even if you have the
  correct RSA private key, you will not be able to decrypt the data with Wireshark or any other
  tool. You can check which cipher suite is being used by examining the Server Hello packet
  sent by the host that holds the private key; if the cipher suite specified begins TLS_DHE or
  SSL_DHE, you will not be able to decrypt the data. If the server sends a ServerKeyExchange
  message, you will not be able to decrypt the data. I've no idea how to prevent RSA ephemeral
  use. For DHE, your only option (if possible) is to modify either the client or server
  configuration so that DHE cipher suites are not used.
  - For Firefox, enter this URL in the address bar: about:config, click the warning button
    and then enter this in the filter bar: security.ssl3.dhe. Set each preference displayed to
    false and then filter again for security.ssl3.ecdhe and do the same again.
  - Server side (not recommended), if using OpenSSL you could also change any configured
    cipher strings to include !DHE and !ECDHE
  - With Java something like jdk.tls.disabledAlgorithms=DHE, ECDHE in the relevant place
    should suffice
- The issue detailed above may also occur with exportable RSA cipher suites (those using keys
  under 1024 bits in size) which you shouldn't be using anyway.
- Wireshark can only decrypt SSL/TLS packet data if the capture includes the initial SSL/TLS
  session establishment. Re-used sessions cannot be decrypted; you can identify these as the
  server will not send a certificate or alternatively, the Wireshark SSL debug file will display a
  "ssl_restore_session can't find stored session" error message.
- Ensure the IP address used in the RSA Keys List entry is the IP address as seen in the capture.
  Due to NATting this may not be the IP the client uses or the server's real IP address.
- For Linux users, if you don't have the RSA Keys List button available, it's likely Wireshark was
  not compiled against GnuTLS. You can check this by running the command wireshark -v. The
  output should include GnuTLS and GCrypt; if it doesn't, reconfigure Wireshark with
  --with-gnutls, recompile and reinstall.
- Check your PEM private key file contains the correct header and footer, as shown previously,
  and no others.
- Check your private key file is in the correct format: PEM or PKCS12.
- Update: Twitter just led me to this article from Dominic Tulley of IBM that suggests duplicate
  packets may also cause issues and prevent all relevant packets being decrypted. If you
  experience this issue, the answer is to use editcap -d to remove duplicate packets from the
  capture file.
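
The handshake checks described in the requirements and in the notes above, as an added example that is not part of the original article: it walks the server's cleartext handshake messages and reports the three conditions that stop RSA-key decryption (a non-RSA key exchange, a ServerKeyExchange message, and a resumed session with no Certificate). The function names, the small cipher suite table and the sample byte strings are constructed for illustration, and the layout parsed is that of SSLv3 through TLS 1.2.

```python
import struct

SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 2, 11, 12, 14

SUITES = {  # subset of the IANA cipher suite registry, enough for the samples below
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

def handshake_messages(flight):
    """Yield (type, body) for each cleartext handshake message in the server's bytes."""
    buf, pos = b"", 0
    while pos + 5 <= len(flight):
        ctype, _version, length = struct.unpack_from("!BHH", flight, pos)
        if ctype != 22:  # ChangeCipherSpec or later: the rest is encrypted
            break
        buf += flight[pos + 5:pos + 5 + length]
        pos += 5 + length
    pos = 0
    while pos + 4 <= len(buf):
        mlen = int.from_bytes(buf[pos + 1:pos + 4], "big")
        yield buf[pos], buf[pos + 4:pos + 4 + mlen]
        pos += 4 + mlen

def assess(flight):
    """Return (suite name, reasons the RSA private key cannot decrypt the session)."""
    suite, seen = None, set()
    for mtype, body in handshake_messages(flight):
        seen.add(mtype)
        if mtype == SERVER_HELLO and len(body) >= 38:
            sid_len = body[34]  # after 2-byte version and 32-byte random
            suite = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
    name = SUITES.get(suite, "unknown")
    reasons = []
    if suite is None:
        reasons.append("no ServerHello: capture misses the session establishment")
    elif not name.startswith("TLS_RSA_"):
        reasons.append("cipher suite is not a known plain-RSA suite")
    if SERVER_KEY_EXCHANGE in seen:
        reasons.append("ServerKeyExchange sent: ephemeral keys in use")
    if suite is not None and CERTIFICATE not in seen:
        reasons.append("no Certificate: session was resumed")
    return name, reasons

# Constructed sample flights (zeroed randoms, dummy bodies), not captured traffic.
def _msg(mtype, body=b""):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def _rec(payload, ctype=22):
    return bytes([ctype]) + b"\x03\x01" + len(payload).to_bytes(2, "big") + payload
def _hello(suite, sid=b""):
    return _msg(SERVER_HELLO, b"\x03\x01" + bytes(32) + bytes([len(sid)]) + sid
                + suite.to_bytes(2, "big") + b"\x00")

FULL_RSA = _rec(_hello(0x002F) + _msg(CERTIFICATE, b"\x00" * 3) + _msg(SERVER_HELLO_DONE))
DHE = (_rec(_hello(0x0033)) + _rec(_msg(CERTIFICATE, b"\x00" * 3))
       + _rec(_msg(SERVER_KEY_EXCHANGE, b"\x00" * 4)) + _rec(_msg(SERVER_HELLO_DONE)))
RESUMED = _rec(_hello(0x002F, sid=bytes(32))) + _rec(b"\x01", ctype=20)
```

An empty list of reasons means the server side of the handshake is consistent with the requirements; the other requirements (both directions captured, correct key) still apply.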

Summary
This can be a real life-saver and it can also be a real pain; especially if you tell others you can do it and then
find the capture you have isn't suitable or DHE or similar is in use. Make sure you caveat what might be
possible and ideally, avoid the need to do this at all; it's better that way.
Just as an aside, on the subject of performance, try using ECXXX where you can, the performance is great. (For
those using F5s, I don't think these are native so probably that negates the benefits.)

- If you're running Linux, also consider ssldump.
- If you're trying to troubleshoot HTTP issues, you may be better off running iehttpheaders for
  IE or LiveHTTPHeaders for Firefox on the client browser. As noted in the comments below,
  you can also use the built-in developer/debugging tools available in Chrome or Safari.

I'd highly recommend the free Crypto 101 course/book for those new to this subject (or needing to brush up).
Corrections are most welcome, for everyone's benefit.
The icon artwork used in this article is by the GNOME Project and licensed under the Creative Commons
Attribution-Share Alike 3.0 United States License.

About Steven Iveson


Steven Iveson, the last of four children of the seventies, was born in London and was never
too far from a shooting, bombing or riot. He's now grateful to live in a small town in East
Yorkshire in the north east of England with his wife Sam and their four children. He's worked
in the IT industry for over 20 years in a variety of roles, predominantly in data centre and internet facing
environments. Steve has been awarded F5 DevCentral MVP for 2015 and 2016.

COMMENTS
Ivan Pepelnjak says
August 8, 2013 at 6:14 AM
Great post (including the explanation why and when SSL decode works - I was looking for that a few
months ago and had to figure it out myself ;).
As for browser support, I was making the exact same statement until my students corrected me: most
browsers have a built-in Firebug-like debugger these days, including Chrome and Safari. To open it in
Chrome, right-click on anything and select Inspect this element, then select the Net tab.
Keep up the great work!
Ivan
Reply
Steven Iveson says
August 8, 2013 at 9:51 AM
Thanks Ivan, it's appreciated. Cheers
Reply

Uros says
August 8, 2013 at 7:07 AM
You can also use built-in developer mode in Chrome (CTRL+SHIFT+i) to troubleshoot http/https
headers.
Reply
Steven Iveson says
August 8, 2013 at 9:49 AM
Thanks Uros, I've now referenced your comment in the article. Cheers
Reply

Jens says
August 9, 2013 at 2:28 PM
A great Wireshark feature, especially for vendor cases, is that it can export SSL session keys into a plain
text file. If you don't mind giving away the clear data in the SSL packets this file can safely be sent to
the vendor.
Then it needs to be configured under Edit, Preferences, Protocols, SSL, Pre-Master-Secret log
filename and the SSL sessions in the loaded packet capture can be decrypted without the need of the
private key (that you most probably don't want to forward to the vendor).
Note: Same note as above applies, you need the initial session establishment also!
Reply
Jens says
August 9, 2013 at 2:30 PM
Export can be found under File, Export SSL Session Keys.
Reply
Steven Iveson says
August 9, 2013 at 8:14 PM
Many thanks Jens, nice to learn something new! I've updated the article quickly for now
referencing your comments, I'll update with full details sometime later. Thanks again.
Reply

Martin Zivny says


August 27, 2014 at 3:00 PM
How to change cipher order in Explorer: run gpedit.msc, choose Computer Configuration |
Administrative Templates | Network | SSL Configuration Settings.
There's only one item here: SSL Cipher Suite Order. Open it. Select Enabled.
Reply

What Lies Beneath says


August 28, 2014 at 3:41 PM
Thanks Martin. I'd be very interested to know how Windows uses these settings. Does this
influence Internet Explorer? Anything else like built-in VPN functionality?
Reply

Jussi Jääskeläinen says


August 14, 2015 at 10:33 AM
Hi, great article, definitely!
Just a question regarding MTLS. Would decode work with MTLS or is that the case you referred to as "If
the server sends a ServerKeyExchange message, you will not be able to decrypt the data."?
Cheers, Jussi
Reply
Steven Iveson says
August 17, 2015 at 10:47 AM
Hey Jussi,
I'm not familiar with MTLS, but based on a quick Google, it would seem everything in this article
would apply to MTLS (for better or worse). Once decrypted, I assume that a further level of
decapsulation is required to identify/tie the packets to a particular stream/application.
Reply

Ward Willats says


December 17, 2015 at 2:36 AM
Trying to decode DTLS with Wireshark 2.0.0 for a custom product and discovered, that, yes, you have to
pick the right cipher RSA key exchange cipher suite (which you can find with:
openssl ciphers kRSA
..but also the decoder/dissector gets totally confused IF YOU HAVE THE CLIENT SEND A CERTIFICATE
WITH A DIFFERENT PUBLIC/PRIVATE KEY PAIR DURING HANDSHAKE. Seems you MUST only have the
SERVER send a cert.
Thanks for this great page! Big help today.
Reply
Steven Iveson says
December 17, 2015 at 12:38 PM
Thanks Ward, good to know, I'll have a play and look at adding this as soon as I can. Thanks again.
Reply

Cerber says
April 28, 2016 at 12:30 PM
Thank you for the article!
Reply

Karan says
June 20, 2016 at 10:39 PM
I have an Apache server installed on Ubuntu.
I have a generated self-signed SSL certificate and key file.
I need to capture and decrypt SSL traffic of my webpage on localhost using Wireshark.
Reply
Steven Iveson says
June 21, 2016 at 11:04 AM
Hey Karan,
In that case you have everything you need to decrypt the traffic as described in the article. Feel
free to PM me on Twitter if you need a bit of help.
Reply

All content 2015 Packet Pushers Interactive, LLC. All rights reserved.