Difference between revisions of "Decrypting TLS Browser Traffic With Wireshark"
(Created page with "Category:Wireshark and Network Testing The full write up is [https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/ here]. In summar...") |
|||
Line 2: | Line 2: | ||
The full write up is [https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/ here]. | The full write up is [https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/ here]. | ||
− | In summary | + | In summary<br /> |
− | 1) Set Firefox or Chrome to log session keys by adding an environment variable. | + | 1) Set Firefox or Chrome to log session keys by adding an environment variable.<br /> |
Windows: Set a User Variable SSLKEYLOGFILE to specify the file e.g. c:/temp/sslkeylog.log | Windows: Set a User Variable SSLKEYLOGFILE to specify the file e.g. c:/temp/sslkeylog.log | ||
− | + | <br /> | |
− | Mac OSX: | + | Mac OSX:<br /> |
Setting an environment variable with EXPORT will only apply to that session. Launching a browser or other web client outside of the session will not have the environment variable set. | Setting an environment variable with EXPORT will only apply to that session. Launching a browser or other web client outside of the session will not have the environment variable set. | ||
# export SSLKEYLOGFILE=/Users/username/sslkeylogs/output.log | # export SSLKEYLOGFILE=/Users/username/sslkeylogs/output.log | ||
Line 16: | Line 16: | ||
− | 2) Point Wireshark at the keylog file | + | 2) Point Wireshark at the keylog file<br /> |
>Edit >Preferences >Protocols >SSL >"(Pre)-Master-Secret log filename:" | >Edit >Preferences >Protocols >SSL >"(Pre)-Master-Secret log filename:" | ||
When viewing a trace containing TLS traffic the packet after the "Changed Cipher Spec, Finished" would normally by an unreadable TLSv1 Protocol with Application Data shown in the Info column. With the log file specified the protocol is shown as HTTP and you can view GET request etc. in the Info column. | When viewing a trace containing TLS traffic the packet after the "Changed Cipher Spec, Finished" would normally by an unreadable TLSv1 Protocol with Application Data shown in the Info column. With the log file specified the protocol is shown as HTTP and you can view GET request etc. in the Info column. | ||
There is also a new "Decrypted SSL data" tab shown below the hex view. | There is also a new "Decrypted SSL data" tab shown below the hex view. |
Revision as of 04:13, 26 August 2016
The full write up is here.
In summary
1) Set Firefox or Chrome to log session keys by adding an environment variable.
Windows: Set a User Variable SSLKEYLOGFILE to specify the file e.g. c:/temp/sslkeylog.log
Mac OSX:
Setting an environment variable with EXPORT will only apply to that session. Launching a browser or other web client outside of the session will not have the environment variable set.
# export SSLKEYLOGFILE=/Users/username/sslkeylogs/output.log # open -a firefox # wireshark
Linux:
$ export SSLKEYLOGFILE=~/path/to/sslkeylog.log
2) Point Wireshark at the keylog file
>Edit >Preferences >Protocols >SSL >"(Pre)-Master-Secret log filename:"
When viewing a trace containing TLS traffic the packet after the "Changed Cipher Spec, Finished" would normally by an unreadable TLSv1 Protocol with Application Data shown in the Info column. With the log file specified the protocol is shown as HTTP and you can view GET request etc. in the Info column. There is also a new "Decrypted SSL data" tab shown below the hex view.