Decrypt HTTPS Traffic Using Wireshark And Key File

Wireshark is a useful tool for troubleshooting. Wireshark can decrypt SSL traffic as long as you have the server's private key. This can be extremely useful if you have to debug HTTPS traffic and cannot use plain HTTP instead.

First we will capture some HTTPS traffic for our testing. Here our HTTPS server's IP address is 192.168.x.x and the port is the default, 443. I prefer to use tcpdump for packet capture, but you can do it with Wireshark as well.

The command below will capture all the encrypted traffic to and from our server.

$ sudo tcpdump -w /tmp/ssl.pcap  -ni eth0 -s0  host 192.168.x.x port 443

The captured data will go to the ssl.pcap file. Once you have the captured packets in the file, open it in Wireshark. Use the "Follow TCP Stream" option and you can see the encrypted data.

[Screenshot: Follow TCP Stream]

The next thing we need is the server's private key. Once you have the key file, to decrypt the traffic go to "Edit -> Preferences". Now in the left-hand menu choose "Protocols -> SSL". Fill in the "RSA Key list" field in the format <host>, <port>, <protocol>, <key_file>, i.e., we specify the server's IP address, the port on which the server listens, the protocol and the path to the server's private key. The private key file must be in PEM format. In our example it is 192.168.x.x, 443, https, /path/to/keyfile.pem.
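As an added example (not part of the original post), here is a small Python check that reads the negotiated cipher suite out of a captured TLS ServerHello record and tells you whether the server's private key alone will decrypt the session: Wireshark's RSA key list only works when the key exchange is plain RSA, since (EC)DHE suites and TLS 1.3 derive session keys that never depend on the server's long-term key. The ServerHello bytes and the cipher-suite tables are constructed for illustration.

```python
import struct

# Cipher suites with plain RSA key exchange: the premaster secret is encrypted
# to the server's certificate key, so the server private key recovers the session.
# Constructed subset for illustration; extend as needed.
RSA_KEX_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
# (EC)DHE and TLS 1.3 suites: the private key alone cannot decrypt the capture.
FORWARD_SECRET_SUITES = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version and cipher suite."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]  # 2 bytes version + 32 bytes random precede session_id length
    suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
    return {"version": version, "cipher_suite": suite}

def key_file_can_decrypt(suite: int) -> bool:
    """True when Wireshark's RSA key list (server private key) suffices."""
    return suite in RSA_KEX_SUITES

def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample ServerHello (empty session id, no extensions) for testing."""
    hello = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake

if __name__ == "__main__":
    for suite in (0x002F, 0xC02F):
        info = parse_server_hello(build_server_hello(0x0303, suite))
        name = RSA_KEX_SUITES.get(suite) or FORWARD_SECRET_SUITES.get(suite) or hex(suite)
        print(f"{name}: decryptable with server key = {key_file_can_decrypt(info['cipher_suite'])}")
```

In a real capture, the ServerHello is the first record the server sends after the ClientHello; if it negotiated a forward-secret suite, the key file will not help and you would need the session keys from the client or server instead.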

Now apply the settings and return to the main window.

Now if you click on each row you can see a "Decrypted SSL Data (size)" tab at the bottom of the "Packet Bytes" pane. This tab is shown only when decrypted data is available for that packet.

[Screenshot: ssl.pcap in Wireshark, Decrypted SSL Data tab]

You can now use the “Follow SSL Stream” option to view the decrypted data stream.

[Screenshot: ssl.pcap in Wireshark, Follow SSL Stream]

Happy decrypting 😉