Decrypting TLS data with Wireshark on Mac

By | October 15, 2021

This post shows how to decrypt TLS traffic with Wireshark using a session key log file. The key log file records the secrets the web browser used to encrypt and decrypt its HTTPS traffic, so Wireshark can decrypt the same traffic. Not all browsers can write this file; as far as I know only Google Chrome and Firefox support it. The example below shows how to create the key log file and capture decrypted data with Wireshark on Mac.
The first step is to set the environment variable SSLKEYLOGFILE, which specifies the name and location of the key log file. From the terminal run the export command:


% export SSLKEYLOGFILE=~/Documents/sslkeylog.log

Verify the value of the SSLKEYLOGFILE variable:


% echo $SSLKEYLOGFILE
/Users/some.username/Documents/sslkeylog.log

Close all Google Chrome processes and, from the same terminal session, start Google Chrome in incognito mode:


% /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome -incognito

Alternatively, without the environment variable, pass the key log file path on the command line:


% /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ssl-key-log-file=/Users/some.username/Documents/sslkeylog.log -incognito

Open Wireshark and set the capture filter to host yandex.ru and port 443:
[Image: Wireshark capture filters]

Start capturing the encrypted web traffic.

In Chrome, browse to the yandex.ru website:
[Image: Yandex URL]

Wireshark shows only encrypted TLS application data:

Stop capturing. From the Wireshark menu open Preferences, select Protocols and choose TLS:
[Image: Wireshark - Preferences - Protocols]

In the (Pre)-Master-Secret log filename field enter the path and name of the key log file:
[Image: Choose session key file]

Start capturing again and reload the yandex.ru page in the browser. Wireshark now shows the decrypted HTTP/2 traffic:
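If Wireshark still shows only encrypted application data after this step, the usual cause is an empty or malformed key log file (for example the browser was not restarted from the shell where SSLKEYLOGFILE was exported). The script below is an added example, not code from the original post; it reads a key log file in the NSS Key Log Format that Chrome, Firefox and Wireshark share, checks each line, and reports which TLS sessions (keyed by client random) have enough secrets for Wireshark to decrypt application data. The sample key log text is constructed with placeholder hex values, and the function names are my own.

```python
import os
import re

# Labels from the NSS Key Log Format that Wireshark understands.
# CLIENT_RANDOM carries the TLS 1.2 master secret; the rest are TLS 1.3 secrets.
KNOWN_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}

# Every entry is: <LABEL> <client random, 32 bytes as 64 hex chars> <secret as hex>
LINE_RE = re.compile(r"^([A-Z_0-9]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

# Constructed sample: one TLS 1.2 session, one complete TLS 1.3 session,
# one TLS 1.3 session missing its server secret, and one junk line.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "a" * 64 + " " + "b" * 96,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "1" * 64 + " " + "2" * 64,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "1" * 64 + " " + "3" * 64,
    "CLIENT_TRAFFIC_SECRET_0 " + "1" * 64 + " " + "4" * 64,
    "SERVER_TRAFFIC_SECRET_0 " + "1" * 64 + " " + "5" * 64,
    "CLIENT_TRAFFIC_SECRET_0 " + "c" * 64 + " " + "d" * 64,
    "garbage line here",
])


def parse_keylog(text):
    """Return (entries, problems).

    entries: dicts with label, client_random and secret_len (in bytes)
    problems: (line_number, reason) for lines Wireshark would not use
    """
    entries, problems = [], []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        m = LINE_RE.match(line)
        if not m:
            problems.append((n, "malformed line"))
            continue
        label, client_random, secret = m.groups()
        if label not in KNOWN_LABELS:
            problems.append((n, f"unknown label {label}"))
            continue
        if len(secret) % 2:
            problems.append((n, "secret has odd hex length"))
            continue
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            problems.append((n, "TLS 1.2 master secret must be 48 bytes"))
            continue
        entries.append({
            "label": label,
            "client_random": client_random.lower(),
            "secret_len": len(secret) // 2,
        })
    return entries, problems


def sessions_by_client_random(entries):
    """Group the labels present for each TLS session (one client random each)."""
    sessions = {}
    for e in entries:
        sessions.setdefault(e["client_random"], set()).add(e["label"])
    return sessions


def decryptable_sessions(entries):
    """Client randoms whose application data Wireshark can decrypt in both
    directions: a TLS 1.2 master secret, or both TLS 1.3 application traffic secrets."""
    tls13_app = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
    result = []
    for client_random, labels in sessions_by_client_random(entries).items():
        if "CLIENT_RANDOM" in labels or tls13_app <= labels:
            result.append(client_random)
    return sorted(result)


if __name__ == "__main__":
    # Read the real file named by SSLKEYLOGFILE when it exists, else use the sample.
    path = os.environ.get("SSLKEYLOGFILE")
    if path and os.path.exists(path):
        with open(path, encoding="ascii") as f:
            text = f.read()
    else:
        text = SAMPLE_KEYLOG
    entries, problems = parse_keylog(text)
    print(f"{len(entries)} usable entries, {len(problems)} problem lines")
    for n, reason in problems:
        print(f"  line {n}: {reason}")
    for cr in decryptable_sessions(entries):
        print(f"  decryptable session, client random {cr[:16]}...")
```

A session that has only CLIENT_TRAFFIC_SECRET_0 (the third session in the sample) will still show the server's responses as encrypted data, which is a common reason for a "partially decrypted" capture. The key log file lets anyone who obtains it decrypt the corresponding captured sessions, so keep it with restrictive permissions and delete it, together with the capture, once the analysis is done.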
