This post is about how to decrypt TLS data in Wireshark using a session key file. The session key file stores the secrets the web browser used to encrypt and decrypt HTTPS traffic, and Wireshark can reuse them to decrypt a capture. Not every browser can write such a file; as far as I know, only Google Chrome and Firefox support this. The example below shows how to create a session key file and capture decrypted data with Wireshark on a Mac.
The first step is to create the environment variable SSLKEYLOGFILE, which specifies the name and location of the session key file. From a terminal, run the export command:
% export SSLKEYLOGFILE=~/Documents/sslkeylog.log
Verify the value of the SSLKEYLOGFILE variable:
% echo $SSLKEYLOGFILE
/Users/some.username/Documents/sslkeylog.log
Close all Google Chrome processes and, from the same terminal session, start Google Chrome in incognito mode:
% /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome -incognito
Alternatively, without the environment variable, pass the file path directly on the command line:
% /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ssl-key-log-file=/Users/some.username/Documents/sslkeylog.log -incognito
Open Wireshark and set the capture filter to host yandex.ru and port 443:
Start capturing encrypted web traffic.
In Chrome, begin browsing the yandex.ru website:
Wireshark shows only encrypted application data:
Stop capturing. From the Wireshark menu open Preferences, select Protocols and choose TLS:
In the (Pre)-Master-Secret log filename field, enter the path and name of the session key file:
Start capturing again and reload the yandex.ru page in the browser. Wireshark now shows the HTTP/2 protocol items decrypted:
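As an added example (not part of the original post), here is a small Python parser for the NSS key log format that Chrome and Firefox write to SSLKEYLOGFILE; it shows what Wireshark reads from the file and rejects lines it could not use. The sample lines and all hex values are constructed placeholders, not secrets from a real session.

```python
from __future__ import annotations
from dataclasses import dataclass
# Labels Wireshark accepts: CLIENT_RANDOM carries a TLS 1.2 master secret, the rest are TLS 1.3 secrets.
KNOWN_LABELS = {"CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
                "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
@dataclass(frozen=True)
class KeyLogEntry:
    label: str
    client_random: bytes  # 32 bytes; matches the ClientHello random Wireshark sees in the capture
    secret: bytes         # 48 bytes (TLS 1.2) or 32/48 bytes (TLS 1.3 with SHA-256/SHA-384)

def parse_line(line: str) -> KeyLogEntry | None:
    """Parse one '<LABEL> <client_random_hex> <secret_hex>' line; None if malformed."""
    parts = line.split()
    if len(parts) != 3 or parts[0] not in KNOWN_LABELS:
        return None
    try:
        rand, secret = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return None
    if len(rand) != 32 or len(secret) not in (32, 48):
        return None
    return KeyLogEntry(parts[0], rand, secret)

def parse_keylog(text: str) -> tuple[list[KeyLogEntry], list[str]]:
    """Return (valid entries, rejected lines); comment ('#') and blank lines are skipped."""
    entries, rejected = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        entry = parse_line(raw)
        (entries if entry else rejected).append(entry or raw)
    return entries, rejected

def sessions(entries: list[KeyLogEntry]) -> dict[bytes, list[str]]:
    """Group labels by client random: each key is one TLS session Wireshark can decrypt."""
    by_session: dict[bytes, list[str]] = {}
    for e in entries:
        by_session.setdefault(e.client_random, []).append(e.label)
    return by_session
# Constructed sample: the hex values are placeholders, not secrets from a real session.
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,                     # TLS 1.2 session
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,   # TLS 1.3 session
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "ff" * 10,                     # truncated secret: rejected
    "BOGUS_LABEL " + "44" * 32 + " " + "aa" * 48,                       # unknown label: rejected
])
```

Running parse_keylog on a real key log before pointing Wireshark at it tells you how many sessions the file covers and which lines were truncated or garbled.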