• Necessary Conditions

    Wireshark is capable of decrypting TLS/SSL traffic when certain conditions are met:

    • Wireshark was compiled with SSL decryption support (--with-gnutls)
    • RSA is used for key exchange (the client encrypts the premaster secret with the server's RSA public key; sessions negotiated with ephemeral DHE/ECDHE suites cannot be decrypted with the server key alone)
    • You have the server's private key in PEM format (convert it if necessary)
    • You can capture the initial TLS/SSL Handshake


    Wireshark needs to be configured for SSL decryption by defining a specially formatted string that contains the server's IP address, port number, protocol, and the location of the private key file.

    In the GUI, select Edit -> Preferences.

    Next select Protocols -> SSL and fill in the '''RSA keys list:''' field with a semicolon-separated list of the private RSA keys used for SSL decryption; each list entry must be in the form IP,PORT,PROTOCOL,KEYFILE. KEYFILE is the local file name of the RSA private key used by the server (or the name of a file containing such a list). In this example we will add the ''',443,http,/tmp/privkey.pem;''' string.

    You can also manually edit the '''ssl.keys_list''' parameter in the '''~/.wireshark/preferences''' file. Here is a sample entry for a local SSL server with a test private key in '''/tmp/privkey.pem'''.


    privkey.pem looks like the example below:

    -----END RSA PRIVATE KEY-----
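    The two things this setup is most sensitive to are a malformed keys-list entry and a key file that is not an unencrypted PEM private key. The checker below, an added example that is neither Wireshark's own parser nor the author's code, validates an IP,PORT,PROTOCOL,KEYFILE string before it is pasted into the preferences; its acceptance rules (any valid IP address, port 1-65535, the PEM framings listed) and the sample key files are assumptions constructed for the demonstration.

```python
import ipaddress

# PEM framings a key file may carry; this checker accepts only unencrypted PEM (its own assumption).
PEM_MARKERS = {
    b"-----BEGIN RSA PRIVATE KEY-----": "pem",            # PKCS#1, as on this page
    b"-----BEGIN PRIVATE KEY-----": "pem",                # PKCS#8, unencrypted
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----": "encrypted-pem",
}

def classify_keyfile(data: bytes) -> str:
    """'pem' is usable as-is; 'der' (binary ASN.1) must be converted to PEM first."""
    for marker, kind in PEM_MARKERS.items():
        if marker in data:
            return kind
    return "der" if data[:1] == b"\x30" else "unknown"   # 0x30 = ASN.1 SEQUENCE tag

def check_keys_list(value: str, read=lambda path: open(path, "rb").read()) -> list:
    """Parse ';'-separated IP,PORT,PROTOCOL,KEYFILE entries; return [(entry, [problems]), ...]."""
    results = []
    for raw in filter(None, (r.strip() for r in value.split(";"))):   # a trailing ';' is fine
        parts = [p.strip() for p in raw.split(",", 3)]
        if len(parts) != 4:
            results.append(({"raw": raw}, ["expected IP,PORT,PROTOCOL,KEYFILE"]))
            continue
        ip, port, proto, keyfile = parts
        problems = []
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"server IP {ip!r} is not a valid address")
        if not (port.isdigit() and 0 < int(port) < 65536):
            problems.append(f"port {port!r} must be 1-65535")
        try:                                   # `read` may raise OSError (disk) or KeyError (dict)
            kind = classify_keyfile(read(keyfile))
        except (OSError, KeyError):
            kind = "missing"
        if kind != "pem":
            problems.append(f"key file {keyfile!r} is {kind}; need an unencrypted PEM private key")
        results.append(({"ip": ip, "port": port, "protocol": proto, "keyfile": keyfile}, problems))
    return results
# Constructed sample key files (not real keys): only the framing matters to the checker.
SAMPLE_FILES = {
    "/tmp/privkey.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "/tmp/privkey.der": b"\x30\x82\x04\xa4\x02\x01\x00",
}

if __name__ == "__main__":
    sample = "192.0.2.10,443,http,/tmp/privkey.pem;192.0.2.10,993,imap,/tmp/privkey.der;"
    for entry, problems in check_keys_list(sample, read=SAMPLE_FILES.__getitem__):
        print(entry, "OK" if not problems else problems)
```

    Wireshark 3.0 and later renamed this preference to tls.keys_list; the entry format is unchanged.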


    With this configuration in place, Wireshark will be able to decrypt both already captured and future encrypted sessions that match the parameters above.

    Similarly, tshark will also be able to decrypt the SSL traffic:

    tshark -r epiphany.pcap 
      1   0.000000 ->    TCP 36086 > https [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=5255645 TSER=0 WS=6
      2   0.000007 ->    TCP https > 36086 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 TSV=5255645 TSER=5255645 WS=6
      3   0.000012 ->    TCP 36086 > https [ACK] Seq=1 Ack=1 Win=32832 Len=0 TSV=5255645 TSER=5255645
      4   0.000687 ->    SSL Client Hello
      5   0.000721 ->    TCP https > 36086 [ACK] Seq=1 Ack=163 Win=33856 Len=0 TSV=5255645 TSER=5255645
      6   0.000858 ->    SSLv3 Server Hello, Certificate, Server Hello Done
      7   0.000870 ->    TCP 36086 > https [ACK] Seq=163 Ack=647 Win=34112 Len=0 TSV=5255645 TSER=5255645
      8   0.050308 ->    SSLv3 Client Key Exchange, Change Cipher Spec, Finished
      9   0.053742 ->    SSLv3 Change Cipher Spec, Finished
     10   0.053763 ->    TCP 36086 > https [ACK] Seq=375 Ack=722 Win=34112 Len=0 TSV=5255659 TSER=5255659
     11   0.054818 ->    HTTP GET / HTTP/1.1 
     12   0.055169 ->    SSL [SSL segment of a reassembled PDU]
     13   0.055303 ->    TCP https > 36086 [FIN, ACK] Seq=2732 Ack=780 Win=36032 Len=0 TSV=5255659 TSER=5255659
     14   0.055317 ->    TCP 36086 > https [ACK] Seq=780 Ack=2733 Win=49280 Len=0 TSV=5255659 TSER=5255659
     15   0.055933 ->    SSLv3 Alert (Level: Warning, Description: Close Notify)
     16   0.055955 ->    TCP https > 36086 [RST] Seq=2733 Win=0 Len=0

    If you don't want to make permanent changes to your configuration file, you can define the '''ssl.keys_list''' parameter inline when running tshark:

    tshark -o "ssl.keys_list:,443,http,/tmp/privkey.pem" -r epiphany.pcap

    Published on April 12th, 2009 by iphelix
