Mastering Network Troubleshooting: Decrypting HTTPS Traffic with Wireshark, Part II

Prabhash Dilhan Akmeemana
6 min read · Apr 29, 2024


In the previous blog post, I talked about how we can use Wireshark to analyze a tcpdump capture to troubleshoot network issues, and I shared some tips to make your life easier. In this blog post, I will show how to decrypt HTTPS traffic in Wireshark so that you can see the content of the packets.

Using a pre-master secret key log to decrypt HTTPS traffic in Wireshark

What is the pre-master secret key?

The pre-master secret is the value from which all keys of a TLS session are derived. In the classic RSA key exchange (TLS 1.2 and earlier) the client generates a random 48-byte pre-master secret, encrypts it with the public key from the server's certificate and sends it in the ClientKeyExchange message; only the holder of the server's private key can recover it. Both sides then expand the pre-master secret, together with the client and server randoms from the Hello messages, into the master secret, and from that derive the symmetric session keys used to encrypt and authenticate the application data. With (EC)DHE key exchange, which is what current TLS 1.2 deployments negotiate, the pre-master secret is the Diffie-Hellman shared secret and never crosses the wire, so not even the server's private key can recover it from a capture. TLS 1.3 has no pre-master secret at all: separate handshake and application traffic secrets are derived from the (EC)DHE shared secret. This is why the Wireshark setting is called the (Pre)-Master-Secret log: the endpoint writes whichever secret it derived, keyed by the client random of that handshake, and Wireshark derives the session keys from it. The older approach of loading the server's RSA private key into Wireshark only works for the RSA key exchange and for nothing that offers forward secrecy.

By default Wireshark cannot show the contents of HTTPS traffic because the application data is encrypted. To decrypt it, Wireshark needs the session secrets, which it reads from a key log file written by one of the endpoints. Here is how to produce and use that file:

Exporting the Pre-Master Secret Key

To decrypt TLS traffic in Wireshark, one of the endpoints (client or server) has to write its session secrets to a key log file in the NSS key log format while the session is established. How you enable this depends on the software and the TLS library it uses.

Browsers: Mozilla Firefox and Google Chrome

Both browsers write their secrets to the file named by the SSLKEYLOGFILE environment variable (Firefox through NSS, Chrome through BoringSSL). Set the variable to the path where you want the keys stored; the directory must already exist, the file itself is created and appended to by the browser.

Windows

  • On Windows, set a user environment variable named SSLKEYLOGFILE through the Advanced system settings utility; its value is the path of the file the browsers will write the secrets to.
  • Start by right-clicking This PC (My Computer on older versions) and selecting Properties from the menu. The System page will open.
  • Next, click Advanced system settings on the left. The System Properties window will open.
  • On the Advanced tab, click the Environment Variables button.
  • Click the New… button under User variables. Use System variables only if you really want to log TLS keys for every user on the machine, which you normally do not.
  • Under Variable name, type the following:
SSLKEYLOGFILE
  • Under Variable value, provide the path of the secret log file (the directory must exist; the file is created by the browser):
C:\Users\test\wireshark\ssl-key.log

On Linux or macOS

Export the variable in a terminal session with the command below, or add the same line to ~/.bash_profile or ~/.zshrc on macOS or ~/.bashrc on Linux to make it persistent for shells you open later.

export SSLKEYLOGFILE=/path/to/ssl-keys.log

After setting the variable, fully quit and restart the browser (Chrome may keep background processes running after the last window is closed; make sure they are gone too). Every TLS connection the browser makes from then on appends its secrets to the file. If you used the export command directly in a terminal, the variable exists only in that shell session, so start the browser from that same terminal; on macOS run the binary directly, e.g. /Applications/Firefox.app/Contents/MacOS/firefox, because applications launched from the Dock or Finder do not inherit variables from your shell profile.

Python application

Let’s say you are using a Python client or server to handle HTTPS traffic and you want to decrypt the captured traffic to analyze it in Wireshark. Python honors the same environment variable: ssl.create_default_context() (Python 3.8 and later, built against OpenSSL 1.1.1 or newer) reads SSLKEYLOGFILE at the moment the context is created, so the variable must be set before that call, either in the environment of the process or from the application itself as below. This was tested and confirmed using Python 3.12.3.

import socket
import datetime
import ssl  # Import the ssl module
import os

def https_get(host, path, timeout=10):
    port = 443  # HTTPS uses port 443
    buffer_size = 4096  # Typical size for a buffer

    keylog_path = '/Users/prabhash/Documents/tcpdump/ssl-keys.log'

    # Must be set before ssl.create_default_context() is called: the context
    # copies SSLKEYLOGFILE into its keylog_filename only when it is created
    os.environ["SSLKEYLOGFILE"] = keylog_path
    ...  # remainder of the function not shown in the post
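The complete client below is an added example, not code from the original post: it sets the key log path explicitly through ssl.SSLContext.keylog_filename (Python 3.8+ on OpenSSL 1.1.1 or newer), which avoids the ordering problem of the environment variable, since create_default_context() copies SSLKEYLOGFILE only at the moment the context is built. The target host, the request path and the default log file location are assumptions chosen for the demo; the secrets are written in the same NSS format as the browser files.

```python
"""Added example (not from the original post): log TLS session secrets from a
Python HTTPS client via SSLContext.keylog_filename. Python 3.8+, OpenSSL 1.1.1+."""
import http.client
import os
import ssl
import sys


def make_client_context(keylog_path=None):
    """Build a certificate-verifying client context that appends NSS-format
    secrets to keylog_path.

    create_default_context() copies SSLKEYLOGFILE into keylog_filename only
    at creation time, so with keylog_path=None logging happens only if the
    variable was already set; with an explicit path it always happens."""
    ctx = ssl.create_default_context()
    if keylog_path:
        # The setter opens the file in append mode right away and installs the
        # OpenSSL keylog callback; every handshake on ctx (TLS 1.2, TLS 1.3,
        # resumed sessions) is written there.
        ctx.keylog_filename = keylog_path
    return ctx


def keylog_is_active(ctx):
    """True when handshakes on ctx will be written to a key log file."""
    return ctx.keylog_filename is not None


def https_get(host, path="/", keylog_path=None, timeout=10):
    """One HTTPS GET over a logging context; returns (status, headers, body)."""
    ctx = make_client_context(keylog_path)
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path, headers={"User-Agent": "keylog-demo"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed target and log location for the demo: run tcpdump while this
    # executes, then point Wireshark at the same key log file.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    log_path = os.environ.get("SSLKEYLOGFILE", os.path.expanduser("~/ssl-keys.log"))
    status, _, body = https_get(target, "/", keylog_path=log_path)
    print(target, status, len(body), "bytes; secrets appended to", log_path)
```

The same attribute works on a server-side context (ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)), so a Python service can be made to log its own sessions without touching the clients.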

Java application

  • Download extract-tls-secrets-4.0.0.jar from [1]. The agent hooks the JDK's own TLS stack and writes secrets in the same NSS key log format, so it works whether the application is the client or the server.
  • Add it as a Java agent on the JVM command line and start the application. This was tested and confirmed using Java 11 and 8.
   -javaagent:{path to jar file}={path to secret file}

With the key log configured, capture the traffic (tcpdump or Wireshark) while the application is talking HTTPS. The capture must include the handshake of every session you want to decrypt, because the secrets are matched to sessions by the client random sent in the ClientHello. The endpoint writes entries like the following; this sample comes from a TLS 1.3 session, so it holds handshake and application traffic secrets instead of a single master secret, whereas a TLS 1.2 session produces one CLIENT_RANDOM line:

# TLS secrets log file, generated by OpenSSL / Python
SERVER_HANDSHAKE_TRAFFIC_SECRET afc2ae54683baa42588d25d5d492f88f506f53a5583e81e20b365dca5c1b9e9c 9ab5ee335bd35f392de9f38ce90c685e59044b04f9e417a4257c1cf859cdd69c4a14c1ff3c40511be703b668be459e6f
EXPORTER_SECRET afc2ae54683baa42588d25d5d492f88f506f53a5583e81e20b365dca5c1b9e9c 74298de214b6b3fd201cb56e6853b38efbca8fbf587a2eea22cd68280857d8793608bd4a1256a5da5742985858ab9c55
SERVER_TRAFFIC_SECRET_0 afc2ae54683baa42588d25d5d492f88f506f53a5583e81e20b365dca5c1b9e9c fa5276e40e9b453b8b920b9162e1e8451814cdca6dbd0e8005acc1f9c345306b8ed386523811d63261ae3c1e10e99708
CLIENT_HANDSHAKE_TRAFFIC_SECRET afc2ae54683baa42588d25d5d492f88f506f53a5583e81e20b365dca5c1b9e9c a79255233343bd93344dea1fb61c688e83a043b998903f77c83da6072d2685c68a750cd0a30a14dd67beb2041842cce7
CLIENT_TRAFFIC_SECRET_0 afc2ae54683baa42588d25d5d492f88f506f53a5583e81e20b365dca5c1b9e9c d81347acc941be562bb91340c3375dde525553c932ca5a9dd13ac309bab6b059480c985fae4b58ce54a8c8072140ef30

Then open the capture in Wireshark and point it at the key log file so that it can decrypt the encrypted packets.
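Before loading the file into Wireshark it is worth checking that it actually contains a usable entry for the session you care about, because Wireshark pairs key log lines with TLS sessions by the 32-byte client random from the ClientHello. The script below is an added example, not part of the original post: it parses the NSS key log format, reports whether each session has a TLS 1.2 master secret or the full set of TLS 1.3 traffic secrets, and looks up the client random of a ClientHello record. The TLS 1.3 lines are copied from the sample above; the CLIENT_RANDOM line and the ClientHello bytes are constructed for the demo.

```python
"""Added example (not from the original post): parse an NSS key log file,
report which secrets each session carries, and check whether the client random
of a captured ClientHello has an entry, which is how Wireshark pairs key log
lines with TLS sessions. Standard library only."""

# The TLS 1.3 lines are copied from the post's sample; the CLIENT_RANDOM line
# is a constructed TLS 1.2 entry with dummy hex values, added for illustration.
SAMPLE_KEYLOG = """\
# TLS secrets log file, generated by OpenSSL / Python
SERVER_HANDSHAKE_TRAFFIC_SECRET afc2ae54683baa42588d25d5d492f88f506f53a5583e81e20b365dca5c1b9e9c 9ab5ee335bd35f392de9f38ce90c685e59044b04f9e417a4257c1cf859cdd69c4a14c1ff3c40511be703b668be459e6f
EXPORTER_SECRET afc2ae54683baa42588d25d5d492f88f506f53a5583e81e20b365dca5c1b9e9c 74298de214b6b3fd201cb56e6853b38efbca8fbf587a2eea22cd68280857d8793608bd4a1256a5da5742985858ab9c55
SERVER_TRAFFIC_SECRET_0 afc2ae54683baa42588d25d5d492f88f506f53a5583e81e20b365dca5c1b9e9c fa5276e40e9b453b8b920b9162e1e8451814cdca6dbd0e8005acc1f9c345306b8ed386523811d63261ae3c1e10e99708
CLIENT_HANDSHAKE_TRAFFIC_SECRET afc2ae54683baa42588d25d5d492f88f506f53a5583e81e20b365dca5c1b9e9c a79255233343bd93344dea1fb61c688e83a043b998903f77c83da6072d2685c68a750cd0a30a14dd67beb2041842cce7
CLIENT_TRAFFIC_SECRET_0 afc2ae54683baa42588d25d5d492f88f506f53a5583e81e20b365dca5c1b9e9c d81347acc941be562bb91340c3375dde525553c932ca5a9dd13ac309bab6b059480c985fae4b58ce54a8c8072140ef30
""" + "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48 + "\n"  # constructed TLS 1.2 entry

# Wireshark needs all four of these to decrypt a TLS 1.3 session end to end.
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}


def _is_hex(s):
    try:
        bytes.fromhex(s)
        return True
    except ValueError:
        return False


def parse_keylog(text):
    """Return {client_random_hex: {label: secret_hex}}; raise ValueError on a
    malformed line so a truncated or hand-edited file is noticed early."""
    sessions = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'LABEL client_random secret'")
        label, key, secret = parts
        # Legacy RSA lines are keyed by the first 8 bytes of the encrypted
        # pre-master secret; every other label is keyed by the 32-byte client random.
        want = 16 if label == "RSA" else 64
        if len(key) != want or not _is_hex(key) or not _is_hex(secret):
            raise ValueError(f"line {lineno}: bad hex field")
        sessions.setdefault(key.lower(), {})[label] = secret.lower()
    return sessions


def describe_session(secrets):
    """Say whether the key log holds enough material for this session."""
    labels = set(secrets)
    if "CLIENT_RANDOM" in labels:
        return "TLS 1.2 or earlier: master secret present"
    missing = TLS13_REQUIRED - labels
    if not missing:
        return "TLS 1.3: handshake and application traffic secrets present"
    return "TLS 1.3: incomplete, missing " + ", ".join(sorted(missing))


def build_client_hello(client_random, cipher_suites=(0x1302, 0x1301)):
    """Construct a minimal ClientHello inside a TLS record (demo input only)."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    suites = b"".join(cs.to_bytes(2, "big") for cs in cipher_suites)
    hello = (b"\x03\x03" + client_random              # legacy_version, random
             + b"\x00"                                 # empty session id
             + len(suites).to_bytes(2, "big") + suites
             + b"\x01\x00"                             # one compression method: null
             + b"\x00\x00")                            # no extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


def client_random_from_record(record):
    """Extract the client random (hex) from a TLS record holding a ClientHello;
    this is the value Wireshark uses to look up the key log."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 34:
        raise ValueError("truncated ClientHello")
    return hello[2:34].hex()


def lookup(sessions, record):
    """Return (client_random, description), with None when the key log has no
    entry for that session (the usual reason Wireshark shows no decryption)."""
    cr = client_random_from_record(record)
    secrets = sessions.get(cr)
    return cr, (describe_session(secrets) if secrets else None)


if __name__ == "__main__":
    sessions = parse_keylog(SAMPLE_KEYLOG)
    for cr, secrets in sessions.items():
        print(cr[:16] + "...", describe_session(secrets))
    probe = build_client_hello(bytes.fromhex(next(iter(sessions))))
    print("probe ->", lookup(sessions, probe))
```

To run this against a real capture, feed client_random_from_record() the first TLS record of a session (tshark can export the raw bytes of the ClientHello); a None result means the session was either started before logging was enabled or made by a process that did not inherit SSLKEYLOGFILE.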

Configuring Wireshark to Use the Key Log File

Once you have the key log file, tell Wireshark where to find it:

  • Open Wireshark.
  • Go to Edit > Preferences (Wireshark > Preferences on macOS).
  • Expand the Protocols list and scroll down to TLS (called SSL in versions before 3.0).
  • In the TLS protocol settings, set the (Pre)-Master-Secret log filename field to the path of your key log file.
  • Click OK to save the preferences. Wireshark re-dissects the open capture immediately; the same setting is available to tshark as the tls.keylog_file preference.

Analyzing Decrypted Traffic

Once the key log file is configured, Wireshark decrypts every TLS session it can match and shows the decrypted content (see the screenshot in the original post): the packet bytes pane gains a Decrypted TLS tab, and the HTTP or HTTP/2 dissector runs on top of TLS, so display filters such as http or http2 apply to the traffic. Two conditions must hold for a session to be decrypted: its ClientHello must be in the capture, because secrets are matched by client random, and the key log must contain the entry for that random. Sessions that were already open when the capture or the logging started therefore stay encrypted.

Because the payload is now in the clear, Edit > Find Packet (String, in Packet bytes) and Analyze > Follow > HTTP Stream work on the decrypted data, and a filter such as http.request.uri contains "login" picks out exactly the relevant packets.

Security Considerations

Security risks: a key log file is equivalent to the session keys of every connection made while it was active, including forward-secret (EC)DHE and TLS 1.3 sessions that the server's private key alone could never recover. Anyone who obtains the file together with a capture can decrypt the traffic, credentials, cookies and tokens included, so treat it like private key material: write it to a directory only you can read, never set SSLKEYLOGFILE system-wide or in a shared shell profile, and remember that a variable left set in a profile makes every future browser session leak its keys to disk. If you have to use this on a production system, enable it only for the duration of the analysis, then unset the variable, restart the affected processes so they stop logging, and securely delete the key log file (and the capture, which is equally sensitive once decryptable) when the investigation is complete.

Stay tuned for the next installment in this blog series where we will delve into various filtering mechanisms of the tcpdump command, further enhancing your network troubleshooting skills.

[1] https://repo1.maven.org/maven2/name/neykov/extract-tls-secrets/4.0.0/extract-tls-secrets-4.0.0.jar
