Feb 13, 2017
Like VT for packets
seen from United Kingdom
seen from Singapore
seen from Norway
seen from United States
seen from United States
seen from United States
seen from Iraq
seen from United Kingdom
seen from United Kingdom
seen from United States
seen from United States
seen from Kosovo
seen from United States
seen from Türkiye
seen from Malaysia
seen from United States
seen from Sweden
seen from United States
seen from China
seen from France
Like VT for packets
Wireshark tips #5: Decrypting HTTPS
TShark 1.2.15, Oracle Enterprise Linux 6.5
If you are on a web server that is serving SSL, then you can use tshark on that server to decrypt the traffic off the wire. Copy the RSA private key file that your web service is using to /root/private-rsa.key in PKCS#1 format (PKCS#1 files begin with "-----BEGIN RSA PRIVATE KEY-----"), then run:
tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,443,http,/root/private-rsa.key" -o "ssl.debug_file:rsa_private.log" -R "(tcp.port eq 443)" port 443
Note that tshark has to capture the beginning of an SSL session in order to decrypt it. If your SSL client machine is Windows, you can force a new SSL session by doing the following:
Internet Explorer > Internet Preferences
On the General tab, click Delete…, and delete everything
On the Content tab, click "Clear SSL state"
If you find that tshark is not showing HTTP traffic, meaning it's still encrypted, then check the decryption log rsa_private.log
Another option is to capture the traffic with tcpdump or tshark and decrypt it later using Wireshark. To do that, in Wireshark,
Capture HTTPS traffic on server/load balancer using tcpdump or tshark:
tcpdump -s 0 -w /tmp/ssl.cap
or
tshark -F pcapng -w /tmp/ssl.pcapng port 443
Edit > Preferences
Expand Protocols
Select SSL
Click Edit… beside RSA keys list:
Click New
For IP address, enter 0.0.0.0 (sometimes you have to explicitly put in the server/load balancer IP address here)
For Port, enter 0 (sometimes you have to explicitly put in the server/load balancer SSL port here)
For Protocol, enter http
For Key File, select the RSA private key file which you copied from the web server or load balancer
For Password, enter the password needed for the private key file (if there is not one, leave this field empty)
Click OK
Back on the SSL Preferences page, for SSL debug file, enter C:\rsa_debug.txt
Make sure "Reassemble SSL records spanning multiple TCP segments" is checked
Make sure "Reassemble SSL Application Data spanning multiple SSL records" is checked
Click OK to close the SSL Preferences page
Load your capture file from the web server or load balancer. As long as the SSL session initiation is in the capture, Wireshark should be able to decrypt the HTTPS packets and show the HTTP protocol information.