Using tshark to Decrypt SSL/TLS Packets

I’m going to walk you through decoding SSL/TLS traffic from a pcap file with the server’s private key using tshark (the command-line version of Wireshark). You can, of course, use ssldump for the same purpose.

I assume you know how SSL/TLS works, have a basic understanding of how Wireshark works, and know why we use it.

I will start by capturing some sample encrypted traffic that includes the handshake (this matters for the decryption later: the ClientKeyExchange message carries the RSA-encrypted pre-master secret, and without it tshark has nothing to recover the session key from). For that purpose, we are going to use the openssl command to generate a server certificate and private key, and then run an HTTPS server with openssl’s s_server command on port 4443 (or any other port you like) using the generated certificate and key. Then we will issue a GET request to the HTTPS server via curl. In the meantime, we will collect the traffic with tshark and save it to the file ssltest.pcap. One caveat up front: decryption with the server’s private key only works when the session uses plain RSA key exchange. With (EC)DHE cipher suites (forward secrecy) or TLS 1.3 the session key is ephemeral, the server’s private key cannot recover it, and you need the session secrets from the client or server (for example via SSLKEYLOGFILE) instead. When you set up the test server, pin it to an RSA suite so the capture is decryptable.

At this point, we should have the file ssltest.pcap from tshark, and server.crt and server.pem from the openssl commands.

Next, we are going to read the pcap file and decode the traffic.

In the Wireshark GUI, we can use “Follow SSL Stream”, which dumps the decrypted stream as ASCII. How do we do the same with tshark?
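The whole lab, from generating the key to following the decrypted stream, as one added example script (these are not the original post’s commands). It assumes openssl, curl and tshark are on PATH, that the loopback interface is named lo (lo0 on macOS), that the user may capture on it, and that the server is reached at 127.0.0.1; the preference names follow the tshark 1.x series the post was written against (tshark 3.0 and later renamed the protocol prefix from ssl to tls, use -z follow,tls there, and load RSA keys through the rsa_keys table, e.g. -o 'uat:rsa_keys:"server.pem",""'). It also adds a check the post does not have: reading the cipher suite from the ServerHello to confirm the session is decryptable with the server key at all, shown here on constructed sample tshark field output.

```shell
#!/bin/sh
# Added example (not the original post's commands). Assumptions: openssl, curl and
# tshark installed; loopback interface "lo"; server reachable at 127.0.0.1;
# tshark 1.x/2.x preference names (ssl.*), see the note above for 3.0+.
set -eu

PORT=4443
PCAP=ssltest.pcap
KEY=server.pem
CERT=server.crt
IFACE=lo

# Step 1: self-signed RSA key and certificate. RSA matters: the server key can only
# recover the session secret when the handshake uses RSA key exchange.
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
    -keyout "$KEY" -out "$CERT" 2>/dev/null
}

# Step 2: HTTPS server pinned to TLS 1.2 and a plain-RSA suite (TLS_RSA_WITH_AES_128_GCM_SHA256).
# TLS 1.3 and every (EC)DHE suite use ephemeral keys that the server key cannot undo.
start_server() {
  openssl s_server -accept "$PORT" -key "$KEY" -cert "$CERT" -www \
    -tls1_2 -cipher AES128-GCM-SHA256 >/dev/null 2>&1 &
  echo $!
}

# Step 3: capture the whole TCP stream, handshake included (capture filter only, no -c limit).
start_capture() {
  tshark -q -i "$IFACE" -f "tcp port $PORT" -w "$PCAP" 2>/dev/null &
  echo $!
}

# Step 4: one GET. -k accepts the self-signed cert; the client is pinned the same way.
do_request() {
  curl -sk --tlsv1.2 --tls-max 1.2 --ciphers AES128-GCM-SHA256 \
    "https://localhost:$PORT/" >/dev/null
}

# Step 5: decode with the server key. keys_list format: ip,port,protocol,keyfile.
decrypt() {
  tshark -r "$PCAP" -V -x \
    -o "ssl.desegment_ssl_records:TRUE" \
    -o "ssl.desegment_ssl_application_data:TRUE" \
    -o "ssl.keys_list:127.0.0.1,$PORT,http,$KEY"
}

# Step 6: the tshark equivalent of Wireshark's "Follow SSL Stream" for stream index 0.
follow_stream() {
  tshark -r "$PCAP" -q -o "ssl.keys_list:127.0.0.1,$PORT,http,$KEY" \
    -z follow,ssl,ascii,0
}

# Before blaming the key: print the cipher suite the server chose in its ServerHello
# (handshake type 2). Only plain-RSA suites are recoverable from the server's private key.
server_suite() {
  tshark -r "$PCAP" -Y "ssl.handshake.type == 2" -T fields -e ssl.handshake.ciphersuite
}

# Classify one suite id as tshark prints it (0x002f, 0x0000002f or 47):
# rsa = static RSA key exchange, ephemeral = (EC)DHE or TLS 1.3, other = anything else.
kx_of_suite() {
  case $(printf '%04x' "$(( $1 ))") in
    0004|0005|000a|002f|0035|003c|003d|009c|009d) echo rsa ;;
    0033|0039|0067|006b|009e|009f) echo ephemeral ;;            # DHE_RSA
    c009|c00a|c013|c014|c02b|c02c|c02f|c030) echo ephemeral ;;  # ECDHE_ECDSA / ECDHE_RSA
    1301|1302|1303) echo ephemeral ;;                           # TLS 1.3, always ephemeral
    *) echo other ;;
  esac
}

# Succeeds only if every ServerHello in the list (one suite per line, as server_suite
# prints them) negotiated static RSA; otherwise the server key cannot decrypt the capture.
decryptable() {
  verdict=0
  for s in $1; do
    [ "$(kx_of_suite "$s")" = rsa ] || verdict=1
  done
  return $verdict
}

# Constructed sample field output, standing in for what server_suite prints for two captures.
SAMPLE_RSA='0x002f
0x009c'
SAMPLE_ECDHE='0xc02f'

main() {
  gen_cert
  srv=$(start_server)
  cap=$(start_capture)
  sleep 2                              # let s_server and tshark come up
  do_request
  sleep 1                              # let the last packets reach the pcap
  kill "$cap" "$srv"
  wait "$cap" 2>/dev/null || true
  if decryptable "$(server_suite)"; then
    decrypt >ssldecoded.txt            # full -V -x dissection, for later reading
    follow_stream                      # the GET and the HTTP response in ASCII
  else
    echo "ServerHello picked an ephemeral suite; the server key cannot decrypt this capture" >&2
    exit 2
  fi
}

# Run the lab only when asked ("sh tshark-lab.sh run"), so the file can also be
# sourced to use the suite check on its own.
if [ "${1:-}" = run ]; then main; fi
```

If the check reports an ephemeral suite on a real capture, no amount of private-key fiddling will help; collect the session keys from an endpoint instead and feed them to tshark as a key log file.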

You will see output similar to the following:

3 responses for Using tshark to Decrypt SSL/TLS Packets

  1. Joe says:

    I am trying to accomplish what you have laid out in such detail, but unfortunately my lack of Unix and networking experience works against me. I am able to capture packets using tshark on an Apache server that hosts a REST API. I first tried on a dev server where HTTPS was not enforced and was able to clearly read the packets. On the production server it is HTTPS and the packets are encrypted. Could you perhaps advise which of the steps above I would need to decrypt the packets?

  2. Pete says:

    tshark -r ssltest.pcap -V -x \
      -o "ssl.debug_file:ssldebug.log" \
      -o "ssl.desegment_ssl_records: TRUE" \
      -o "ssl.desegment_ssl_application_data: TRUE" \
      -o "ssl.keys_list:,4443,http,server.pem"

    The last line specifies the key to decrypt. The format is server,port,protocol,PrivateKey

  3. Jeff Nichols says:

    Thank you very much for this information! There’s a lot going on and you make it seem relatively simple, with a reproducible example to follow. Now to move on to debugging the servers I’m having trouble with 🙂

    I think there is one typo in the “follow” command, where the pcap filename you use is “sslsample.pcap” but it should be “ssltest.pcap”. I also wasn’t able to get the follow to work unless I used stream index 0. I don’t know if this is a version change or something. I’m using tshark 1.10.14 and libpcap 1.5.3.
