Skip to main content
Version: v8

KB: 1070


How to decrypt SSL/TLS traffic using Wireshark and private keys?

Resources

Download the packet capture (.pcap)

Download the SSL Key (.crt)

Pre-Requisites

  1. Wireshark software
  2. Private Key: You need the private key of the server used in the SSL/TLS connection. This method only works for protocols like HTTPs where you have access to the private key.
  3. The RSA private key file is in PEM format.
Note

Wireshark primarily supports RSA private keys for decrypting SSL/TLS traffic. However,You cannot decrypt Diffie-Hellman Ephemeral (DHE) key exchanges. Therefore, traffic using these ciphers will not be decoded.

For more information regarding SSL/TLS DECRYPTION please refer to KB: 1077 SSL/TLS DECRYPTION

Steps

  1. Load the Captured File

    1. Open Wireshark and load your .pacp
  2. Configure the SSL/TLS Preferences

    1. Go to Edit > Preferences
    2. Expand the protocols list on the left side.
    3. Scroll down and select TLS or SSL (depending on your Wireshark version)

    kb-1070

  3. Add the Private key

    1. In the same preferences window under TLS or SSL, find the RSA keys list.

    2. Click on the Edit button

    3. Add a new entry with the following details:

      1. IP address: The IP adress of the server.
      2. Port: The port number(e.g, 443 for HTTPS)
      3. Protocol: Typically, HTTP
      4. Key File: Browse and select the server's private key file
      5. Password: If the key file is encrypted, enter the password.

    kb-1070

  4. View Decrypted Data

    1. Wireshark should now automatically decrypt the SSL/TLS traffic using the private key.
    2. You can inspect the decrypted packets, including HTTP requests and responses, directly in Wireshark .