This is our old Q&A Site. Please post any new questions and answers at

I understand it's possible to do SSL decryption with tshark by giving a key rule with the ssl.keys_list preferences option. However I've only seen examples with a single key, and I can't find any real documentation for it. Is it possible to use tshark with multiple key rules, like you can in the Wireshark GUI?

asked 26 Feb '13, 23:03

rakslice's gravatar image

accept rate: 0%

edited 26 Feb '13, 23:03

It's possible, and there are a couple of ways to go about it.

First, you can set the preferences on the CLI using the -o flag and a semi-colon to separate them like this:

tshark -o "ssl.keys_list:ip1,port1,proto1,key1;ip2;port2;proto2;key2" ... (rest of your command)

the "key" field is the path to the RSA Key file somewhere on disk.

Second, starting I think in Wireshark 1.8, whenever you configure SSL Decodes in the GUI, they are written to a file on disk in your Wireshark preferences directory (mac/linux that's ~/.wireshark/).

If you look in there at the ssl_keys file, you'll see all your keys listed. tshark respects this file when starting up, so you could configure multiple keys in the GUI, and then using tshark, it will inherit all of those same keys BY DEFAULT and you won't need to use the -o flag.

Have fun!

permanent link

answered 27 Feb '13, 06:40

zachad's gravatar image

accept rate: 21%


One additional note: If you specify more than one key for a given IP address and port combination, only the last will be tried.

(06 Mar '13, 18:50) rakslice
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 26 Feb '13, 23:03

question was seen: 3,191 times

last updated: 06 Mar '13, 18:50

p​o​w​e​r​e​d by O​S​Q​A