This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypting SSL using Wireshark Linux vs Windows

1

I'm working on decrypting my own traffic that gets sent through Wireshark and I've been following this guide for reference. I have been using the SSLKEYLOGFILE environment variable and I can get the key files populated on both Windows 8.1 and Ubuntu 14.04 LTS.

The test I'm using is logging on to Facebook and looking for the Decrypted SSL Data tab on Wireshark. It appears while running Windows, but it's nowhere to be found on Linux. I've also noticed that in the Protocol tab, SSL will appear among all the protocols in Windows, but it's nowhere to be found on the Linux version. Both still show TLSv1.2, so I don't believe I'm connecting to an unsecured version of Facebook.

The Linux version of Wireshark is compiled with GnuTLS 2.12.23, so that is not the issue either. Can anyone help?

asked 27 Oct '15, 09:10

testmagee

What's the version of Wireshark on Windows and Linux?

(27 Oct '15, 09:40) Kurt Knochner ♦

My version is 1.10.6 on Linux and 1.12.8 on Windows.

(27 Oct '15, 10:24) testmagee

One Answer:

3

Wireshark 1.10.x has some bugs that might prevent successful decryption of SSL/TLS data. Version 1.12 has seen many improvements in that area and is recommended. On Ubuntu 14.04, you can install the wireshark-dev/stable PPA:

sudo apt-add-repository ppa:wireshark-dev/stable
sudo apt-get update
sudo apt-get upgrade

That repository is currently maintained by the Debian maintainer of Wireshark. The current version in that repo is wireshark 1.12.8+g5b6e543-2~trusty1.

answered 29 Oct '15, 02:53

Lekensteyn

Thank you so much. I previously installed from the Ubuntu software center. I guess it didn't have the most recent version. This solved my issue.

(29 Oct '15, 14:52) testmagee
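Before blaming the Wireshark version, it is worth checking that the SSLKEYLOGFILE the browser wrote actually contains entries in the format Wireshark expects and then feeding it to tshark directly. The script below is an added example, not code from the original thread; it assumes POSIX sh with awk, and uses the 1.12-era preference name ssl.keylog_file (Wireshark 3.0 and later renamed it to tls.keylog_file).

```shell
#!/bin/sh
# Added example: validate an SSLKEYLOGFILE and build the tshark command
# that decrypts a capture with it. Assumes POSIX sh + awk; tshark itself
# is not required to run this script.

# Wireshark (1.12/TLS <= 1.2) understands two key-log line formats:
#   RSA <16 hex> <96 hex>            first 8 bytes of the encrypted
#                                    pre-master secret, then the 48-byte secret
#   CLIENT_RANDOM <64 hex> <96 hex>  32-byte client random, 48-byte master secret
# Comment lines ("#") and blank lines are ignored; anything else is counted
# as unrecognized (e.g. TLS 1.3 labels written by newer browsers).
count_keylog_entries() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }
        $1 == "CLIENT_RANDOM" && length($2) == 64 && length($3) == 96 { ok++; next }
        $1 == "RSA"           && length($2) == 16 && length($3) == 96 { ok++; next }
        { other++ }
        END { printf "%d %d\n", ok + 0, other + 0 }
    ' "$1"
}

# Returns 0 only if at least one usable secret is present.
keylog_is_usable() {
    set -- $(count_keylog_entries "$1")
    [ "$1" -gt 0 ]
}

# Command to decrypt a capture with the key log and show decrypted HTTP.
tshark_decrypt_cmd() {
    printf 'tshark -r %s -o ssl.keylog_file:%s -Y http -V\n' "$1" "$2"
}

# Constructed sample key log (patterned hex, not real secrets): two valid
# lines and one CLIENT_RANDOM line with a truncated client random.
H16=0123456789abcdef
H64=$H16$H16$H16$H16
H96=$H64$H16$H16
write_sample_keylog() {
    cat >"$1" <<EOF
# SSL/TLS secrets log file, generated by NSS
CLIENT_RANDOM $H64 $H96
RSA $H16 $H96
CLIENT_RANDOM deadbeef $H96
EOF
}

f=$(mktemp)
write_sample_keylog "$f"
count_keylog_entries "$f"                  # prints "2 1"
tshark_decrypt_cmd facebook.pcapng "$f"    # command to run against a real capture
rm -f "$f"
```

If the count is 0, the browser is not writing secrets (wrong variable scope or a build without key-log support) and no Wireshark version will decrypt the session.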