This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to decrypt ssl traffic with tshark 1.6?

2

With previous versions (1.4.x) of tshark I've used the ssl.key_list option, in the following way:

tshark.exe -r input.pcap -o ssl.keys_list:172.30.2.107,443,http,private.key  -R "http.request" -T fields -e frame.number -e "tcp.stream"

But this seems to no longer work, probably because with new versions of wireshark, ssl keys are specified in a file of their own and not under the preferences file. So how should I specify the ssl keys for tshark in 1.6? Must I edit the ssl config file? Is it a bug?

asked 27 Jun '11, 06:51


r0u1i

edited 27 Jun '11, 06:51


One Answer:

1

The new version of Wireshark (v1.6.x) puts the ssl.key_list in a file named ssl_keys, which is in the personal profile folder; copy the string from there and paste it under the "-o ssl.keys_list:" option. The difference between the new version and the old version is the "ssl.key_list" option format: the new version should use a UAT string. The following is a command line which works for me.

tshark -r private_bob.pcap -o ssl.keys_list:"192.168.3.206","443","http","e:\education\ssl\wireshark_ssl\private-key.pem" -o ssl.debug_file:"e:\temp\ssl-debug.log" -V -R http

It seems to only work with a key file in PEM format without a passphrase; I can't use a p12 format cert file with the private key even if I provide the passphrase for the private key, like in Wireshark.

answered 25 Aug '11, 18:36


Raymond Wang

edited 09 Feb '12, 05:06


grahamb ♦
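As an added example (not code from the thread or from the Wireshark project), a small POSIX shell wrapper that builds the 1.6-style quoted UAT entry for ssl.keys_list and first checks that the key is an unencrypted PEM file, the only form the answer above reports working. The pcap name, key path, debug log name and output fields are assumptions.

```shell
#!/bin/sh
# Added example: build the tshark 1.6 UAT entry for ssl.keys_list and
# refuse keys the answer above says will not work (p12 bundles,
# passphrase-protected PEM). File names here are placeholders.

# Print the quoted UAT entry: "ip","port","protocol","keyfile"
build_keys_list() {
  ip="$1"; port="$2"; proto="$3"; keyfile="$4"
  printf '"%s","%s","%s","%s"\n' "$ip" "$port" "$proto" "$keyfile"
}

# Return 0 for an unencrypted PEM private key, 1 for a PEM key that
# carries a passphrase (traditional "Proc-Type: 4,ENCRYPTED" header or
# a PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" block), 2 if the file is not
# PEM at all (for example a PKCS#12 / .p12 bundle).
check_pem_key() {
  f="$1"
  if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
    return 2
  fi
  if grep -q -- 'ENCRYPTED' "$f"; then
    return 1
  fi
  return 0
}

# Decrypt the server's HTTPS stream only when the key passes the check.
# Uses the 1.6-era -R read filter from the thread, not the later -Y.
decrypt_http_stream() {
  pcap="$1"; ip="$2"; port="$3"; keyfile="$4"
  check_pem_key "$keyfile" || {
    echo "key must be an unencrypted PEM private key: $keyfile" >&2
    return 1
  }
  entry=$(build_keys_list "$ip" "$port" http "$keyfile")
  tshark -r "$pcap" -o "ssl.keys_list:$entry" \
    -o "ssl.debug_file:ssl-debug.log" \
    -R http -T fields -e frame.number -e tcp.stream
}

# Example invocation (placeholder names):
# decrypt_http_stream input.pcap 192.168.3.206 443 /path/to/private-key.pem
```

On Windows the key path keeps its backslashes inside the quoted field, as in the answer's command line; the ssl.debug_file output is the first place to look when decryption silently produces no HTTP frames.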

Check the option string in the ssl_keys file; I find all the backslashes in the key file path are lost in my answer.

(25 Aug '11, 18:41) Raymond Wang

Thanks, and sorry for the late response. It works in 1.6.2, but it seems that it doesn't work anymore in 1.6.5 ... investigating further.

(09 Feb '12, 04:07) r0u1i

To display the "\" character in your answer, you need to "escape" it with another backslash. You also need to prefix an underscore with a backslash. I've fixed the backslashes and underscores in your answer.

(09 Feb '12, 05:02) grahamb ♦

Is the private-key.pem on the web server? I want to use it to call the remote server.... Fiddler doesn't need any key file, but it only supports Windows.

(07 Sep '15, 00:30) zhylninc