This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can Wireshark decrypt SSL on same client PC with browser?

0

Is there a way to pair up my instance of Wireshark with the Browser running on my PC so that I can decrypt my own SSL sessions? I'm not trying to feed other captures to my instance of Wireshark. It just seems that on the same PC that is able to conduct the SSL session there should be a way for Wireshark to be able to have access to the decrypted payloads. I'd really like to pair this up with Firebug/Firefox so that I can make sense of SSL/HTTPS packet flows for multi-object web page performance analysis. Today I'm unable to precisely analyze the packets for the elements conducted within such a TCP session.

asked 14 Mar '12, 07:11

RichardBerke's gravatar image

RichardBerke
1222
accept rate: 0%

I saw the posts about SSL decryption when you have the private keys manually. I don't have and can't get them. The servers are Production, and sometimes (often) not in my company. Somehow my Browser is able to conduct sessions okay with the servers I aim to. I want somehow to have Wireshark's rich TCP related troubleshooting of the packets of my own system, that my own system already knows how to interpret up at the Browser. I don't see how to do that. Maybe there isn't a way today (Wireshark 1.7).

(14 Mar '12, 12:21) RichardBerke

One Answer:

2

As long as you have the private key of the server, you can decrypt the session. See the wiki page SSL for more info, or see the answers to this question which apparently allow you to do this with the "openssl s_client" output.

Edit. Presuming your comment was in response to this answer, I've found some more info:

There is a reason that it's difficult to get access to the contents of a protected SSL/TLS conversation and it's called security :-)

The question I linked to shows that using the open ssl client utility instead of a browser allows the export of key info that can be used to decrypt the conversation.

The info in bug 4349 also indicates that a specially built debug version of Firefox (or more specifically the NSS library used by FF) can output key info allowing Wireshark to decrypt the conversation.

Another option might be to install Fiddler, a web debugging proxy, but I don't think this will allow Wireshark captures of the decrypted conversation on Windows, but might on other OS's that can capture on 'loopback' connections.

answered 14 Mar '12, 07:30

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 14 Mar '12, 14:17

Thanks grahamb. I'll read up some more about OpenSSL and getting the key so Wireshark can use it. That thread about bug 4349 sounds interesting, too.

I understand Fiddler is/provides a proxy, but I'd expect Wireshark to only see packets right before the network card, where they'd still be encrypted.

Richard

(15 Mar '12, 04:55) RichardBerke

I've converted your "answer" to a comment as that's how this site works, see the FAQ.

The way a proxy works it will create a socket on the local machine (127.0.0.1) that the browser connects to. On Windows this traffic is nigh on impossible to capture, but I think can be done on other OS's.

(15 Mar '12, 05:42) grahamb ♦