@EddiG
Last active March 31, 2024 10:34
How to decrypt SSL/TLS traffic in Wireshark on MacOS

The main point is to save the SSL/TLS keys used by the web browser (SSLKEYLOGFILE=/tmp/tmp-google/.ssl-key.log).
In the example below we run a brand-new instance of Google Chrome (--user-data-dir=/tmp/tmp-google does the trick):
SSLKEYLOGFILE=/tmp/tmp-google/.ssl-key.log /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --user-data-dir=/tmp/tmp-google
Then run Wireshark and open Preferences -> Protocols -> SSL, and put the path to the SSL keys log file into the (Pre)-Master-Secret log filename field.
Now all SSL/TLS traffic from this browser instance will be decrypted.
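
Before loading the key log into Wireshark, it helps to confirm that the browser is writing usable entries and that the file, which holds the secrets for every session it lists, is not readable by other accounts. The script below is an added example, not part of the original gist; the function names and script name are assumptions, and the line layout it checks is the NSS key log format that SSLKEYLOGFILE produces.

```shell
#!/bin/sh
# Added example: sanity-check an SSLKEYLOGFILE before giving it to Wireshark.
# Usage: sh check-keylog.sh /tmp/tmp-google/.ssl-key.log  (script name is hypothetical)

# Succeeds only if FILE exists and is not readable by group or other users.
# The file holds the secrets needed to decrypt every session it lists.
keylog_private() {
  [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Prints "<label> <count>" for each well-formed label, plus "INVALID <count>".
keylog_summary() {
  awk '
    /^#/ || NF == 0 { next }   # comments and blank lines are allowed
    {
      ok = (NF == 3 && $1 ~ /^[A-Z0-9_]+$/ &&
            $2 ~ /^[0-9a-fA-F]+$/ && $3 ~ /^[0-9a-fA-F]+$/)
      # TLS 1.2 entries: 32-byte client random, 48-byte master secret
      if (ok && $1 == "CLIENT_RANDOM")
        ok = (length($2) == 64 && length($3) == 96)
      if (ok) count[$1]++; else bad++
    }
    END {
      for (label in count) print label, count[label]
      print "INVALID", bad + 0
    }
  ' "$1" | LC_ALL=C sort
}

# Run the checks only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
  keylog_private "$1" || echo "warning: $1 is missing or readable by other users" >&2
  keylog_summary "$1"
fi
```

A summary that shows only `INVALID 0` means nothing has been logged yet, usually because the browser was not started with the variable set. TLS 1.3 sessions appear under the `*_TRAFFIC_SECRET` labels rather than `CLIENT_RANDOM`.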

@jerrymannel

This was a lifesaver. Thanks.

-J

@sirupsen

sirupsen commented Jul 9, 2021

Thanks for this :) If you're using CURL you can pass the exact same environment variable.

More here: https://everything.curl.dev/usingcurl/tls/sslkeylogfile

@felixhammerl

If you want this permanent, for the entire OS, here's how: https://gist.github.com/felixhammerl/61e096924af34e91b43a930f36d3e1f9

@savenas

savenas commented Dec 11, 2021

Update: Then run the Wireshark and open the Preferences -> Protocols -> TLS, where we put the path to the SSL keys log file into the (Pre)-Master-Secret log filename field.


@kat47

kat47 commented Mar 31, 2024

This works. Thanks @EddiG
