How to Decrypt HTTPS in Wireshark

by: George El., February 2019, Reading time: 1 minute

In this post, I will show you how to decrypt an HTTPS session with Wireshark. These instructions will only work with Windows 10 and the Chrome or Firefox browser.

First I am going to browse to udemy.com and capture the traffic with Wireshark. You can see that Wireshark cannot see above the TCP layer because the traffic is encrypted with TLSv1.2.

If you want to download the pcap files, click here. If you want to see a larger image, right-click it and open it in a new tab.

Now go to Control Panel, System, Advanced system settings, Environment Variables. There, create a new user variable called SSLKEYLOGFILE. As its value, specify a log file where the SSL keys will be stored. In my case I chose sslkey.log in the sslkey folder of my user documents.

Now go to Wireshark, Edit, Preferences, Protocols, and find SSL. There, specify the log filename that you used in the previous step.

Now let's visit the site again. This time, in packet 14, we can see inside the HTTP headers.
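If the HTTP headers still do not show up, check that the browser is writing usable entries to the file named in SSLKEYLOGFILE and that it holds a secret for the session you captured. The script below is an added example, not part of the original post: it parses the NSS key log format, reports malformed lines, and looks up the Random value copied from the Client Hello; the function names and the sample data are constructed for illustration.

```python
import re
from collections import Counter

# Labels of the NSS key log format -> allowed hex lengths (second field, secret).
# A TLS 1.2 session, as in the capture above, produces CLIENT_RANDOM lines.
LENGTHS = {"RSA": ({16}, {96}), "CLIENT_RANDOM": ({64}, {96})}
for _label in ("CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
               "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
               "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"):
    LENGTHS[_label] = ({64}, {64, 96})  # TLS 1.3: secret size depends on the hash
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return (entries, problems); entries are (label, client_random, secret)."""
    entries, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        parts = line.split()
        if len(parts) != 3:
            problems.append((n, "expected 3 fields"))
            continue
        label, rand, secret = parts
        if label not in LENGTHS:
            problems.append((n, "unknown label " + label))
        elif not (HEX.match(rand) and HEX.match(secret)):
            problems.append((n, "non-hex field"))
        elif len(rand) not in LENGTHS[label][0] or len(secret) not in LENGTHS[label][1]:
            problems.append((n, "bad field length for " + label))
        else:
            entries.append((label, rand.lower(), secret.lower()))
    return entries, problems

def has_session(entries, client_random_hex):
    """True if the log holds a secret for the Random shown in the Client Hello."""
    wanted = client_random_hex.replace(":", "").replace(" ", "").lower()
    return any(rand == wanted for _, rand, _ in entries)

# Constructed sample, not real key material.
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "12" * 32 + " " + "ef" * 20,  # truncated secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "34" * 32 + " " + "56" * 32,
])

if __name__ == "__main__":
    entries, problems = parse_keylog(SAMPLE)
    print(Counter(label for label, _, _ in entries), problems)
    print(has_session(entries, "ab" * 32))
```

Anyone who can read this file can decrypt the matching captured traffic, so keep it out of shared folders and remove the SSLKEYLOGFILE variable when you are done.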
