Gaining More Visibility With Wireshark
Wireshark is a useful tool for anyone who works with products that use computer networks. But many times there is also TLS involved (and I hope there is :)), which makes Wireshark much less useful, since you can't see any application-layer data in decrypted form. How do you decrypt that traffic? Let's see in this short post.
When I start capturing network traffic in Wireshark, I wouldn’t typically see much:
From the transport layer I can guess that this is HTTP traffic wrapped in TLS coming to my network card, but I can't read any of the data because it is TLS encrypted.
However, there's a way to gain more visibility by decrypting such traffic.
It takes the following steps:
- setting a
- setting the secret log filename in Wireshark's TLS settings
That's not difficult or lengthy.
I’ll first export the env variable with the following value:
To check it is set correctly, the variable must show up when I list the variables that are exported to subshells (the browser has to be started from this shell, or a child of it, to inherit the variable; a browser that was already running will not pick it up):
$ env | grep SSL
If it returns what I set up above, I can go on.
If I now open a browser and navigate to some site using https, I should be able to see content in
Now I only need to set this file in Wireshark's TLS settings. I go to Preferences => Protocols => TLS and set it as the (Pre)-Master-Secret log filename:
Wireshark should now be able to decrypt TLS traffic going through the browser, both for live captures and for a saved capture file, as long as the secrets of those sessions were written to the log file (sessions established before the variable was set stay opaque). This works for TLS 1.2 and TLS 1.3 alike. Keep in mind that the log file holds everything needed to decrypt every captured session, so treat it as a secret: don't leave it lying around, and delete it when the testing is done.
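When decryption doesn't work, the usual cause is that the browser never wrote any secrets, so it helps to check the key log file itself before blaming Wireshark. The script below is an added example, not code from the original post. It assumes the environment variable is SSLKEYLOGFILE (the name Firefox, Chromium and curl honor) and that the file uses the NSS key log format Wireshark reads: one secret per line, a label, the 32-byte client random in hex, then the secret in hex. The sample key log it builds is constructed with dummy hex values for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes the variable name
# SSLKEYLOGFILE and the NSS key log format; the sample file is constructed.

# Check that SSLKEYLOGFILE is exported, not merely set in the current shell.
# `env` only lists exported variables, so this mirrors `env | grep SSL`.
check_keylog_env() {
    env | grep -q '^SSLKEYLOGFILE='
}

# Count the well-formed secret lines in the key log file given as $1 and
# print the count. Returns 0 if at least one usable secret is present,
# 1 otherwise. Zero lines means the client never logged secrets: usually
# it was started from a shell without the variable, or was already running.
count_keylog_secrets() {
    local f="$1"
    [ -r "$f" ] || { echo 0; return 1; }
    local n
    # TLS 1.2 logs CLIENT_RANDOM with a 48-byte master secret (96 hex chars);
    # TLS 1.3 logs per-direction traffic secrets of 32 or 48 bytes.
    n=$(grep -cE '^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET) [0-9a-fA-F]{64} [0-9a-fA-F]{64,96}$' "$f" || true)
    echo "$n"
    [ "$n" -gt 0 ]
}

# Build a constructed key log file with dummy values (one TLS 1.2 line and
# two TLS 1.3 lines, plus a comment and a blank line that must be ignored)
# and print its path.
make_sample_keylog() {
    local f
    f=$(mktemp)
    local r16=0123456789abcdef
    local rand="$r16$r16$r16$r16"      # 64 hex chars: 32-byte client random
    local sec48="$rand$r16$r16"        # 96 hex chars: 48-byte master secret
    local sec32="$rand"                # 64 hex chars: 32-byte TLS 1.3 secret
    {
        echo "# constructed sample, not real secrets"
        echo "CLIENT_RANDOM $rand $sec48"
        echo ""
        echo "CLIENT_HANDSHAKE_TRAFFIC_SECRET $rand $sec32"
        echo "CLIENT_TRAFFIC_SECRET_0 $rand $sec32"
    } > "$f"
    echo "$f"
}
```

Typical use: `export SSLKEYLOGFILE=/tmp/keylog.txt`, start the browser from that same shell, browse to an https site, then run `count_keylog_secrets "$SSLKEYLOGFILE"`; a count above zero means the file is ready for the Wireshark preference above. The same file also works from the command line, e.g. `tshark -r capture.pcapng -o "tls.keylog_file:$SSLKEYLOGFILE" -Y http`.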
For example, I can see the same traffic as in the first screen in this article, but in a decrypted form:
I can see it was an icon coming to my browser.
Wireshark can bring more visibility to testing, which is sometimes helpful when trying to understand how some communication works or what data is sent back and forth. It's one of the tools I sometimes use in testing.