0 Replies Latest reply on Dec 24, 2013 11:14 AM by ijahnke

    How to decrypt SSL traffic with wireshark

    ijahnke

      Getting a packet capture is great and all, however, it's frustrating when the information you need is encrypted. To solve this you will need to grab the server's private key in PEM format and load it into Wireshark.

      This is using Wireshark 1.6.5

      • Open Wireshark and go to Edit -> Preferences
        [screenshot: prefrences.png]
      • In the Preferences page, in the left column, expand Protocols and select SSL
        [screenshot: prefs_protocols.png]
      • Click the Edit button in the top right for RSA keys list
        [screenshot: prefs_prots_ssl_edit.png]
      • Click on New to create a new SSL Decrypt profile (you will need to create a profile for every unique IP address and port you want to test)
        [screenshot: ssl_edit_new_profile.png]
      • Add the information:
        • IP address: the IP of the device that uses the private key
        • Port: the port that you want to test (80, 443, 25, etc.)
        • Protocol: http, smtp, ldap, etc.
        • Key File: the private key in PEM format
        • Password: only if the key is password protected
          [screenshot: ssl_edit_new_profile_settings.png]
      • Click OK twice and load the packet capture
      • In the display pane of the packet capture (where you can see all the packets), right click on a packet for the connection you want to view and select "Follow SSL Stream"
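The same RSA keys list can be set without the dialog, since Wireshark stores it as the `ssl.keys_list` preference (one `ip,port,protocol,keyfile[,password]` row per profile, rows separated by `;`) that tshark accepts via `-o`. The script below is an added example, not part of the original post: it builds those rows from the dialog's fields and pre-checks the mistakes that silently leave a stream encrypted (hostname instead of IP, DER or PKCS#12 key instead of PEM, password-protected key with no password). The IP 192.0.2.10, the path /tmp/server.pem and the PEM samples are constructed placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample key files (PEM armour only, no real key material):
# the checker inspects only the header lines, never the key body.
SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\n...constructed...\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n...constructed...\n"
                        "-----END RSA PRIVATE KEY-----\n")
PEM_HEADERS = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----")


@dataclass(frozen=True)
class SslDecryptProfile:
    """One row of Wireshark's RSA keys list: the fields of the dialog above."""
    ip: str
    port: int
    protocol: str
    key_file: str
    password: str = ""

    def entry(self) -> str:
        # ssl.keys_list row format: ip,port,protocol,keyfile[,password]
        fields = [self.ip, str(self.port), self.protocol, self.key_file]
        if self.password:
            fields.append(self.password)
        return ",".join(fields)


def problems(profile: SslDecryptProfile, pem_text: str) -> list:
    """Return the reasons this profile would fail to decrypt; [] if it looks usable."""
    found = []
    try:
        ipaddress.ip_address(profile.ip)
    except ValueError:
        found.append("ip must be a literal address (the server holding the key)")
    if not 0 < profile.port < 65536:
        found.append("port out of range")
    if not re.fullmatch(r"[a-z0-9-]+", profile.protocol):
        found.append("protocol must be a dissector name such as http or smtp")
    if not pem_text.lstrip().startswith(PEM_HEADERS):
        found.append("key file is not a PEM private key (convert DER/PKCS#12 first)")
    if "Proc-Type: 4,ENCRYPTED" in pem_text and not profile.password:
        found.append("key is password protected but no password was given")
    return found


def keys_list(profiles) -> str:
    return ";".join(p.entry() for p in profiles)


def tshark_command(pcap: str, profiles) -> list:
    # Same settings on the command line. Caveat: an RSA private key only recovers
    # sessions negotiated with RSA key exchange; DHE/ECDHE suites stay encrypted.
    return ["tshark", "-r", pcap, "-o", "ssl.keys_list:" + keys_list(profiles)]
```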