November 26, 2014

Using tshark to decrypt SSL traffic

  • Get the private key of the SSL server in PEM/PKCS12 format (if conversion is required, see the link below) and save only the key into a file
  • Have the tcpdump/snoop capture file to be decrypted
  • Check the tshark default preferences relating to SSL


  • Run tshark with the ssl.keys_list parameter to read the decrypted SSL data
  • The ssl.keys_list variable has 4 values: x.x.x.x (IP), port, upper-layer protocol, private RSA key filename
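
The steps above as one script, added here as an example and not taken from the original post: it validates the four ssl.keys_list fields before calling tshark. The function names, script name and sample address are assumptions.

```shell
#!/bin/sh
# Added example; addresses, paths and names are constructed placeholders.

# Print the 4-field ssl.keys_list value (IP,port,protocol,keyfile).
# Returns non-zero if a field would make the preference unusable.
build_keys_list() {
    [ "$#" -eq 4 ] || { echo "need: ip port protocol keyfile" >&2; return 1; }
    ip=$1 port=$2 proto=$3 key=$4
    # Fields are comma-separated, so none may contain a comma.
    case "$ip$port$proto$key" in
        *,*) echo "fields must not contain ','" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } 2>/dev/null ||
        { echo "bad port: $port" >&2; return 1; }
    [ -r "$key" ] || { echo "cannot read key file: $key" >&2; return 1; }
    # The file must hold the private key itself, not a certificate.
    grep -q -e '-----BEGIN \(RSA \)\{0,1\}PRIVATE KEY-----' "$key" ||
        { echo "no PEM private key in $key" >&2; return 1; }
    # A passphrase-protected PEM key cannot be loaded unattended.
    if grep -q 'Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "key is passphrase-protected; decrypt it first" >&2; return 1
    fi
    printf '%s,%s,%s,%s\n' "$ip" "$port" "$proto" "$key"
}

# decrypt_capture CAPTURE IP PORT PROTOCOL KEYFILE
decrypt_capture() {
    pcap=$1; shift
    kl=$(build_keys_list "$@") || return 1
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 1; }
    # Show the SSL preferences currently in effect.
    tshark -G currentprefs | grep -i 'ssl\.' || true
    # Read the capture with the key supplied for this run only.
    tshark -r "$pcap" -o "ssl.keys_list:$kl" -Y "$3" -V
}

# Run only when called with all five arguments, e.g.
#   sh decrypt.sh capture.pcap 192.0.2.10 443 http ./server.key
if [ "$#" -eq 5 ]; then
    decrypt_capture "$@"
fi
```

A server RSA key only decrypts sessions negotiated with RSA key exchange; sessions that used (EC)DHE cipher suites stay encrypted even with the correct key.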

Info on key conversions and more at http://wiki.wireshark.org/SSL
