Reputation: 1699
How to view Encrypted Application Data in Wireshark
I have written an Android app to get JSON data via HTTPS and I want to use Wireshark to capture the data.
How can I view the Encrypted Application Data?
Upvotes: 4
Views: 32248
Answers (2)
Reputation: 34423
Using a Key Log File
Wireshark can decrypt TLS data if you provide a file containing the master secret that's exchanged during a TLS connection.
Define the location of the log file using an environment variable:
export SSLKEYLOGFILE=~/.ssl-key.log
You can make this permanent by putting that line into your .bashrc or bash_profile but keeping those secrets lying around poses a security risk.
Then, point Wireshark to that file:
- Go to preferences (press Ctrl+Shift+p) → Protocols → TLS (no need to scroll all the way down, you can type "TLS")
- Enter the path of the log file in "(Pre)-Master-Secret log filename"
Start capturing packets with Wireshark, create some TLS traffic (with curl for example), and inspect the decrypted data:
Your SSLKEYLOGFILE will contain lines like these:
CLIENT_RANDOM c1299911e65097c367c0124fb97548f81b618cbdc9c270c10a350c4fd39f3eb6 0d7523a42610316250b7a72fe2881daa6aff1bedf5955c64a747fc43bd93cbf1bf3650eeabb8f47b350feaedd7209952
Here are some resources regarding TLS in Wireshark:
The Wireshark version in this answer is 3.4.6 running on Arch Linux 5.12.9.
Upvotes: 3
Related Questions
- Decrypt TLS traffic from mobile application
- Decrypting SSL/TLS traffic from a app with Wireshark
- View plain response (from HTTPS) in WireShark
- Cannot decrypt HTTPS Traffic with Wireshark
- Decrypt client-side SSL traffic in Wireshark generated by Java HttpsURLConnection
- How to decrypt service to service SSL traffic using wireshark?
- Decrypting HTTPS traffic in Wireshark not working
- How to see the encrypted key in wireshark, during ssl key exchange?
- Is it possible to decrypt Wireshark packages using web browser certificates?
- Read the information my computer is sending on an ssl connection