Debug TLS With Wireshark

How to Debug Encrypted Traffic (TLS/HTTPS) with Wireshark

This guide describes how to capture and decrypt TLS (HTTPS) traffic from applications (e.g., Python, Chrome, cURL). We assume you are monitoring the 'Ethernet' interface.

Step 1: Configure Wireshark

  • Open Wireshark.

  • Select from the menu: 'Edit → Preferences…'.

  • Expand 'Protocols' and select 'TLS'.

  • In the '(Pre)-Master-Secret log filename' field, enter a path for the key file, for example C:\temp\ssl_keys.txt.

  • Click OK.

Step 2: Run the Capture

  • Open a new terminal (CMD). Set the temporary environment variable:

set SSLKEYLOGFILE=C:\temp\ssl_keys.txt

IMPORTANT
This variable will be set only for this terminal window and will disappear when you close it. No system restart is required.

  • In Wireshark, start capturing on the 'Ethernet' interface.

  • From the same terminal window, run your script:

python my_script.py

  • Perform the actions in your script that generate network traffic.

  • Stop the capture in Wireshark.

Step 3: Analysis

  • In Wireshark’s filter bar, type 'http' or 'http2' (or 'ip.addr == X.X.X.X').

  • Instead of 'TLS Application Data' packets, you will see decrypted traffic (e.g., 'HTTP: GET /path…').

  • Click a packet to see its full contents in the bottom panel.
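
If the capture still shows only 'TLS Application Data', check that the application actually wrote secrets to the key file. The following Python script is an added example, not part of the original guide: it parses the NSS key log format used by that file and reports the sessions and labels it holds. The function name and the SAMPLE data are illustrative assumptions.

```python
import re
from collections import Counter

# TLS 1.3 labels of the NSS key log format; TLS 1.2 sessions use CLIENT_RANDOM.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# <LABEL> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def summarize_keylog(text):
    """Count labels and distinct sessions; list line numbers that do not parse."""
    labels, sessions, unparsed = Counter(), set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        m = LINE_RE.match(line)
        if not m:                              # truncated or legacy-format line
            unparsed.append(lineno)
            continue
        labels[m.group(1)] += 1
        sessions.add(m.group(2).lower())       # client random identifies the session
    return {
        "labels": dict(labels),
        "sessions": len(sessions),
        "tls13": any(name in TLS13_LABELS for name in labels),
        "unparsed": unparsed,
    }

# Constructed sample (not real secrets): one TLS 1.2 session, one TLS 1.3
# session, and a truncated last line as left by a process killed mid-write.
SAMPLE = "\n".join([
    "# constructed key log for illustration",
    "CLIENT_RANDOM " + "a1" * 32 + " " + "b2" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "c3" * 32 + " " + "d4" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "c3" * 32 + " " + "e5" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "c3" * 32 + " " + "f6" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "c3" * 32 + " " + "07" * 32,
    "CLIENT_RANDOM " + "a1" * 16,
])

if __name__ == "__main__":
    import os, sys, pathlib
    path = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SSLKEYLOGFILE")
    text = pathlib.Path(path).read_text(errors="replace") if path else SAMPLE
    print(summarize_keylog(text))
```

A session count of 0 means the application never wrote secrets, typically because it was started from a different terminal or its TLS library does not honor SSLKEYLOGFILE.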

Step 4: Restoring State (Cleanup)

  • Close the terminal window. This automatically removes the SSLKEYLOGFILE variable.

  • In Wireshark ('Preferences → Protocols → TLS'), clear the '(Pre)-Master-Secret log filename' field.

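  • Delete the key file (e.g., C:\temp\ssl_keys.txt). It contains the session secrets for the captured connections, so anyone who has both the file and the capture can decrypt the traffic.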