
Debug TLS With Wireshark

This guide describes how to capture and decrypt TLS (HTTPS) traffic from applications (e.g., Python, Chrome, cURL). We assume you are monitoring the ‘Ethernet’ interface.

Step 1: Configure Wireshark

  • Open Wireshark.
  • Select from the menu: ‘Edit -> Preferences…’.
  • Expand ‘Protocols’ and select ‘TLS’.
  • In the ‘(Pre)-Master-Secret log filename’ field, enter a path for the key file, for example C:\temp\ssl_keys.txt.
  • Click OK.

Step 2: Run the Capture

  • Open a new terminal (CMD). Set the temporary environment variable:
        set SSLKEYLOGFILE=C:\temp\ssl_keys.txt
    This variable will be set only for this terminal window and will disappear when you close it. No system restart is required.
  • In Wireshark, start capturing on the ‘Ethernet’ interface.
  • From the same terminal window, run your script:
        python my_script.py
  • Perform the actions in your script that generate network traffic.
  • Stop the capture in Wireshark.

Step 3: Analysis

  • In Wireshark’s filter bar, type ‘http’ or ‘http2’ (or ‘ip.addr == X.X.X.X’).
  • Instead of ‘TLS Application Data’ packets, you will see decrypted traffic (e.g., ‘HTTP: GET /path…’).
  • Click a packet to see its full contents in the bottom panel.
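
If packets still show as ‘TLS Application Data’, check whether the key file actually holds secrets for that session. The script below is an added example, not part of the original guide: it parses the key log file written via SSLKEYLOGFILE and reports, per client random, whether the secrets needed for decryption are present, without returning any secret value. The sample lines are constructed.

```python
import re
import sys
from collections import defaultdict

# Labels from the NSS key log format (the file SSLKEYLOGFILE points to).
TLS12 = {"CLIENT_RANDOM"}
# TLS 1.3: secrets needed to decrypt both the handshake and application data.
TLS13_NEEDED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS13_OTHER = {"EXPORTER_SECRET", "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET"}
KNOWN = TLS12 | TLS13_NEEDED | TLS13_OTHER
# Line layout: <label> <64 hex chars of client random> <hex secret>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def summarize_keylog(text):
    """Map each client random to a status string; secret values are never returned."""
    labels, malformed = defaultdict(set), []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # the format allows blank lines and comments
        m = LINE_RE.match(line)
        if not m or m.group(1) not in KNOWN:
            malformed.append(lineno)  # e.g. a line cut off mid-write
            continue
        labels[m.group(2).lower()].add(m.group(1))
    sessions = {}
    for client_random, seen in labels.items():
        if seen & TLS12:
            sessions[client_random] = "tls1.2: complete"
        else:
            missing = sorted(TLS13_NEEDED - seen)
            sessions[client_random] = "tls1.3: " + (
                "missing " + ",".join(missing) if missing else "complete")
    return sessions, malformed

# Constructed sample (dummy values, not real key material).
CR_A, CR_B, CR_C = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE = "\n".join([
    "# constructed sample",
    f"CLIENT_RANDOM {CR_A} {'11' * 48}",
    *(f"{label} {CR_B} {'22' * 32}" for label in sorted(TLS13_NEEDED)),
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_C} {'33' * 32}",
    "CLIENT_RANDOM truncated-line",
])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(*summarize_keylog(text), sep="\n")
```

Run it with the key file path as the only argument, then compare the reported client randoms with the Random field of the Client Hello in the capture. A session with no matching client random in the file was not logged, for example because the application was started outside the terminal where SSLKEYLOGFILE was set.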

Step 4: Restoring State (Cleanup)

  • Close the terminal window. This automatically removes the SSLKEYLOGFILE variable.
  • In Wireshark (‘Preferences -> Protocols -> TLS’), clear the ‘(Pre)-Master-Secret log filename’ field.
  • Delete the key file (e.g., C:\temp\ssl_keys.txt). Together with the capture, it allows the recorded sessions to be decrypted.