Debug TLS With Wireshark
This guide describes how to capture and decrypt TLS (HTTPS) traffic from applications (e.g., Python, Chrome, cURL). It works by having the application write its TLS session secrets to a key log file (the SSLKEYLOGFILE mechanism), which Wireshark then uses to decrypt the captured packets. The application must support key logging: Python 3.8+ (via ssl.create_default_context()), Chrome and cURL built against OpenSSL all honor the SSLKEYLOGFILE variable. We assume you are monitoring the ‘Ethernet’ interface.
Step 1: Configure Wireshark
- Open Wireshark.
- Select from the menu: ‘Edit -> Preferences…’.
- Expand ‘Protocols’ and select ‘TLS’.
- In the ‘(Pre)-Master-Secret log filename’ field, enter a path for the key file, for example C:\temp\ssl_keys.txt.
- Click OK.
Step 2: Run the Capture
- Open a new terminal (CMD). Set the temporary environment variable:
set SSLKEYLOGFILE=C:\temp\ssl_keys.txt
This variable will be set only for this terminal window and will disappear when you close it. No system restart is required. The application reads the variable at start-up, so it must be launched from this terminal; for Chrome, close all running Chrome windows first, otherwise the new chrome.exe hands off to the existing process and no keys are logged.
- In Wireshark, start capturing on the ‘Ethernet’ interface. Start the capture before the application connects: Wireshark matches key log entries to sessions by the client random from the ClientHello, so a session whose handshake was not captured cannot be decrypted.
- From the same terminal window, run your script:
python my_script.py
- Perform the actions in your script that generate network traffic.
- Stop the capture in Wireshark.
Step 3: Analysis
- In Wireshark’s filter bar, type ‘http’ or ‘http2’ (or ‘ip.addr == X.X.X.X’).
- Instead of ‘TLS Application Data’ packets, you will see decrypted traffic (e.g., ‘HTTP: GET /path…’). If packets still show only ‘Application Data’, check that the key file exists and is non-empty (the application did not write to it) and that the capture includes the handshake of that session.
- Click a packet to see its full contents in the bottom panel.
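The two places this procedure usually fails are the application not writing the key log at all (a library that builds its own SSLContext instead of calling ssl.create_default_context() ignores SSLKEYLOGFILE) and a key log that is present but incomplete for the session you care about. The following is an added example, not part of the original guide: make_context() shows how a Python script can point its own SSLContext at the key log explicitly, and parse_keylog() / decryptable_sessions() check a key log file in the NSS format Wireshark reads and report which sessions can actually be decrypted. SAMPLE_KEYLOG and KEYLOG_DEMO_PATH are constructed for illustration; the hex values are not from a real session.

```python
"""Sanity-check an SSLKEYLOGFILE before handing it to Wireshark (added example)."""
import os
import re
import ssl
import tempfile
from collections import defaultdict

# Labels of the NSS key log format that Wireshark understands.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS13_LABELS = TLS13_APP_LABELS | {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "EARLY_EXPORTER_SECRET",
    "EXPORTER_SECRET",
}
HEX = re.compile(r"^[0-9a-fA-F]+$")

# Hypothetical path used only for the demo; on Windows you would use the
# same path you entered in Wireshark, e.g. C:\temp\ssl_keys.txt.
KEYLOG_DEMO_PATH = os.path.join(tempfile.gettempdir(), "ssl_keys_demo.txt")


def make_context(keylog_path):
    """Client SSLContext that logs secrets to keylog_path.

    ssl.create_default_context() already honours SSLKEYLOGFILE on Python 3.8+
    (OpenSSL 1.1.1+); setting keylog_filename explicitly covers scripts or
    libraries that construct the context themselves and never see the variable.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.keylog_filename = keylog_path
    except AttributeError:
        raise RuntimeError("this Python/OpenSSL build has no key logging support")
    return ctx


def parse_keylog(text):
    """Parse key log text into {client_random: {label: secret}} plus bad lines."""
    sessions = defaultdict(dict)
    bad = []  # (line number, reason)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # Wireshark skips comments too
            continue
        parts = line.split()
        if len(parts) != 3:
            bad.append((lineno, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if len(client_random) != 64 or not HEX.match(client_random):
            bad.append((lineno, "client_random must be 32 bytes of hex"))
            continue
        if not HEX.match(secret) or len(secret) % 2:
            bad.append((lineno, "secret is not hex"))
            continue
        if label == TLS12_LABEL and len(secret) != 96:  # 48-byte master secret
            bad.append((lineno, "TLS 1.2 master secret must be 48 bytes"))
            continue
        if label in TLS13_LABELS and len(secret) not in (64, 96):  # SHA-256/384 suites
            bad.append((lineno, "TLS 1.3 secret must be 32 or 48 bytes"))
            continue
        if label != TLS12_LABEL and label not in TLS13_LABELS:
            bad.append((lineno, "unknown label " + label))
            continue
        sessions[client_random][label] = secret
    return dict(sessions), bad


def decryptable_sessions(sessions):
    """Client randoms whose application data Wireshark can decrypt.

    TLS 1.2 needs the CLIENT_RANDOM line; TLS 1.3 needs both *_TRAFFIC_SECRET_0
    lines. Handshake secrets alone decrypt only the encrypted handshake, not
    the HTTP payload, which is what an interrupted capture typically leaves.
    """
    return [cr for cr, labels in sessions.items()
            if TLS12_LABEL in labels or TLS13_APP_LABELS <= labels.keys()]


# Constructed sample: one TLS 1.2 session, one complete TLS 1.3 session, one
# TLS 1.3 session that only got as far as the handshake secrets, one bad line.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not a real key log",
    "CLIENT_RANDOM " + "11" * 32 + " " + "a1" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "b2" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "c3" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "d4" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "e5" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "f6" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "07" * 32,
    "CLIENT_RANDOM deadbeef notahexsecret",
])


if __name__ == "__main__":
    # Check the real key log if SSLKEYLOGFILE is set, otherwise the sample.
    path = os.environ.get("SSLKEYLOGFILE")
    text = open(path).read() if path and os.path.exists(path) else SAMPLE_KEYLOG
    found, problems = parse_keylog(text)
    print("sessions:", len(found), "decryptable:", len(decryptable_sessions(found)))
    for lineno, reason in problems:
        print("line %d: %s" % (lineno, reason))
```

Run it from the same terminal in which SSLKEYLOGFILE is set, after your script has finished, to see how many sessions Wireshark will be able to decrypt before you open the capture.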
Step 4: Restoring State (Cleanup)
- Close the terminal window. This automatically removes the SSLKEYLOGFILE variable.
- In Wireshark (‘Preferences -> Protocols -> TLS’), clear the ‘(Pre)-Master-Secret log filename’ field.
- Delete the key file (e.g., C:\temp\ssl_keys.txt). Anyone who obtains this file together with the capture can decrypt the recorded sessions, so treat it and the capture file as sensitive.