TLS Decryption in Wireshark

Hey packet gang!

Encryption. We see more and more of it in our packet traces. What used to be open, clear-text, and easily readable is now locked down, secure, and tough to troubleshoot. Hey that is a GREAT thing for security and ensuring that data is protected when it is in motion.

Until something breaks.

Troubleshooting encrypted data streams is very difficult, especially if the problem is not a network or transport layer issue. Even measuring application response is difficult because we cannot always confidently map a client request to a server reply unless we decrypt the session. This is especially true with HTTP/2 where multiple parallel streams are supported within one TCP connection.

So how can we capture the TLS session keys, feed them to Wireshark and decrypt traffic? In this video we will talk about how to do it. Be sure to download the packet capture and keylog files here so you can follow along.

Enjoy!

Chris Greer is a packet analyst for Packet Pioneer. You can contact him here if you have any questions or comments about this content, or other topics around troubleshooting and packet capture.