Taking the jaws to SSL with Wireshark

In debugging a recent API problem, we ran into a situation where high-level debugging just didn’t cut it – we needed to look at raw traffic. So we fired up tcpdump and Wireshark, then ran out for coffee while the packets collected. We came back to find that while tcpdump had collected a couple megabytes of traffic, it was SSL encrypted! Oops… this customer was using HTTPS, not plain HTTP.

Not to fear! Our good friend Wireshark had us covered. SSL traffic is a breeze when you have both the server's RSA private key and a tool that can use it to decrypt the packets. Configuring Wireshark to decrypt the SSL streams is pretty straightforward:

  1. Load up the packet capture in Wireshark.
  2. Obtain the web server's RSA private key. Make sure it's in PEM format and not passphrase-protected (decrypt it first with openssl rsa if it is).
  3. In Wireshark, go to Edit->Preferences->Protocols->SSL
  4. Add an entry to the RSA keys list. Entries in this list are semicolon (;) separated, and are formatted as follows:
     An entry: <ip address>,<port>,<unencrypted protocol>,<path to RSA key>
     For example: 192.168.1.34,443,http,/home/simo/mywebsite.key
  5. Click OK.

*poof* Everything that Wireshark is able to decrypt using the key and parameters you provided is now presented alongside its unencrypted counterpart. Pretty nifty, huh? For more information, you can check out the docs.

One caveat before you go hunting for the key: this only works for sessions that negotiated a static RSA key exchange (the TLS_RSA_* cipher suites), where the client encrypts the premaster secret to the server's public key and the private key can therefore recover it. Sessions negotiated with a DHE or ECDHE suite (and all of TLS 1.3) derive their keys from ephemeral values, so the server's private key is useless for those; you need the session secrets from one of the endpoints instead (Wireshark reads the SSLKEYLOGFILE format via the "(Pre)-Master-Secret log filename" preference). Also note that in current Wireshark releases the protocol preferences live under Protocols->TLS rather than SSL, and the key list has moved to its own Edit->Preferences->RSA Keys dialog.
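Before fetching a customer's private key, it is worth checking the capture to see whether the handshake used RSA key exchange at all. The following script, added here as an example and not part of the original post, parses the TLS records of a server-to-client TCP payload, reassembles the handshake messages across record boundaries, pulls the negotiated cipher suite out of the ServerHello and reports whether the server's RSA key will decrypt the session. The cipher-suite table is a small subset of the IANA registry, and the sample byte strings are constructed inline (they are not taken from a real capture); in practice you would feed it the bytes of the server side of the stream, for example exported from Wireshark via Follow TCP Stream.

```python
"""Check whether a captured SSL/TLS handshake can be decrypted with the
server's RSA private key, by inspecting the cipher suite in the ServerHello."""
import struct

# Subset of the IANA cipher suite registry (IDs -> names). Extend as needed.
CIPHER_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}

HANDSHAKE = 0x16          # TLS record content type
SERVER_HELLO = 2          # handshake message type
EXT_SUPPORTED_VERSIONS = 43


def iter_handshake_messages(stream: bytes):
    """Yield (msg_type, body) for every handshake message in a TCP payload.
    Handshake bytes are concatenated across records first, so a message that
    spans two TLS records is still parsed correctly."""
    hs = bytearray()
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        off += 5
        if ctype == HANDSHAKE:
            hs += stream[off:off + length]
        off += length
    pos = 0
    while pos + 4 <= len(hs):
        mtype = hs[pos]
        mlen = int.from_bytes(hs[pos + 1:pos + 4], "big")
        body = bytes(hs[pos + 4:pos + 4 + mlen])
        if len(body) < mlen:
            break  # truncated capture; stop rather than mis-parse
        yield mtype, body
        pos += 4 + mlen


def parse_server_hello(body: bytes) -> dict:
    """Extract the protocol version, cipher suite and a TLS 1.3 flag from a
    ServerHello body (version, random, session id, suite, compression, exts)."""
    version = struct.unpack("!H", body[:2])[0]
    sid_len = body[34]                     # 2 (version) + 32 (random)
    p = 35 + sid_len
    suite = struct.unpack("!H", body[p:p + 2])[0]
    p += 3                                 # cipher suite + compression method
    tls13 = (suite >> 8) == 0x13           # 0x13xx suites exist only in TLS 1.3
    if p + 2 <= len(body):                 # extensions are optional
        ext_len = struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            edata = body[p + 4:p + 4 + elen]
            if etype == EXT_SUPPORTED_VERSIONS and edata == b"\x03\x04":
                tls13 = True
            p += 4 + elen
    return {"version": version, "cipher_suite": suite, "tls13": tls13}


def decryptable_with_rsa_key(stream: bytes):
    """Return (verdict, suite_name). verdict is True when the session used
    static RSA key exchange, False when it is forward secret, None when the
    suite is not in our table."""
    for mtype, body in iter_handshake_messages(stream):
        if mtype != SERVER_HELLO:
            continue
        info = parse_server_hello(body)
        name = CIPHER_SUITES.get(info["cipher_suite"], "unknown_%04x" % info["cipher_suite"])
        if info["tls13"]:
            return False, name             # TLS 1.3 is always (EC)DHE
        if name.startswith("unknown_"):
            return None, name
        return name.startswith("TLS_RSA_"), name
    raise ValueError("no ServerHello found in stream")


def build_server_hello(suite: int, extensions: bytes = b"") -> bytes:
    """Constructed sample ServerHello record (zero random, empty session id)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


# Constructed sample streams (not from a real capture).
_rsa_rec = build_server_hello(0x002F)
_rsa_hs = _rsa_rec[5:]
SAMPLE_STREAMS = {
    "rsa": _rsa_rec + b"\x16\x03\x03\x00\x04\x0e\x00\x00\x00",   # + ServerHelloDone
    # Same ServerHello split across two TLS records, to exercise reassembly.
    "rsa_split": (b"\x16\x03\x03" + struct.pack("!H", 20) + _rsa_hs[:20]
                  + b"\x16\x03\x03" + struct.pack("!H", len(_rsa_hs) - 20) + _rsa_hs[20:]),
    "ecdhe": build_server_hello(0xC02F),
    "tls13": build_server_hello(0x1301, b"\x00\x2b\x00\x02\x03\x04"),  # supported_versions = 1.3
}

if __name__ == "__main__":
    for label, data in SAMPLE_STREAMS.items():
        print(label, decryptable_with_rsa_key(data))
```

A verdict of False means the RSA key in the keys list will not help no matter how it is configured; go get the session secrets from the client or server instead.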

This entry was posted in Miscellaneous.
