How to Decrypt SSL with Wireshark

Learning how to decrypt SSL with Wireshark is important if you want to keep an eye on the data that is passing back and forth between the clients, servers, and other connected devices on your network.

Tracking these packets can, for example, feed your investigation when you are troubleshooting performance issues on your network.

In this post, we will see how you can efficiently use Wireshark to decrypt SSL data to gain insight into secure packets to see if they hold malicious payloads.

What is Wireshark?

Wireshark is a popular packet and protocol analysis tool that allows administrators to examine the contents of any data packet that exists on a network.

Wireshark is a free and open-source tool that scales easily – it can be used on single connections as well as on large networks. Meanwhile, it has a tiny digital footprint that doesn’t add any burden to the network or contribute to deterioration in endpoint performance.

Remember, though, that Wireshark isn’t a Network Intrusion Detection System (NIDS) and can’t be used to warn administrators about suspicious or malicious activities. It can, however, be used to investigate them.

It also does not interfere with the packets on the network; it only captures and inspects them.

Some Features of Wireshark

Let’s have a look at some of Wireshark’s features:

  • It is available for UNIX and Windows operating systems (but we will be having a look at the Windows version only in this post).
  • Wireshark can capture live packet data from various network interfaces and on networks that include LAN, Wi-Fi, Bluetooth, and USB connections.
  • It can import packets from text files that contain hex dumps of packet data; users can also save or export captured data packets to several formats for offline analysis.
  • An easy-to-use user interface that displays packets with detailed protocol information and offers packet search, coloring by packet type, and filtering based on many criteria.

What is SSL Encryption?

One way traffic on networks is secured is with the help of the Secure Sockets Layer protocol (SSL). This protocol sits on the application layer (Layer 7) of the OSI model and helps reduce the chances of breaches – unless cybercriminals take explicit steps to work around the SSL encryption.

SSL provides security to the data that is transferred between web browsers and host or target servers. It encrypts the link to ensure that all data passed between them remains private and protected from attacks.

What is SSL Decryption?

Organizations must decrypt their SSL traffic to examine the contents of incoming data packets when trying to stop malware and other threats from sneaking into their networks. This process of decrypting the encrypted data packets is known as SSL decryption or SSL Visibility.

The process of SSL decryption involves routing data packets to various inspection tools that examine the packets for threats. The routing criteria can be set or configured on the tools – like Wireshark – that are available in the infrastructure.

Some Real-Life Applications of Wireshark

By now, you’re probably wondering how Wireshark is used in real-life scenarios. Well, network administrators and cybersecurity professionals often use the tool to trace connections, view the contents of suspect network transactions, and identify the causes and characteristics of surges in network traffic.

But, there’s more:

  • Network administrators use it to troubleshoot latency, bottlenecks, or packet drops on their networks
  • Network security engineers use it to examine packets to identify or prevent security problems
  • QA engineers use it to verify network applications as well as check to see if the network transmits data at optimal rates
  • Developers use it to debug protocol implementations to see if all packets get through and, if not, why this is so
  • Everyday people use it to learn network protocol internals by “dissecting” data packets to have a look inside

As we can see, Wireshark is an indispensable tool when it comes to investigating data packets – regardless of who is using it.

How to Decrypt SSL with Wireshark

Ok; it’s now time to look into how to decrypt SSL with Wireshark. Here is how to go about it:

Create an Environment Variable – Windows

A key aspect of the SSL protocol is the secret key that is shared between a client and server whenever a secure connection is established. The secret key determines how the content of the communication is encrypted.

Now, this key is, by default, stored in temporary memory. But, Windows can be reconfigured to store the key in a text file that you can access when decrypting packet contents.

Here’s how to do it:

  • Go to Windows 10 Settings and click on “Advanced Settings”.
  • When a new window opens, look for a button labeled “Environment Variables” and click on it.
  • Click on the “New” button to create a new environment variable.
  • Use the variable name “SSLKEYLOGFILE” and choose a location where you want to store the log file.

Once you have created the environment variable, click OK and exit from Windows settings. You can check your configuration by navigating to the folder you chose for the log file and checking whether sslkeylogfile.log exists.

Create an Environment Variable – Linux and Mac

If you are using a Linux or Mac machine, you can follow these steps to create an Environment Variable:

  • When it comes to these operating systems, we need to use nano Text Editor – a WYSIWYG command-line text editor – when setting the SSLKEYLOGFILE environment variable.
  • In Linux, the variable is stored in ~/.bashrc, while on a Mac it should be stored in the file ~/.MacOSX/environment.

In Linux, open a terminal and type:

nano ~/.bashrc

In Mac OSX, run Launchpad, click “Other,” and launch a terminal to run:

nano ~/.bash_profile

The next steps apply to both of the operating systems.

At the end of the file, add the following:

export SSLKEYLOGFILE=~/.ssl-key.log

Press Ctrl+X, Y to save your changes.

Next, close the terminal window and open another one to set the variable.

Type the following command to confirm your settings are correct:

echo $SSLKEYLOGFILE

When you run the command you should see the full path to your SSL key log file.

Once you have confirmed it, make sure you copy the full path to be entered in the Wireshark configuration that we will be looking at next.

Configure Wireshark

Next, it is time to download and install Wireshark, if you haven’t done so already.

To configure Wireshark, you need to:

  • Open Wireshark and navigate to “Edit” and then to “Preferences”.
  • In the “Preferences” window, look for SSL on the left-hand pane and click on it.
  • On the corresponding right-hand pane, set the “(Pre)-Master-Secret log filename” to the location you created earlier to store your log file.

And, that’s it – you are now all set to start using Wireshark.

Testing your Wireshark Installation

Let’s go ahead and see if it all works as expected:

  • First, open your browser and go to a secure website – one that uses HTTPS in its URL. A good example would be your Facebook page.
  • Next, open Wireshark and navigate to “Capture” and click on “Start”.
  • You will see that it immediately starts capturing data packets and shows you details of the information contained in them.
  • You can click on “Stop” to halt the data capturing.
  • Select any data packet and right-click on it. Then select “Follow” and “SSL Stream”. This opens a new window where you will see the header and contents of the data packet. The information they contain has been decrypted for you and is human-readable.
  • Of course, if you visit a website that doesn’t have an SSL certificate, Wireshark will automatically display the header in the middle pane and the contents of the packet in the lowest pane – because no decryption is required when no encryption has been implemented. This should in fact show you how important it is to use SSL on your websites.
  • If you go and open the log file you created earlier, you will also see rows of encryption keys that Wireshark used to decrypt the data packets.
  • In case you are visiting more than one website (on separate tabs, for example), you can filter the data packets using IP addresses if you want to keep an eye on information about a particular website.

And there you have it – you can now send the log data to a central logging mechanism for further analysis or pipeline it to a monitoring platform that can send alerts and notifications if the decrypted content matches flagged patterns.
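
The key log file created in the environment-variable steps, whose rows are mentioned in the list above, holds the session secrets that decrypt captured traffic. The shell functions below are an added example, not part of the original article: they create the file with owner-only permissions and summarise its entries, assuming the NSS key log line format; the function names and sample entries are constructed for illustration.

```shell
# Added example (not from the original article). Assumes the NSS key log format:
#   <LABEL> <hex client random> <hex secret>     ('#' starts a comment line)

# Create the key log file up front with mode 600, so the TLS client appends
# to a file only its owner can read (the secrets in it decrypt captured traffic).
keylog_init() {
    ( umask 077 && : >> "$1" ) && chmod 600 "$1"
}

# Succeed only if group and others have no access to the file.
keylog_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 2
    case "$mode" in ?00) return 0 ;; *) return 1 ;; esac
}

# Print "<LABEL> <count>" for each label seen, then "MALFORMED <count>".
keylog_summary() {
    awk '
        /^#/ || NF == 0 { next }
        {
            ok = (NF == 3 && $1 ~ /^[A-Z0-9_]+$/ && $2 ~ /^[0-9A-Fa-f]+$/ && $3 ~ /^[0-9A-Fa-f]+$/)
            # Every label except legacy RSA carries the 32-byte client random (64 hex chars).
            if (ok && $1 != "RSA" && length($2) != 64) ok = 0
            if (ok) n[$1]++; else bad++
        }
        END { for (l in n) print l, n[l]; print "MALFORMED", bad + 0 }
    ' "$1"
}

# Write constructed sample entries (all-zero placeholders, not real secrets).
keylog_sample() {
    {
        echo '# constructed sample, not a real key log'
        printf 'CLIENT_RANDOM %064d %096d\n' 0 0
        printf 'CLIENT_RANDOM %064d %096d\n' 0 0
        printf 'SERVER_TRAFFIC_SECRET_0 %064d %064d\n' 0 0
        echo 'CLIENT_RANDOM truncated-line'
    } >> "$1"
}

# Stand-alone run: build a sample in a temp dir and report on it.
demo() {
    d=$(mktemp -d) && f="$d/ssl-key.log"
    keylog_init "$f" && keylog_sample "$f"
    keylog_private "$f" && echo "permissions: private"
    keylog_summary "$f"
    rm -rf "$d"
}
demo
```

Run keylog_init on the path held in SSLKEYLOGFILE before starting the browser, and delete the file once the capture has been analysed.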

Reading your Decrypted SSL Packets

Finally, it is time to have a look at what is inside the SSL data packets:

  • In Wireshark, look for a “Server Hello” packet. You will see that it has a description labeled “[SSL Segment of a reassembled PDU]”. Click on the packet, and in the lowest pane, you will notice a few extra tabs.
  • Finally, go to the “Decrypted SSL data” tab and click on it. You will now be able to read the contents of the data packet you’ve chosen.

You will probably have captured a lot of packets. What you should look for are packets related to the TLS-encrypted browsing session. You can do this by first using DNS lookup to find the site’s IP address and then using that address to filter the packets.

As an example, the image below shows a packet from a browsing session on Facebook.

Wireshark - captured data for Facebook

And that’s it; this is how you can decrypt SSL with Wireshark.

SolarWinds Network Performance Monitor (NPM) – the alternative tool

Although Wireshark is a popular tool for decrypting SSL, it isn’t the only one. For those that want an alternative, there is SolarWinds Network Performance Monitor (NPM) which comes with a Deep Packet Inspection and Analysis tool.

Key Features:

  • The Deep Packet Inspection and Analysis tool in SolarWinds NPM is ideal for measuring network response times. It helps determine the time taken by packets to travel across a network path as they go from sender to receiver. It helps to get insights into metrics like application and network response time, traffic volume, and traffic count.
  • Right out of the box, it can monitor metrics for relevant applications like Skype, SQL Server, Facebook, and 1,200 other solutions.
  • This tool automatically classifies network traffic according to category and identifies the associated risk level. The categories include destination server IP addresses, ports used, and measurement of the total and relative volumes of traffic for each type. The feedback can then be used to identify exorbitant levels of non-business traffic that may need to be filtered or eliminated.
  • An important feature is that it helps administrators to go beyond the limited capabilities of programs like Wireshark and achieve a full view across all network interfaces.
  • NPM pulls actual metadata – and not simulated estimates like most analyzers – from sensors across both physical and virtual servers to provide real-time assessments of current end-user impact that is displayed on a dashboard that also gives in-depth insights that can be filtered or converted into reports.
  • The tool integrates with NPM’s automated alert feature to send out updates on issues that may occur as it polls the network every five minutes – or depending on deep packet inspection (DPI) settings for troubleshooting mission-critical assets only.
  • It offers multi-vendor network monitoring and network insights for deeper visibility that are then plotted on intelligent maps for easier display of the network and hotspots that can be drilled into for further in-depth analysis.
  • NPM is a highly scalable tool that can be configured to monitor networks of any size – small to large corporate networks. It is also easy to use as the user interface doesn’t require much time to master and the solution as a whole has a low learning curve.

You Know How to Decrypt SSL with Wireshark

You have learned how to decrypt SSL with Wireshark. You can make sure you have a secure network, with the help of Wireshark or the alternative, SolarWinds Network Performance Monitor (NPM) with Deep Packet Inspection and Analysis.

Using either of the tools allows you to inspect all the packets that are moving around the network. Wireshark can help administrators of small-to-medium business networks while SolarWinds NPM with Deep Packet Inspection and Analysis is an ideal solution for larger corporate networks.
