Wireshark shows decrypted SSL contents as SSL instead of cleartext


Article ID: 168759


Updated On:


SSL Visibility Appliance Software


Decrypted SSL traffic is sent to the Copy Port. You have Wireshark running to perform packet captures on the Copy Port. However, Wireshark identifies the captured traffic as being SSL.


By default, Wireshark decodes traffic on TCP-443 as SSL.


When viewing decrypted SSL flows, TCP-443 should be decoded as HTTP. To do this :

1. Select a packet that has TCP-443 as the Source Port or Destination Port.
2. Right click and choose Decode As.
3. On the Transport tab, select Port 443 from the drop-down box, regardless of whether it is Source or Destination.
4. In the right column, choose HTTP from the list.
5. Click OK.

Alternatively, if you select a decrypted packet on Wireshark, right-click, and choose Follow TCP Stream, you will be able to see the contents in cleartext.