Decrypt TLS sessions using Wireshark
search cancel

Decrypt TLS sessions using Wireshark


Article ID: 173402


Updated On:


ProxySG Software - SGOS Cloud Secure Web Gateway - Cloud SWG


You would like to decrypt TLS sessions in Wireshark to inspect the tunneled protocols. For scenarios with a forward proxy deployment, the technique described here can provide decrypted SSL packet capture between the client and proxy.


Applications like Mozilla Firefox and Google Chrome support symmetric session key logging to a file. Wireshark has the functionality to read the session keys from this file and use them to decrypt the TLS sessions.

Configuration Steps

  1. In Windows, navigate to Control Panel > System and Security > System then click Advanced System Settings

  2. On the System Properties dialog that appears, click Environment Variables

  3. Click New... to create a new user variable and then fill out the dialog with the variable name SSLKEYLOGFILE and set the value to the file path you would like keys written to, e.g: C:\temp\sslkeylog.log.

  4. Restart the computer
  5. In Wireshark, navigate to Edit and open Preferences

  6. Expand the Protocols menu

  7. If you are using Wireshark 2.9+, navigate to the TLS protocol. If you are using a previous version of Wireshark, navigate to SSL
  8. For (Pre)-Master-Secret log filename, click Browse then select the log file you created for step (3).

  9. You will now notice packets containing the protocol under the TLS layer. In addition, there will be a Decrypted TLS tab at the bottom of the packet bytes view.