Decrypting HTTPS Traffic With Wireshark On Windows

31 October 2012

Or also known as, holy cow Wireshark is crazily obtuse and information dense!

While not properly using Fiddler yesterday and trying to come up with alternatives, I sorted out how to inspect HTTPS traffic and look at the packets with Wireshark; it's actually not too hard, but loading up Wireshark for the first time is extremely daunting.

The basic instructions can be found in this lovely Citrix blogpost; the screenshot is of an older version of Wireshark, but you should be able to figure out the slightly-more-user-friendly-than-just-a-text-field version of the RSA keys list.

What the blogpost doesn't cover is how to get a .pfx file (common in Windows-land) into the PKCS8 RSA format that Wireshark is expecting. A few simple steps:

1) Download the Windows version of OpenSSL here (note the general disclaimer on sanctions relating to exporting cryptography...stuff. I am not liable if you use anything in this post to break any kind of law, anywhere...)

2) Use OpenSSL to convert your pfx to RSA:

  • openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes
  • openssl rsa -in mycert.pem -out newcert.pem

Your newcert.pem file should contain "-----BEGIN RSA PRIVATE KEY-----" if you open it in a text editor.

If you're not entirely sure that you've got Wireshark set up to decrypt your HTTPS traffic correctly, you can take a look at the SSL debug file at the location you specified; the very first line should indicate whether the SSL decryption information was loaded successfully.
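The two conversion steps plus the sanity checks you want before pointing Wireshark at the key, as an added POSIX shell example that is not from the original post; it assumes openssl is on PATH, treats every file name and the password as placeholders, and additionally checks that the key belongs to the server certificate.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the two openssl steps
# above and adds checks. Assumes openssl on PATH; file names are placeholders.

# pfx_to_wireshark_key IN.pfx OUT.pem [PFX_PASSWORD]
# Writes the unencrypted RSA key that Wireshark's RSA keys list loads.
pfx_to_wireshark_key() {
    in_pfx=$1; out_pem=$2; pw=${3:-}
    tmp=$(mktemp) || return 1
    # -nodes: no passphrase on the exported key (Wireshark cannot prompt for one)
    openssl pkcs12 -in "$in_pfx" -out "$tmp" -nodes -passin "pass:$pw" || { rm -f "$tmp"; return 1; }
    # Drop the certificate chain and re-emit only the key. OpenSSL 3 writes the
    # PKCS#8 "BEGIN PRIVATE KEY" header here by default; add -traditional if you
    # want the "BEGIN RSA PRIVATE KEY" header the post says to look for.
    openssl rsa -in "$tmp" -out "$out_pem" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    chmod 600 "$out_pem"   # plaintext private key: permission it like the .pfx
}

# check_wireshark_key KEY.pem : 0 if the file is what Wireshark expects, else 1 with a reason
check_wireshark_key() {
    f=$1
    [ -r "$f" ] || { echo "$f: cannot read file" >&2; return 1; }
    if grep -q -e 'ENCRYPTED' "$f"; then
        echo "$f: key is passphrase-protected; re-run 'openssl pkcs12' with -nodes" >&2; return 1
    fi
    # Either the traditional RSA header or an unencrypted PKCS#8 header is loadable.
    grep -q -e '-----BEGIN RSA PRIVATE KEY-----' -e '-----BEGIN PRIVATE KEY-----' "$f" && return 0
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "$f: holds a certificate but no private key; the 'openssl rsa' step has not run" >&2
    else
        echo "$f: no PRIVATE KEY block found" >&2
    fi
    return 1
}

# key_matches_cert KEY.pem CERT.pem : 0 if the key belongs to the certificate the server presents.
# Wireshark decrypts with this key only for sessions that used that certificate with an
# RSA key-exchange cipher suite; DHE/ECDHE sessions cannot be decrypted from the key alone.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Usage: ./pfx2wireshark.sh mycert.pfx newcert.pem [password]
if [ "$#" -ge 2 ]; then
    pfx_to_wireshark_key "$1" "$2" "${3:-}" && check_wireshark_key "$2"
fi
```

Run `key_matches_cert newcert.pem server.pem` against the certificate you exported or captured from the server when the debug file says the key loaded but nothing decrypts.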

Inspect away!

Tags: HTTPS, PKCS8, pfx, RSA, Wireshark
