
Breaking this into "TLS keys" and "how to follow".
TLS background info: Sharkfest '19

09: Debugging TLS issues with Wireshark by Peter Wu / Presentation Video (1:10:44)

Peter's slides are available here: Debugging TLS issues with Wireshark.

Also check the Wireshark wiki page for TLS, in particular the sections "Embedding decryption secrets in a pcapng file" and "Preference Settings" (hint: tls.keylog_file).

The tshark man page documents the follow option:

-z follow,prot,mode,filter[,range]
Displays the contents of a TCP or UDP stream between two nodes. The data sent by the second node is prefixed with a tab to differentiate it from the data sent by the first node.

prot specifies the transport protocol. It can be one of:

tcp   TCP
udp   UDP
tls   TLS or SSL
http  HTTP streams
http2 HTTP/2 streams
quic  QUIC streams
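
Combining the two parts above (a key log file supplied through tls.keylog_file, then `-z follow` with `tls` as the protocol), as an added example that is not part of the original answer or of the tshark documentation. The file names are placeholders, `TSHARK` is a hypothetical override variable used only by this script, and the check assumes the NSS key log line format (label, 64-hex-digit client random, hex secret).

```shell
#!/bin/sh
# Added example: file names are placeholders; TSHARK is a hypothetical
# override variable for this script, not a tshark setting.

# Count lines in an NSS key log file that tshark could use: a known label,
# a 32-byte client random (64 hex digits) and a hex-encoded secret.
count_keylog_secrets() {
    [ -r "$1" ] || { echo 0; return 0; }
    labels='CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|EXPORTER_SECRET'
    labels="$labels|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET"
    labels="$labels|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0"
    awk -v re="^($labels)\$" '
        NF == 3 && $1 ~ re && length($2) == 64 &&
        ($2 $3) !~ /[^0-9A-Fa-f]/ { n++ }
        END { print n + 0 }' "$1"
}

# Follow one TLS stream as decrypted ASCII.
# $1 = capture file, $2 = key log file, $3 = stream index (default 0)
follow_tls() {
    capture=$1; keylog=$2; stream=${3:-0}
    if [ "$(count_keylog_secrets "$keylog")" -eq 0 ]; then
        echo "no usable secrets in $keylog, nothing can be decrypted" >&2
        return 1
    fi
    # -o sets the tls.keylog_file preference for this run only;
    # -q suppresses the per-packet listing so only the stream is printed.
    "${TSHARK:-tshark}" -r "$capture" -o "tls.keylog_file:$keylog" \
        -q -z "follow,tls,ascii,$stream"
}

# Usage: sh follow_tls.sh capture.pcapng sslkeys.log [stream]
if [ "$#" -ge 2 ]; then
    follow_tls "$@"
fi
```

A non-zero count only means the file is well-formed; the secrets still have to belong to the sessions in the capture for the followed stream to show plaintext.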