1 | initial version |
TShark reads a SSLKEYLOGFILE to decrypt the traffic. It does not create it. Only the endpoints of a TLS connection can do that.
As noted in the documentation:
The key log file is a text file generated by applications such as Firefox, Chrome and curl when the SSLKEYLOGFILE environment variable is set. To be precise, their underlying library (NSS, OpenSSL or boringssl) writes the required per-session secrets to a file. This file can subsequently be configured in Wireshark (Using the (Pre)-Master Secret).
So you need to set up the client (browser) or server to log the session keys.
The option tls.debug_file
specifies the debug log file. That file is (over)written with log entires.
2 | No.2 Revision |
TShark reads a SSLKEYLOGFILE to decrypt the traffic. It does not create it. Only the endpoints of a TLS connection can do that.
As noted in the documentation:
The key log file is a text file generated by applications such as Firefox, Chrome and curl when the SSLKEYLOGFILE environment variable is set. To be precise, their underlying library (NSS, OpenSSL or boringssl) writes the required per-session secrets to a file. This file can subsequently be configured in Wireshark (Using the (Pre)-Master Secret).
So you need to set up the client (browser) or server to log the session keys.
The option tls.debug_file
specifies the debug log file. That file is is (over)written with log entires. entries.