If the search is done over HTTP, without TLS, there's probably nothing to decrypt; you just get the URL they sent, from which, with a little work, you can determine what's being searched for. For example, if you do a search for

breaking tls

the URL will be something such as https://www.google.com/search?q=breaking+tls, and if you do a search for

"breaking tls"

the URL will be something such as https://www.google.com/search?q=%22breaking+tls%22.

If the search is done over HTTP-over-TLS, which it probably will be, then it's not "decrypting Google search", it's "decrypting SSL/TLS" (which is used by more browsers than just Google Chrome - it was invented before Google Chrome even existed!), and the Wireshark support for that is described on the SSL page in the Wireshark Wiki. That requires that you supply some additional information, which might be possible to get in order to decrypt SSL/TLS sessions from a machine you control, but will probably be very difficult if not impossible to get for SSL/TLS sessions from a machine that you don't control.
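The plaintext case from the first paragraph, as an added example that is not part of the original answer: it takes the bytes of an unencrypted HTTP request, as they would appear in a capture, and recovers the host and the decoded search string. The function name `search_terms` and the sample request are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: an unencrypted HTTP request as seen in a packet capture.
SAMPLE_REQUEST = (
    b"GET /search?q=%22breaking+tls%22&hl=en HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"User-Agent: example\r\n"
    b"\r\n"
)


def search_terms(raw_request: bytes, param: str = "q"):
    """Return (host, [decoded values of `param`]) from a plaintext HTTP request.

    `search_terms` is a hypothetical helper name, not a Wireshark API.
    """
    # Keep only the header section; latin-1 maps every byte, so this never fails.
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")

    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line")
    target = urlsplit(parts[1])

    # Prefer the Host header; fall back to an absolute-form target (proxy requests).
    host = target.netloc or None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break

    # parse_qs turns '+' into a space and decodes %XX escapes;
    # errors="replace" keeps malformed UTF-8 from raising.
    values = parse_qs(target.query, keep_blank_values=True, errors="replace")
    return host, values.get(param, [])


if __name__ == "__main__":
    print(search_terms(SAMPLE_REQUEST))
```

With TLS in use, none of these bytes are visible on the wire, so the same function only applies after the session has been decrypted.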