Wireshark doesn't decrypt secure websocket

asked 2019-08-02 13:12:02 +0000

leandre gravatar image

I have an application that uses secure websocket (wss), and i want to record a session, using Wireshark.

I know the fact that Wireshark display wss as TLSv1.3 (or 1.2), and i'm using sslkeylogfile with chromium to decode packets. My keylogfile is not empty, so chromium is using it. I have configured Wireshark to use that file for decoding (Preferences->SSL->(Pre)-Master-Secret).

In a past experience, I had a capture decoded and I was able to see websockets. But now, the only thing i can see is TLSv1.3 with a decrypted SSL part on the bottom, but not websocket. Was there a change on Wireshark ?

edit retag flag offensive close merge delete


I confirm that there is no obvious way to see websocket traffic in Version 3.2.0 (v3.2.0-0-ge0ed4cfa3d72) . The protocol column does not show "Websocket" (as it does without TLS) but only TLSv1.2. In the bottom tab "Decrypted TLS" one can see the clear text data from server to client, but data from client to server is XORed and therefore not possible to read. I'm new to this forum, don't have 60 points, therefore I can't attach a screenshot.

Michael Enke gravatar imageMichael Enke ( 2019-12-19 14:51:45 +0000 )edit

@Michael Enke@leandre : I'm facing an issue where TLS traffic with http protocol is displayed properly in DecryptedTls window. Whereas Websocket messages especially from the frames from client with MASK bit set is not displayed correctly in DecryptedTls window only for websocket protocol.

technogeek12 gravatar imagetechnogeek12 ( 2020-11-23 08:17:37 +0000 )edit