Wireshark UI - No Decrypted Data but Shown in JSON
Hi All,
This is purely for my own education. I've used Wireshark on and off, and this one is a bit of a new scenario for me. I've been using Wireshark to troubleshoot some WebRTC use cases with a WebSocket signalling channel. Today I came across something I hadn't seen before and wondered whether it is normal and, if so, why.
I set up my SSL KeyLog file and configured Wireshark to point to it. I launched Chrome and, voilà, I could see my TLS traffic as I expected.
However, as I was doing my work, I noticed that some frames do not show the decrypted TLS data; I largely understand that we can't decrypt all flows. Today, however, I happened to export my packets to a JSON file, and in the JSON file the decrypted TLS data exists!
This got me thinking: has this always been the case, and I just didn't know?
Screenshot from Wireshark UI:
Output from JSON:
{
"_index": "packets-2024-12-27",
"_type": "doc",
"_score": null,
"_source": {
"layers": {
"frame": {
"frame.section_number": "1",
"frame.interface_id": "0",
"frame.interface_id_tree": {
"frame.interface_name": "eno1"
},
"frame.encap_type": "1",
"frame.time": "Dec 27, 2024 11:11:16.589017784 EST",
"frame.time_utc": "Dec 27, 2024 16:11:16.589017784 UTC",
"frame.time_epoch": "1735315876.589017784",
"frame.offset_shift": "0.000000000",
"frame.time_delta": "0.001755706",
"frame.time_delta_displayed": "0.001755706",
"frame.time_relative": "385.975212198",
"frame.number": "3777",
"frame.len": "787",
"frame.cap_len": "787",
"frame.marked": "0",
"frame.ignored": "0",
"frame.protocols": "eth:ethertype:ip:tcp:tls:http:websocket:data-text-lines",
"frame.coloring_rule.name": "TCP",
"frame.coloring_rule.string": "tcp"
},
"eth": {
"eth.dst": "00:23:24:9d:49:1b",
"eth.dst_tree": {
"eth.dst_resolved": "GProComputer_9d:49:1b",
"eth.dst.oui": "8996",
"eth.dst.oui_resolved": "G-Pro Computer",
"eth.dst.lg": "0",
"eth.dst.ig": "0",
"eth.addr": "00:23:24:9d:49:1b",
"eth.addr_resolved": "GProComputer_9d:49:1b",
"eth.addr.oui": "8996",
"eth.addr.oui_resolved": "G-Pro Computer",
"eth.lg": "0",
"eth.ig": "0"
},
"eth.src": "64:97:14:01:32:92",
"eth.src_tree": {
"eth.src_resolved": "eero_01:32:92",
"eth.src.oui": "6592276",
"eth.src.oui_resolved": "eero inc.",
"eth.src.lg": "0",
"eth.src.ig": "0",
"eth.addr": "64:97:14:01:32:92",
"eth.addr_resolved": "eero_01:32:92",
"eth.addr.oui": "6592276",
"eth.addr.oui_resolved": "eero inc.",
"eth.lg": "0",
"eth.ig": "0"
},
"eth.type": "0x0800",
"eth.stream": "0"
},
"ip": {
"ip.version": "4",
"ip.hdr_len": "20",
"ip.dsfield": "0x00",
"ip.dsfield_tree": {
"ip.dsfield.dscp": "0",
"ip.dsfield.ecn": "0"
},
"ip.len": "773",
"ip.id": "0x92e0",
"ip.flags": "0x02",
"ip.flags_tree": {
"ip.flags.rb": "0",
"ip.flags.df": "1",
"ip.flags.mf": "0"
},
"ip.frag_offset": "0",
"ip.ttl": "244",
"ip.proto": "6",
"ip.checksum": "0x36c6",
"ip.checksum.status": "2",
"ip.src": "3.81.241.8",
"ip.addr": "3.81.241.8",
"ip.src_host": "3.81.241.8",
"ip.host": "3.81.241.8",
"ip.dst": "192.168.5.74",
"ip.addr": "192.168.5.74",
"ip.dst_host": "192.168.5.74",
"ip.host": "192.168.5.74",
"ip.geoip.src_summary": "Ashburn, US",
"ip.geoip.src_summary_tree ...