I need to decrypt outgoing traffic that my browser sends to server. I read that I can use Google Chrome browser which will generate all that SSL data stuff and I just would set path to this file in WireShark preferences. I've done it but there's no pane "Decrypted SSL data". My file contains strings like: 1) RSA a50214f50efc0ce0 03038488ef47796daeb5b9d1b849e90852ad3ae03aec71576e34b6517bf1e8914624e819aa31f1e97eaf6b82fe6fe1d3 2) CLIENT_RANDOM 05207c73974878df11a3d00dbfb932036fea9458fc638f92c6cd254409f2e3da 7729dcf9d4da029633bbe7da02302110f8cbe6c211e293c378e7a031e73020fbc8c9a236e07196ead5e10004e21acc26 Is this format correct? Should I change something to make decryption work? Also there was line in a guide I read that it will work only when you have specific Cipher Suite. In my case it is Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f). Will this method work for me? Thanks in advance!
asked 01 Aug '15, 10:19
I followed the instructions from this guy's site --> jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/ and was able to find some packets that would decrypt. What I have found (and its not really much help to you) is that not every frame or packet will be decrypted. If you want to see if yours is working try opening the page I show above using https. Then start a fresh capture with wireshark, and refresh the page above. and then scroll through the frames until you see the tab you are looking for using a display filter of "ssl && tcp".
answered 02 Aug '15, 20:10