EddiG/wireshark.md

Last active November 8, 2024 14:45

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/EddiG/dc852072c7ba367149b2f6c98fb540b3.js"></script>
Save EddiG/dc852072c7ba367149b2f6c98fb540b3 to your computer and use it in GitHub Desktop.

How to decrypt SSL/TLS traffic in Wireshark on MacOS

Raw

The main point is to save the SSL/TLS keys those used by the web browser (SSLKEYLOGFILE=/tmp/tmp-google/.ssl-key.log).
In the example below we run brand new instance of Google Chrome (--user-data-dir=/tmp/tmp-google do the trick):
SSLKEYLOGFILE=/tmp/tmp-google/.ssl-key.log /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --user-data-dir=/tmp/tmp-google
Then run the Wireshark and open the Preferences -> Protocols -> SSL, where we put the path to the SSL keys log file into the (Pre)-Master-Secret log filename field.
Now all SSL/TLS traffic from this browser instance will be decrypted.

jerrymannel commented Jun 8, 2021

This was a lifesaver. Thanks.

-J

sirupsen commented Jul 9, 2021

Thanks for this :) If you're using CURL you can pass the exact same environment variable.

More here: https://everything.curl.dev/usingcurl/tls/sslkeylogfile

felixhammerl commented Oct 12, 2021

If you want this permanent, for the entire OS, here's how: https://gist.github.com/felixhammerl/61e096924af34e91b43a930f36d3e1f9

savenas commented Dec 11, 2021

Update: Then run the Wireshark and open the Preferences -> Protocols -> TLS, where we put the path to the SSL keys log file into the (Pre)-Master-Secret log filename field.

kat47 commented Mar 31, 2024

This works. Thanks @EddiG