
Hi everyone!  Being able to decrypt the encrypted contents of packet captures is very important if you want to troubleshoot anything above Layer 4.  This is even more important today as the network is evolving to QUIC, where everything is encrypted.

Check out these great references as well: 

 Our custom profiles repository for Wireshark
 Our Udemy course on Wireshark 
 Our Udemy course on Wireless Packet capture

You have probably watched my YouTube video on this for Windows, but I often get asked how it is done on macOS or on Linux.  So I thought I would document the process here for all three operating systems.  There are two parts to this process: Part 1 is to set up the operating system, and Part 2 is to configure Wireshark.

First, let's start with the Windows process for logging the SSL session keys.  Keep in mind that this is done on the client side, not the server side.

WINDOWS and FIREFOX or CHROME

To log the SSL session keys on a Windows client, we have to set the SSLKEYLOGFILE environment variable.

Part 1

To do this follow these steps:

  1. Log in to your Windows system
  2. Close any/all Firefox and Chrome browsers
  3. Click on the Windows icon at the bottom left corner of your screen.
  4. Type "env" to open the Environment Variables settings
  5. Click on the "Environment Variables..." button
  6. In the Environment Variables pop-up window, under User variables for {user name}, select "New"
  7. For the Variable name, enter the following name: "SSLKEYLOGFILE" (everything between the quotes)
    For the Variable value, enter the full path of the SSL key log file.  You can click on the Browse Directory or Browse File buttons to navigate to the location you want.
  8. For example: C:\Users\user1\Desktop\sslkeylog.txt
    Note: You must have write access to the location you enter here.

  9. Select "OK"

  10. Reboot your system.  You may want to check that these settings are still in place after the reboot.
  11. Start Wireshark
  12. Start Firefox or Chrome
  13. Open a web site like www.cellstream.com in the web browser.  You will see that the SSL session keys are now being logged in the file you specified in Step 8.  If they are not, go back and repeat the first 8 steps.
  14. You can now stop the packet capture, and, if you want, save the file to your client system.

You may need to filter your capture to actually see the encrypted HTTPS content.

Part 2

To enable Wireshark to use the keys in the log file, follow these steps:

  1. Go to Edit > Preferences > Protocols > TLS
    Note: For Wireshark versions earlier than 3.x, go to Edit > Preferences > Protocols > SSL.
  2. For the (Pre)-Master-Secret log filename, select "Browse" and locate the SSL log file you created, or just enter the path and file name.
  3. Select "OK"
  4. In the Wireshark packet window, select previously encrypted packets to view unencrypted application data.

After you perform the Part 1 and Part 2 procedures, you can delete the SSL log file to revert the changes.

MAC OS and FIREFOX or CHROME

To log the SSL session keys on a MAC OS client, we have to set the SSLKEYLOGFILE environment variable.

Part 1

  1. Log in to your MAC OS system
  2. Ensure any/all Firefox and Chrome browsers are closed

    Note: On the Mac, applications may keep running in the background.  You must use Force Quit from the Apple menu in the upper-left corner of your screen to force an application to quit.

  3. Launch a MAC OS X terminal for command line access 
  4. Set the SSLKEYLOGFILE environment variable for your account by using the following command syntax:
    export SSLKEYLOGFILE="/Users/<account_name>/sslkeylogfile.log"

    For example:

    export SSLKEYLOGFILE="/Users/awalding/sslkeyfile"
  5. Start Wireshark or even tcpdump, and start the capture on the appropriate interface
  6. Start Firefox or Chrome from the same terminal using the following command syntax:
    open /Applications/<browser>.app

    You must start the browser from the same terminal because the environment variable is set only in that terminal session.

    For example:

    open /Applications/Firefox.app
  7. Open a web site like www.cellstream.com in the web browser.  You will see that the SSL session keys are now being logged in the file you specified in Step 4.  If they are not, go back and repeat the first 6 steps.
  8. You can now stop the packet capture, and, if you want, save the file to your client system.
  9. You may need to filter your capture to actually see the encrypted HTTPS content.

Part 2

To enable Wireshark to use the keys in the log file, follow these steps:

  1. Go to Edit > Preferences > Protocols > TLS
    Note: For Wireshark versions earlier than 3.x, go to Edit > Preferences > Protocols > SSL.
  2. For the (Pre)-Master-Secret log filename, select "Browse" and locate the SSL log file you created, or just enter the path and file name.
  3. Select "OK"
  4. In the Wireshark packet window, select previously encrypted packets to view unencrypted application data.

After you perform the Part 1 and Part 2 procedures, you can delete the SSL log file, and you can enter the following command in the same terminal window to revert the change:

export SSLKEYLOGFILE=""

LINUX and FIREFOX or CHROME

To log the SSL session keys on a Linux client, we have to set the SSLKEYLOGFILE environment variable.

Part 1

To log the SSL session keys on Linux by setting the SSLKEYLOGFILE, perform the following procedure:

  1. Log in to your Linux system
  2. Close any/all Firefox and Chrome browsers
  3. Open a terminal for command line access
  4. Set the SSLKEYLOGFILE environment variable for your account by using the following command syntax:
    export SSLKEYLOGFILE="/home/<account_name>/sslkeylogfile.log"

    For example:

    export SSLKEYLOGFILE="/home/awalding/sslkeylogfile.log"
  5. Start Wireshark, or even tcpdump.
  6. Start Firefox or Chrome from the same terminal.  For example:
    firefox &

    You must start the browser from the same terminal because the environment variable is set only in that terminal session.

  7. Open a web site like www.cellstream.com in the web browser.  You will see that the SSL session keys are now being logged in the file you specified in Step 4.  If they are not, go back and repeat the first 6 steps.
  8. You can now stop the packet capture, and, if you want, save the file to your client system.
  9. You may need to filter your capture to actually see the encrypted HTTPS content.

Part 2

To enable Wireshark to use the keys in the log file, follow these steps:

  1. Go to Edit > Preferences > Protocols > TLS
    Note: For Wireshark versions earlier than 3.x, go to Edit > Preferences > Protocols > SSL.
  2. For the (Pre)-Master-Secret log filename, select "Browse" and locate the SSL log file you created, or just enter the path and file name.
  3. Select "OK"
  4. In the Wireshark packet window, select previously encrypted packets to view unencrypted application data.

After you perform the Part 1 and Part 2 procedures, you can delete the SSL log file, and you can enter the following command in the same terminal window to revert the change:

export SSLKEYLOGFILE=""
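The "check that the keys are being logged" step in all three procedures (Step 13 on Windows, Step 7 on Mac and Linux) only tells you the file is growing.  The following added Python script, which is not part of the original article, parses the NSS Key Log Format that Firefox and Chrome write to SSLKEYLOGFILE and reports how many TLS 1.2 and TLS 1.3 sessions Wireshark actually has enough material to decrypt; the sample log embedded in it is constructed, not taken from a real capture.

```python
import re
from collections import defaultdict

# NSS Key Log Format (what SSLKEYLOGFILE produces): "<LABEL> <client_random, 32-byte hex> <secret hex>"
# per line, "#" lines are comments. TLS 1.2 master secret is 48 bytes; TLS 1.3 secrets are hash-length (32/48).
TLS13_LABELS = ("CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET")
EXPECTED_SECRET_BYTES = {"CLIENT_RANDOM": {48}, **{lab: {32, 48} for lab in TLS13_LABELS}}
RECORD = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return (records, problems): usable (label, client_random, secret) tuples and bad lines."""
    records, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RECORD.match(line)
        if not m:
            problems.append((lineno, "malformed record"))
            continue
        label, client_random, secret = m.groups()
        if label not in EXPECTED_SECRET_BYTES:
            problems.append((lineno, f"unknown label {label}"))
        elif len(secret) % 2 or len(secret) // 2 not in EXPECTED_SECRET_BYTES[label]:
            problems.append((lineno, f"{label} secret is {len(secret) // 2} bytes"))
        else:
            records.append((label, client_random.lower(), secret.lower()))
    return records, problems

def summarize(text):
    """Per-session (client_random) count of what Wireshark can decrypt from these records."""
    records, problems = parse_keylog(text)
    sessions = defaultdict(set)
    for label, client_random, _ in records:
        sessions[client_random].add(label)
    # TLS 1.2 needs the master secret; TLS 1.3 needs both application traffic secrets.
    tls12 = sum("CLIENT_RANDOM" in s for s in sessions.values())
    tls13 = sum({"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= s for s in sessions.values())
    return {"sessions": len(sessions), "tls12": tls12, "tls13": tls13, "problems": problems}

# Constructed sample (not a real capture): one TLS 1.2 session, one TLS 1.3 session, one truncated record.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "ff" * 20,
])
```

Point `summarize` at the contents of your own SSLKEYLOGFILE; a file with zero sessions means the browser was not started with the variable set, and a truncated last record usually means the browser is still writing.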

I hope you find this article and its content helpful.  Comments are welcome below.  If you would like to see more articles like this, please support us by clicking the patron link, where you will receive free bonus access to courses and more, or simply by buying us a cup of coffee!
