TLS Decryption in Wireshark Using Key Log Files in Windows, MAC, and Linux

Hi everyone!  Being able to decrypt the encrypted contents of packet captures is very important if you want to troubleshoot anything above Layer 4.  This is even more important today as the network is evolving to QUIC where everything is encrypted.

Check out these great references as well:

 Our custom profiles repository for Wireshark
 Our Udemy course on Wireshark 
 Our Udemy course on Wireless Packet capture

You have probably watched my YouTube video on this for Windows, but I often get asked how is it done on MAC or on Linux.  So I thought what I would do is document the process here for all three operating systems.  There are two parts to this process.  Part 1 is to set up the operating system, and Part 2 is to configure Wireshark.

First, let’s start with the Windows process of logging the SSL session keys.  Keep in mind, this is using the client side, not the server side.

WINDOWS and FIREFOX or CHROME

To log the SSL session keys on a Windows client, we have to set the SSLKEYLOGFILE.

Part 1

To do this follow these steps:

  1. Log in to your Windows system
  2. Close any/all Firefox and Chrome browsers
  3. Click on the Windows icon at the bottom left corner of your screen.
  4. Type “env” to Open environment variables
  5. Click on the “Environment variables…” button
  6. In the Environmental Variables pop-up window, under User variables for {user name}, select “New”
  7. For the Variable name, enter the following name: “SSLKEYLOGFILE” (everything between the quotes)
    For Variable value, enter the full path name for the SSL log file.  You can click on the Browse Directory or Browse File buttons to navigate to the place you wish.
  8. For example: C:\Users\user1\Desktop\sslkeylog.txt
    Note: You must have write-access to the location you enter here.
  9. Select “OK”
  10. Reboot your system.  You may want to check these settings are in place after the reboot.
  11. Start Wireshark
  12. Start Firefox or Chrome
  13. Open a web site like www.cellstream.com in the web browser.  You will see that the SSL session keys are now being logged in the file you specified in Step 8.  If they are not, go back and repeat the first 8 steps.
  14. You can now stop the packet capture, and, if you want, save the file to your client system.

You may need to filter your capture to actually see that the HTTPS content is encrypted. 

Part 2

To enable Wireshark to use the keys in the log file, you will follows these steps:

  1. Go to Edit > Preferences > Protocols > TLS
    Note: For Wireshark versions earlier than 3.x, go to Edit > Preferences > Protocols > SSL.
    In newer versions of Wireshark this has been moved to Edit> Preferences> Protocols> TLS.
  2. For the (Pre)-Master-Secret log filename, select “Browse” and locate the TLS/SSL log file you created, or just enter the path and file name.
  3. Select “OK”
  4. In the Wireshark packet window, select previously encrypted packets to view unencrypted application data.

After you perform part 1 and part 2 procedures, you can delete the TLS/SSL log file and undo the settings made in Parts 1 and 2 to revert the changes.

MAC OS and FIREFOX or CHROME

To log the SSL session keys on a MAC OS client, we have to set the SSLKEYLOGFILE.

Part 1

  1. Log in to your MAC OS system
  2. Ensure any/all Firefox and Chrome browsers are closedNote: In the MAC, applications may run in the background. You must use Force Quit from the Apple menu in the upper-left corner of your screen to force an application to quit
  3. Launch a MAC OS X terminal for command line access
  4. Set the SSLKEYLOGFILE environment variable for your account by using the following command syntax:
    export SSLKEYLOGFILE="/Users/<account_name>/sslkeylogfile.log"

    For example:

    export SSLKEYLOGFILE="/Users/awalding/sslkeylogfile.log"
  5. Start Wireshark or even tcpdump, and start the capture on the appropriate interface
  6. Start Firefox or Chrome from the same terminal using the following command syntax:
    open /Applications/<browser>

    You must start the browser from the same command terminal because the session variable is set only on the terminal.

    For example:

    open /Applications/Firefox
  7. Open a web site like www.cellstream.com in the web browser.  You will see that the SSL session keys are now being logged in the file you specified in Step 4.  If they are not, go back and repeat the first 6 steps.
  8. You can now stop the packet capture, and, if you want, save the file to your client system.
  9. You may need to filter your capture to actually see that the HTTPS content is encrypted. 

Part 2

To enable Wireshark to use the keys in the log file, you will follows these steps:

  1. Go to Edit > Preferences > Protocols > TLS
    Note: For Wireshark versions earlier than 3.x, go to Edit > Preferences > Protocols > SSL.
  2. For the (Pre)-Master-Secret log filename, select “Browse” and locate the SSL log file you created, or just enter the path and file name.
  3. Select “OK”
  4. In the Wireshark packet window, select previously encrypted packets to view unencrypted application data.

After you perform part 1 and part 2 procedures, you can delete the SSL log file, and you can enter the following command in the terminal window to revert the changes:

export SSLKEYLOGFILE=""

LINUX and FIREFOX or CHROME

To log the SSL session keys on a Linux client, we have to set the SSLKEYLOGFILE.

Part 1

To log the SSL session keys on Linux by setting the SSLKEYLOGFILE, perform the following procedure:

  1. Log in to your Linux system
  2. Close any/all Firefox and Chrome browsers
  3. Open a terminal for command line access
  4. Set the SSLKEYLOGFILE environment variable for your account by using the following command syntax:
    export SSLKEYLOGFILE="/home/<account_name>/sslkeylogfile.log"

    For example:

    export SSLKEYLOGFILE="/home/awalding/sslkeylogfile.log"
  5. Start Wireshark, or even tcpdump.
  6. Start Firefox or Chrome from the same terminal.  For example:
    Firefox &

    You must start the browser from the same command terminal because the session variable is set only on the terminal.

  7. Open a web site like www.cellstream.com in the web browser.  You will see that the SSL session keys are now being logged in the file you specified in Step 4.  If they are not, go back and repeat the first 6 steps.
  8. You can now stop the packet capture, and, if you want, save the file to your client system.
  9. You may need to filter your capture to actually see that the HTTPS content is encrypted.

Part 2

To enable Wireshark to use the keys in the log file, you will follows these steps:

  1. Go to Edit > Preferences > Protocols > TLS
    Note: For Wireshark versions earlier than 3.x, go to Edit > Preferences > Protocols > SSL.
  2. For the (Pre)-Master-Secret log filename, select “Browse” and locate the SSL log file you created, or just enter the path and file name.
  3. Select “OK”
  4. In the Wireshark packet window, select previously encrypted packets to view unencrypted application data.

After you perform part 1 and part 2 procedures, you can delete the SSL log file, and you can enter the following command in the terminal window to revert the changes:

export SSLKEYLOGFILE=""
Remember you can always get your profiles here: https://www.cellstream.com/resources/wireshark-profiles-repository
I hope you find this article and its content helpful.  Comments are welcomed below.  If you would like to see more articles like this, please support us by clicking the patron link where you will receive free bonus access to courses and more, or simply buying us a cup of coffee!, and all comments are welcome!

Leave a Comment

Contact Us Here


Please verify.
Validation complete :)
Validation failed :(
 
Your contact request has been received. We usually respond within an hour, but please be patient. We will get back to you very soon.
Scroll to Top