Capture and decrypt SSL traffic

Environment

Get SSL session keys

  1. Quit Firefox
  2. export SSLKEYLOGFILE=~/Desktop/sklf && open /Applications/Firefox.app
  3. sudo tcpdump -i en0 -s 0 tcp port https -w ~/Desktop/capture.pcap
  4. Browse to desired HTTPS site in Firefox

Load SSL key log & packet capture files into Wireshark

  1. Wireshark.app → Preferences... → Protocols → TLS → (Pre)-Master-Secret log filename → Browse... → ~/Desktop/sklf → OK
  2. File → Open → ~/Desktop/capture.pcap → Open
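A check of the key log file written in the first section, as an added example that is not part of the original page: it parses the NSS key log format that SSLKEYLOGFILE produces and reports, per session, whether the secrets needed to decrypt its records were logged. The function names and the sample lines are assumptions made for illustration; the secrets themselves are never printed.

```python
import re
from collections import defaultdict

# Labels from the NSS key log format written to $SSLKEYLOGFILE.
TLS13_REQUIRED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                  "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# <LABEL> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def parse_keylog(text):
    """Return ({client_random: {labels}}, [line numbers that failed to parse])."""
    sessions, malformed = defaultdict(set), []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        m = LINE_RE.match(line)
        if m is None:  # also catches legacy "RSA" lines, which this sketch ignores
            malformed.append(lineno)
            continue
        label, client_random, _secret = m.groups()  # the secret is never printed
        sessions[client_random.lower()].add(label)
    return dict(sessions), malformed

def classify(labels):
    """Say whether one session's logged secrets cover all of its records."""
    if "CLIENT_RANDOM" in labels:  # TLS 1.2 and earlier: master secret logged
        return "tls1.2-ok"
    missing = sorted(TLS13_REQUIRED - labels)
    return "tls1.3-ok" if not missing else "tls1.3-missing:" + ",".join(missing)

def summarize(text):
    """Map a short client-random prefix to its classification."""
    sessions, malformed = parse_keylog(text)
    return {cr[:8]: classify(labels) for cr, labels in sessions.items()}, malformed

# Constructed sample (not real secrets): one TLS 1.2 session, one TLS 1.3
# session without application-traffic secrets, and one truncated line.
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {'11' * 32} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'bb' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'cc' * 32}",
    "CLIENT_RANDOM truncated-line",
])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(summarize(text))
```

Run it with the path to the key log (here ~/Desktop/sklf) as the only argument. The file holds the session secrets for everything captured, so keep it readable only by your own account and delete it when the analysis is done.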

Search & export text

  1. Edit → Find Packet... → change "Packet list" to "Packet details" and "Display filter" to "String" → enter desired search string into box labeled "Enter a display filter ..." → Find
  2. Right click highlighted result → Copy Bytes ...as Printable Text → pbpaste

Notes

Sources

/mac | Jan 03, 2022
