tinyapps.org / blog

Capture and decrypt SSL traffic #

Environment

• macOS 10.15.7, Mozilla Firefox 95.0.2, Wireshark 3.6.1, tcpdump 4.9.3

Get SSL session keys

1. Quit Firefox
2. export SSLKEYLOGFILE=~/Desktop/sklf && open /Applications/Firefox.app
3. sudo tcpdump -i en0 -s 0 tcp port https -w ~/Desktop/capture.pcap
4. Browse to desired HTTPS site in Firefox

Load SSL key log & packet capture files into Wireshark

1. Wireshark.app → Preferences... → Protocols → TLS → (Pre)-Master-Secret log filename → Browse... → ~/Desktop/sklf → OK
2. File → Open → ~/Desktop/capture.pcap → Open

Search & export text

1. Edit → Find Packet... → change "Packet list" to "Packet details" and "Display filter" to "String" → enter desired search string into box labeled "Enter a display filter ..." → Find
2. Right click highlighted result → Copy Bytes ...as Printable Text → pbpaste

Notes

• Several methods, from verbose to concise, for identifying the network interface:
  • ifconfig
  • netstat -i
  • networksetup -listallhardwareports
  • for i in `ifconfig -l `; do echo $i; ifconfig $i | grep "inet " ; done ¹
  • scutil --nwi
  • route get example.com | grep interface ²

Sources

• Decrypt SSL traffic with the SSLKEYLOGFILE environment variable on Firefox or Google Chrome using Wireshark
• Wireshark 2 is the simplest way to inspect HTTPS on your Mac

/mac | Jan 03, 2022

Subscribe or visit the archives.