top of page
Writer's pictureLaura Chappell

Embed TLS Secrets in Trace Files Using Wireshark

Updated: Feb 29

Wireshark v4 now has the option to embed TLS secrets into a trace file within the GUI.

We could do this before in editcap, but who wants to jump out to the command prompt to run the clunky process there - and what are the chances of a typo? (Pretty damn near 80% in my case.)

Inject TLS Secrets menu item

Once you've set up your system to log keys before you start your local capture, you can now select Edit | Inject TLS Secrets.


Wireshark embeds only the keys used in the trace file. (This is nice because some of my key files are pretty large after forgetting I've set them up.)


You'll only know if this process worked by looking at your trace file. (No "X keys were injected" message" or any other confirmation will appear.)


Luckily, an asterisk is placed before the file name on the menubar to indicate the file has been edited. You will be prompted to save changes to the file if you try to close it without saving.


This change makes sharing unencrypted files I've captured on my system is easy.


LAB: Decrypt with a Log File and Embed TLS Secrets


Step 1: Get the Files

Grab sjsharks.zip. Unzip the file - you now have an unencrypted HTTP/2 session and the .key file to decrypt it. (Note the size of the trace file and the size of the key file. My system has been saving keys to that same file for a while.)

directory listing


Open sj-sharksmini2.pcapng in the latest version of Wireshark - notice that the TCP streams are encrypted.

unencypted traffic

Step 2: Decrypt with the Pre-Master-Secret Log File

Select frame 4 and, in the Packet Details pane, and right-click on the TLS section. Select Protocol Preferences | Pre-(Master)-Secret Log Filename. Up by your display filter area, you are prompted to enter the path/name of the key file to use. Point Wireshark to the key file you downloaded. Click OK.


adding the pre-master secret log file

Wireshark will rescan the trace file and ... if all works well, voila! The HTTP/2 traffic should be decrypted.

decrypted traffic

Step 3: Inject TLS Secrets

You aren't done yet!

Select Edit | Inject TLS Secrets. Save this trace file as a new file (maybe add "-key" to the file name to indicate it has embedded keys). If you remove the Pre-(Master)-Secret Log Filename setting or change to a different profile that doesn't have that TLS preference setting, the file will remain decrypted because the keys are embedded in the file.


Notice the size of the new "-keys" file. Wireshark only included the keys used for the decryption process. Sweet!


Enjoy!


-Laura

bottom of page