Decrypting SSL in Wireshark

Next, copy your pre-master key file and your capture to your local box. To do this, follow these steps:

  1. Open WinSCP on the Windows jumpbox and connect to Bigip01.

  2. Change local directory to Documents.

  3. Download session.pms and your pcap files from the remote directory.

  4. Now open Wireshark.

  5. Once Wireshark is open, go to Edit/Preferences.

  6. In the left pane, expand Protocols, then select TLS.

    ../../_images/premaster-session.png
  7. Browse to the pre-master session key file and click Open, then click OK.

  8. In Wireshark, open the .pcap file you pulled down from the F5 BIG-IP with SSL packet capture.

  9. Apply a display filter of http.

  10. Right-click one of the packets and select Follow, HTTP Stream.

    ../../_images/follow-ssl-stream.png
  11. You will now see the decrypted SSL data in the capture, as follows:

    ../../_images/ssl-decrypted-data.png
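If the capture still shows only encrypted records after step 11, check the key file first. The following Python check is an added example, not part of the original lab guide: it validates each line of session.pms against the entry formats Wireshark's TLS key log reader accepts. The function name `check_keylog` and the sample data are constructed for illustration.

```python
import re
from collections import Counter

HEX = r"[0-9a-fA-F]"
TLS13 = (r"(?:CLIENT_EARLY_TRAFFIC_SECRET|EXPORTER_SECRET|EARLY_EXPORTER_SECRET|"
         r"(?:CLIENT|SERVER)_(?:HANDSHAKE_TRAFFIC_SECRET|TRAFFIC_SECRET_0))")
# Entry shapes accepted in a TLS key log file (lengths are hex characters).
PATTERNS = {
    "CLIENT_RANDOM": re.compile(rf"^CLIENT_RANDOM {HEX}{{64}} {HEX}{{96}}$"),
    "RSA Session-ID": re.compile(
        rf"^RSA Session-ID:(?:{HEX}{{2}}){{1,32}} Master-Key:{HEX}{{96}}$"),
    "TLS 1.3 secret": re.compile(rf"^{TLS13} {HEX}{{64}} (?:{HEX}{{64}}|{HEX}{{96}})$"),
}

# Constructed sample, not real key material: two valid entries, two broken ones.
SAMPLE = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "RSA Session-ID:" + "01" * 32 + " Master-Key:" + "ef" * 48,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 40,   # secret cut short
    "Session-ID:" + "01" * 32,                          # missing label and key
])

def check_keylog(text):
    """Return (Counter of valid entry kinds, list of (line_no, reason))."""
    counts, problems = Counter(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no secrets
        kind = next((k for k, p in PATTERNS.items() if p.match(line)), None)
        if kind:
            counts[kind] += 1
        else:
            problems.append((no, "unrecognised or truncated entry"))
    if not counts:
        problems.append((0, "no usable secrets in file"))
    return counts, problems

if __name__ == "__main__":
    counts, problems = check_keylog(SAMPLE)
    print("valid entries:", dict(counts))
    for no, reason in problems:
        print(f"line {no}: {reason}")
```

To check the real file, pass its contents instead of `SAMPLE`, for example `check_keylog(open("session.pms").read())`.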