Decrypting SSL in Wireshark

You now need to move your pre-master key file and your capture to your local box. To do this:

  1. Open WinSCP on the Windows jumpbox and connect to Bigip01.

  2. Change local directory to Documents.

  3. Pull the session.pms and your pcap files from the remote directory.

  4. Now open Wireshark.

  5. Once Wireshark is open, go to Edit/Preferences.

  6. On the left side, expand Protocols, then select TLS.

  7. Browse to the pre-master session key file and click on save.

  8. In Wireshark, open the .pcap file you pulled down from the F5 BIG-IP. You can use the original .pcap.

  9. Right-click on one of the SSL packets and select Follow, TLS Stream.

  10. You will now see unencrypted SSL data in the capture.
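If the TLS stream still shows no decrypted data, one thing to check is whether the key file you loaded in step 7 contains usable lines. The script below is an added example, not part of the original lab guide: it assumes session.pms is in NSS key log format or the older `RSA Session-ID:` form, and its sample lines are constructed rather than real key material.

```python
"""Added example: check a TLS key log file before loading it in Wireshark."""
import re
import sys
from collections import Counter

HEX = "[0-9A-Fa-f]"
TLS13 = ("CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|"
         "SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|"
         "SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET|EARLY_EXPORTER_SECRET")
# Key log line shapes (assumed file format; the list is not exhaustive).
PATTERNS = {
    "CLIENT_RANDOM": re.compile(f"CLIENT_RANDOM {HEX}{{64}} {HEX}{{96}}"),
    "RSA": re.compile(f"RSA {HEX}{{16}} {HEX}{{96}}"),
    "RSA Session-ID": re.compile(
        f"RSA Session-ID:(?:{HEX}{{2}})+ Master-Key:{HEX}{{96}}"),
    "TLS 1.3 secret": re.compile(
        f"(?:{TLS13}) {HEX}{{64}} (?:{HEX}{{96}}|{HEX}{{64}})"),
}

# Constructed sample lines, not real key material.
SAMPLE = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "RSA Session-ID:" + "01" * 32 + " Master-Key:" + "ef" * 48,
    "log prefix RSA Session-ID:" + "02" * 32 + " Master-Key:" + "ef" * 48,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 40,  # secret too short
])

def check_keylog(text):
    """Return (Counter of usable line kinds, [(line_no, problem), ...])."""
    kinds, problems = Counter(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no key material
        kind = next((k for k, p in PATTERNS.items() if p.fullmatch(line)), None)
        if kind:
            kinds[kind] += 1
        elif any(p.search(line) for p in PATTERNS.values()):
            problems.append((no, "key found but line has extra text"))
        else:
            problems.append((no, "no well-formed key on this line"))
    return kinds, problems

if __name__ == "__main__":
    # Pass a path such as session.pms; with no argument the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    kinds, problems = check_keylog(text)
    print("usable lines:", dict(kinds))
    for no, why in problems:
        print(f"line {no}: {why}")
```

A file that reports zero usable lines, or only flagged lines, gives Wireshark nothing to match against the handshakes in the capture.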