Protocol Decryption
Packet Viewer supports decrypting encrypted protocols by configuring decryption keys in profile configuration files or embedding them directly in PCAP-ng files. This allows analysis of encrypted traffic when keys are available.
TLS Decryption
Packet Viewer can decrypt TLS/SSL traffic when TLS key log information is embedded directly in the PCAP-ng file. When a capture file contains embedded TLS key log data, decryption happens automatically without any additional configuration.
Embedded TLS Key Logs
PCAP-ng files can include TLS session keys as Decryption Secrets Blocks (DSB). When present, Packet Viewer uses these keys to decrypt TLS traffic in the capture. This approach provides several benefits:
- Keys travel with the capture file
- No profile or container configuration required
- Keys are contextually accurate to the capture session
- Works without external key files
Creating Captures with Embedded Keys
To create PCAP-ng files with embedded TLS keys, configure your capture tool or application to log TLS session keys and embed them in the capture file.
Many capture tools support the SSLKEYLOGFILE environment variable for collecting TLS keys during capture. Consult your capture tool’s documentation for specific instructions on embedding TLS key log data in PCAP-ng files.
Verifying TLS Decryption
Open the capture file in Packet Viewer. If TLS decryption is working, you will see decrypted application data in the packet decode tree for TLS packets instead of encrypted payload.
SMB Decryption
The smb2_seskey_list file can be used to decrypt SMB traffic by configuring a list of Session ID to key mappings. Keys can be specified using either a single Session Key or separate Server-to-Client/Client-to-Server keys.
File Format
Place the smb2_seskey_list file in your profile’s wireshark/ directory.
Format: "Session ID","Session Key","Server-to-Client","Client-to-Server"
If the Session Key is used for the mapping, the Server-to-Client and Client-to-Server fields must be set to the empty string, "". Likewise, if the Server-to-Client and Client-to-Server keys are used, then the Session Key must be set to "".
Examples
Decrypt traffic using a Session Key:
# Session ID, Session Key, Server-to-Client (empty), Client-to-Server (empty)
3d00009400480000,28f2847263c83dc00621f742dd3f2e7b,"",""
Decrypt traffic using separate Server-to-Client and Client-to-Server keys:
# Session ID, Session Key (empty), Server-to-Client, Client-to-Server
3d00009400480000,"",b25a135fc3dc14269f20d7cbc8716b6b,a3c0338caf84f4a254445a9724f1c462
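The format rules above, checked by a small parser. This is an added example, not Packet Viewer's or Wireshark's own code: it reads smb2_seskey_list records, treats "#" lines as comments as in the examples, and rejects a record that sets both a Session Key and the direction keys. The class and function names and the sample file are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple
HEX = re.compile(r"^[0-9a-fA-F]+$")

class SmbSessionKeys(NamedTuple):
    session_id: str
    session_key: Optional[str]       # used alone, or ...
    server_to_client: Optional[str]  # ... these two together
    client_to_server: Optional[str]

def _field(raw: str) -> str:
    raw = raw.strip()  # '""' (the documented empty value) becomes ''
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw

def parse_seskey_line(line: str, lineno: int = 0) -> Optional[SmbSessionKeys]:
    """One record; None for blank/comment lines, ValueError if malformed."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    parts = [_field(p) for p in line.split(",")]
    if len(parts) != 4:
        raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
    sid, skey, s2c, c2s = parts
    for name, val in zip(("Session ID", "Session Key",
                          "Server-to-Client", "Client-to-Server"), parts):
        if (val or name == "Session ID") and not HEX.match(val):
            raise ValueError(f"line {lineno}: {name} must be hex")
    # Exactly one mapping style: a Session Key alone, or both direction keys.
    if skey and (s2c or c2s):
        raise ValueError(f'line {lineno}: Session Key set, so direction keys must be ""')
    if not skey and not (s2c and c2s):
        raise ValueError(f"line {lineno}: need a Session Key or both direction keys")
    return SmbSessionKeys(sid, skey or None, s2c or None, c2s or None)

def load_seskey_list(text: str) -> Tuple[List[SmbSessionKeys], List[str]]:
    """Whole file: (valid records, one error message per malformed line)."""
    entries, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            rec = parse_seskey_line(line, n)
            if rec is not None:
                entries.append(rec)
        except ValueError as e:
            errors.append(str(e))
    return entries, errors

SAMPLE = """# Constructed sample: the page's two records plus one that sets all three keys
3d00009400480000,28f2847263c83dc00621f742dd3f2e7b,"",""
3d00009400480000,"",b25a135fc3dc14269f20d7cbc8716b6b,a3c0338caf84f4a254445a9724f1c462
3d00009400480000,28f2847263c83dc00621f742dd3f2e7b,b25a135fc3dc14269f20d7cbc8716b6b,""
"""
```

Running load_seskey_list over a profile's smb2_seskey_list before opening a capture turns a silent "SMB still encrypted" into a line-numbered error.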
Obtaining SMB Keys
For information on obtaining SMB session keys from a client, see the SambaWiki Wireshark Decryption page.