How to Capture and Inspect Encrypted HTTPS Traffic Flows Using Wireshark Sniffer

Wireshark is a powerful and widely-used network protocol analyzer that allows users to capture network traffic, inspect packets in granular detail, and gain valuable insights. With Wireshark, it is possible to capture and analyze even encrypted HTTPS traffic flows by utilizing some handy features.

An Overview of Wireshark

Wireshark is an open-source packet analyzer software that runs on Windows, Linux, macOS, and other platforms. It can capture live network traffic via interfaces or from packet capture files. Some key things to know about Wireshark:

  • Captures network traffic from Ethernet, WiFi, Bluetooth and other media
  • Highly customizable filtering and analysis capabilities
  • Support for 1000+ protocols including TCP, UDP, HTTP, DNS and more
  • Rich visualization including graphs and statistics
  • Extensible via plugins
  • Free and open source

These capabilities make Wireshark invaluable for network troubleshooting, analysis, software debugging, and learning about network protocols.

HTTPS Traffic Encryption

Hypertext Transfer Protocol Secure (HTTPS) is HTTP over an encrypted Transport Layer Security (TLS) connection. The encryption ensures privacy, integrity, and authenticity of data in transit.

The encryption means that by default, Wireshark cannot decrypt and analyze the actual content within HTTPS packets. It can still capture HTTPS traffic and see metadata like:

  • Source and destination IP addresses
  • Source and destination ports
  • TLS handshake details
  • Certificate information
  • TCP sequence numbers, flags etc.

But not the actual HTTP payload. Attempting to follow the TCP stream shows encrypted data.

Decrypting HTTPS Traffic in Wireshark

To decrypt HTTPS traffic in Wireshark, the pre-master secret keys from the TLS session need to be provided to Wireshark. This can be accomplished in two ways:

1. SSLKEYLOGFILE Environment Variable

This involves configuring the web browser to log TLS secrets and provide the log file path to Wireshark via the SSLKEYLOGFILE environment variable.

On Windows:

  • Set system environment variable SSLKEYLOGFILE to a file path, e.g. %HOMEPATH%\sslkeylog.log
  • Launch web browser
  • HTTPS traffic will now be logged to the file
  • In Wireshark > Preferences > Protocols > TLS, set the path to this file

On Linux/macOS:

  • Export environment variable in terminal
  • Launch browser
  • Set file path in Wireshark as above

Now Wireshark will automatically decrypt any qualifying HTTPS traffic flows using the logged secrets.

2. RSA Private Key

For HTTPS traffic using RSA key exchange, Wireshark can decrypt using the server’s private key file added to the RSA keys list.

  • Obtain server’s RSA private key file (PEM format)
  • In Wireshark > Preferences > Protocols > TLS > RSA keys list
  • Click “+” and add private key file

The related traffic will then be automatically decrypted.

Analyzing Decrypted HTTPS in Wireshark

Once the above steps are followed, Wireshark will decrypt qualifying HTTPS traffic automatically. Users can then analyze it like any other unencrypted traffic.

  • Apply display filters like http.request or http.response
  • Follow TCP streams to view decrypted application data
  • Leverage deep packet inspection, extraction and other analysis features offered by Wireshark

This enables troubleshooting, forensics, security analysis and more on what were previously encrypted flows.

Best Practices for HTTPS Decryption

When decrypting HTTPS traffic for analysis using Wireshark, follow these best practices:

  • Obtain permission if analyzing traffic not owned by you, to avoid legal issues
  • Use updated software to ensure support for modern cipher suites
  • Capture only required traffic to limit exposure of sensitive information
  • Remove secrets post-analysis and follow secure data handling practices
  • Use additional tools like network taps and merged pcap files when required


Wireshark is a powerful tool that allows deep inspection of network traffic, including encrypted HTTPS flows in some cases. By providing TLS secrets or RSA private keys, users can leverage Wireshark to decrypt and analyze HTTPS traffic to gain valuable insights for security, forensics and troubleshooting use cases. Proper precautions need to be taken to ensure legal compliance, data security and privacy.