Previously I relied heavily on Fiddler, but Fiddler kept failing, or some packets could not be captured at all. I kept wondering whether there was a method that works everywhere. Wireshark, used as described below, does.
Test app: Ximalaya (喜马拉雅).
Principle: first obtain a TLS key log file (the file written by a browser when SSLKEYLOGFILE is set) from the web version, then use that file to decrypt the HTTPS packets. The rest of this page is the relevant part of the Wireshark wiki page on TLS.
Capture Filter
You cannot directly filter TLS protocols while capturing. However, if you know the TCP port used (443 for HTTPS by default), you can filter on that one, for example using the capture filter tcp port 443.
Using the (Pre)-Master-Secret
The master secret enables TLS decryption in Wireshark and can be supplied via the Key Log File. The pre-master secret is the result from the key exchange and can be converted to a master secret by Wireshark. This pre-master secret can be obtained when an RSA private key is provided and an RSA key exchange is in use (it cannot be recovered from the private key for (EC)DHE key exchanges, which is why the key log file is the general method).
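The conversion the paragraph above refers to, worked out in code. This is an added example and not Wireshark's own code: it derives the TLS 1.2 master secret from an RSA pre-master secret (what an RSA private key, or a legacy RSA key log line, yields) exactly as RFC 5246 section 8.1 specifies, and formats the result as the CLIENT_RANDOM line a key log file would carry. It covers cipher suites whose PRF hash is SHA-256 (SHA-384 suites use P_SHA384 instead), and TLS 1.3 has no master secret at all, which is why its key log lines carry HKDF traffic secrets under different labels. The pre-master secret and the two randoms are constructed values.

```python
"""TLS 1.2 pre-master -> master secret derivation (RFC 5246, section 8.1).

Added example, not Wireshark code. Shows the conversion from the pre-master
secret of an RSA key exchange to the master secret that a CLIENT_RANDOM key
log line stores, plus the following "key expansion" step.  PRF hash is
SHA-256; all input values are constructed.
"""
import hashlib
import hmac


def p_hash(secret, seed, length, digest=hashlib.sha256):
    """P_<hash> expansion (RFC 5246, section 5): HMAC chain A(i), then output blocks."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()               # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()     # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF for SHA-256 suites: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    """48-byte master secret; this is the value a CLIENT_RANDOM log line carries."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, length):
    """Record-layer key material; note that the randoms swap order here."""
    return prf(master, b"key expansion", server_random + client_random, length)


def keylog_line(client_random, master):
    """One line in the format Wireshark reads from SSLKEYLOGFILE."""
    return f"CLIENT_RANDOM {client_random.hex()} {master.hex()}"


# Constructed values: an RSA pre-master secret is 48 bytes, the client
# version (0x0303 for TLS 1.2) followed by 46 random bytes.
PRE_MASTER = b"\x03\x03" + bytes(range(1, 47))
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print(keylog_line(CLIENT_RANDOM, ms))
```

Wireshark performs the same derivation internally when it is given an RSA private key or an RSA key log line; with a CLIENT_RANDOM line it skips straight to the key expansion step.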
Step-by-step instructions to decrypt TLS traffic from Chrome or Firefox in Wireshark:
- Close the browser completely (check your task manager just to be sure).
- Set the environment variable SSLKEYLOGFILE to the absolute path of a writable file.
- Start the browser.
- Verify that the file from step 2 is created.
- In Wireshark, go to Edit -> Preferences -> Protocols -> TLS, and change the (Pre)-Master-Secret log filename preference to the path from step 2.
- Start the Wireshark capture.
- Open a website, for example https://www.wireshark.org/
- Check that the decrypted data is visible, for example using the display filter tls and (http or http2).
For Windows, an environment variable can be set globally as described in this walkthrough, but this is not recommended since it is easy to forget about and may be a security issue since it allows decryption of all your TLS traffic. A better way to set the environment variable is via a batch file. Create a file start-fx.cmd with:
@echo off
set SSLKEYLOGFILE=%USERPROFILE%\Desktop\keylogfile.txt
start firefox
For Linux, you open a terminal then start the browser with:
export SSLKEYLOGFILE=$HOME/Desktop/keylogfile.txt
firefox
For macOS, you open a terminal then start the browser with:
export SSLKEYLOGFILE=$HOME/Desktop/keylogfile.txt
open -a firefox
Change the SSLKEYLOGFILE path as needed, and replace firefox with chrome for Google Chrome. This mechanism currently (2019) does not work for Safari, Microsoft Edge, and others since their TLS libraries (Microsoft SChannel/Apple SecureTransport) do not support this mechanism. This mechanism works for applications other than web browsers as well, but it is dependent on the TLS library used by the application.
Note: Chromium based versions of Edge (version 79+) should work too.
Examples of other applications:
- Applications using OpenSSL could use a GDB or an LD_PRELOAD trick to extract the secrets. This includes Python.
- For a walkthrough for Apache HTTP Server using this libsslkeylog.so library, see this post.
- For Java programs, secrets can be extracted from the TLS debug log preference, or output directly in the format Wireshark requires via a Java agent. Two similar projects:
  - jSSLKeyLog: http://jsslkeylog.sourceforge.net/
  - extract-tls-secrets: https://github.com/neykov/extract-tls-secrets
- Python scripts can be edited to dump keys as well (since Python 3.8 the ssl module honours SSLKEYLOGFILE in ssl.create_default_context(), and SSLContext has a keylog_filename attribute).
For a survey of supported TLS applications and libraries, see also page 19 of Peter Wu's SSL/TLS Decryption SharkFest'18 EU presentation.
Embedding decryption secrets in a pcapng file
Since Wireshark 3.0 you can embed the TLS key log file in a pcapng file. This makes it much easier to distribute capture files with decryption secrets, and makes switching between capture files easier since the TLS protocol preference does not have to be updated. To add the contents of key log file keys.txt to capture file in.pcap and write the result to out-dsb.pcapng:
editcap --inject-secrets tls,keys.txt in.pcap out-dsb.pcapng
The dsb suffix stands for Decryption Secrets Block (DSB) and is part of the pcapng specification.
A key log file might contain keys that are not related to a capture file. To ensure that unnecessary keys are not leaked, you can use the inject-tls-secrets.py script from https://gist.github.com/Lekensteyn/f64ba6d6d2c6229d6ec444647979ea24 to filter the key log file and add the required secrets to a capture file. The shell script has been tested with Linux and macOS, but a Python 3 version is also available for all platforms including Windows. Example:
git clone https://gist.github.com/Lekensteyn/f64ba6d6d2c6229d6ec444647979ea24 ~/its
~/its/inject-tls-secrets.py keys.txt some.pcap
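Both steps above, embedding the key log in a Decryption Secrets Block and first dropping the secrets that do not belong to the capture, worked out by hand. This is an added example and not code from Wireshark, editcap or the inject-tls-secrets script: it parses a legacy pcap, keeps only the key log lines whose second field (the ClientHello random, or for legacy RSA lines the first 8 bytes of the encrypted pre-master secret, both of which travel in the clear) occurs in some captured packet, and writes a pcapng with a TLS DSB (secrets type 0x544c534b) placed before the packets. The byte-search filter is this example's own simplification of what inject-tls-secrets.py does with tshark; the pcap and key log are constructed test data, not a real capture.

```python
"""Embed TLS secrets in a pcapng Decryption Secrets Block (DSB).

Added example, not Wireshark/editcap code: the manual equivalent of
`editcap --inject-secrets tls,keys.txt in.pcap out-dsb.pcapng`, preceded
by a filter that drops key log lines unrelated to the capture.  The pcap
and key log at the bottom are constructed test data.
"""
import struct

TLS_KEYLOG = 0x544C534B   # DSB secrets type "TLSK" (pcapng spec, Decryption Secrets Block)
BT_SHB, BT_IDB, BT_EPB, BT_DSB = 0x0A0D0D0A, 0x00000001, 0x00000006, 0x0000000A


def read_pcap(data):
    """Parse a little-endian legacy pcap; return (linktype, [(ts_us, packet_bytes)])."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    packets, off = [], 24
    while off < len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        packets.append((sec * 1_000_000 + usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def filter_keylog(keylog_text, packets):
    """Keep only key log lines whose second field occurs in a captured packet.

    For CLIENT_RANDOM and the TLS 1.3 *_TRAFFIC_SECRET labels that field is
    the 32-byte ClientHello random; for legacy RSA lines it is the first 8
    bytes of the encrypted pre-master secret.  Both are sent in the clear,
    so a value found in no packet cannot belong to this capture.
    """
    kept = []
    for line in keylog_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 3:
            continue                       # comment or malformed line
        try:
            needle = bytes.fromhex(fields[1])
        except ValueError:
            continue
        if any(needle in pkt for _, pkt in packets):
            kept.append(line)
    return kept


def _block(block_type, body):
    """Frame a pcapng block: type, total length, body padded to 32 bits, total length."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def build_pcapng(linktype, packets, secrets_text):
    """Write SHB, IDB, one DSB, then the packets as EPBs (microsecond timestamps)."""
    shb = _block(BT_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(BT_IDB, struct.pack("<HHI", linktype, 0, 65535))
    secrets = secrets_text.encode()
    dsb = _block(BT_DSB, struct.pack("<II", TLS_KEYLOG, len(secrets)) + secrets)
    out = shb + idb + dsb                  # the DSB must precede the packets it unlocks
    for ts_us, pkt in packets:
        hdr = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF, len(pkt), len(pkt))
        out += _block(BT_EPB, hdr + pkt)
    return out


def inject_secrets(pcap_bytes, keylog_text):
    """pcap + key log -> pcapng carrying only the secrets this capture needs."""
    linktype, packets = read_pcap(pcap_bytes)
    kept = filter_keylog(keylog_text, packets)
    return build_pcapng(linktype, packets, "".join(line + "\n" for line in kept))


def read_secrets(pcapng):
    """Walk the blocks and return the text of every TLS key log DSB."""
    found, off = [], 0
    while off < len(pcapng):
        btype, blen = struct.unpack_from("<II", pcapng, off)
        if btype == BT_DSB:
            stype, slen = struct.unpack_from("<II", pcapng, off + 8)
            if stype == TLS_KEYLOG:
                found.append(pcapng[off + 16:off + 16 + slen].decode())
        off += blen
    return found


# --- constructed sample data (not a real capture) -----------------------------
RANDOM_A = bytes(range(32))               # client random of a session in the capture
RANDOM_B = bytes(range(32, 64))           # client random of an unrelated session
CLIENT_HELLO_A = b"\x16\x03\x01\x00\x2b\x01\x00\x00\x27\x03\x03" + RANDOM_A + b"\x00"
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 147)  # LINKTYPE_USER0
               + struct.pack("<IIII", 1_700_000_000, 0, len(CLIENT_HELLO_A), len(CLIENT_HELLO_A))
               + CLIENT_HELLO_A)
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, generated by NSS\n"
    f"CLIENT_RANDOM {RANDOM_A.hex()} {'aa' * 48}\n"
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'bb' * 32}\n"
)

if __name__ == "__main__":
    out = inject_secrets(SAMPLE_PCAP, SAMPLE_KEYLOG)
    with open("out-dsb.pcapng", "wb") as f:
        f.write(out)
    print(read_secrets(out))              # only the RANDOM_A line survives the filter
```

The resulting file opens in Wireshark 3.0 or later with no TLS preference set, since the secrets travel inside the capture; `editcap --inject-secrets` produces the same block layout from a real capture, and `editcap --discard-all-secrets` strips it again before a capture is shared further.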
See also
Some other protocols are derived from TLS. This includes:
- DTLS is based on the TLS standard and runs on top of UDP as a transport protocol.
- QUIC is an in-development protocol that uses TLS for its encryption, Wireshark’s status can be tracked at https://github.com/quicwg/base-drafts/wiki/Tools#wireshark.
External links
- https://en.wikipedia.org/wiki/Transport_Layer_Security Wikipedia article for TLS
- https://sharkfesteurope.wireshark.org/assets/presentations16eu/07.pdf SharkFest’16 EU presentation by Sake Blok on troubleshooting SSL with Wireshark/Tshark (or watch the video of the presentation at https://youtu.be/oDaDY9QCnXk)
- https://lekensteyn.nl/files/wireshark-ssl-tls-decryption-secrets-sharkfest18eu.pdf SharkFest’18 EU presentation by Peter Wu on TLS decryption (video for an earlier talk in Asia at https://youtu.be/bwJEBwgoeBg)
- https://lekensteyn.nl/files/wireshark-tls-debugging-sharkfest19us.pdf SharkFest’19 US presentation by Peter Wu describing TLS decryption and use of embedded decryption secrets (https://youtu.be/Ha4SLHceF6w).
- How does SSL/TLS work? – Information Security Stack Exchange
- Keyless SSL: The Nitty Gritty Technical Details with a good introduction in TLS
- PolarProxy from Netresec is a transparent SSL/TLS proxy created for incident responders and malware researchers that is primarily designed to intercept and decrypt TLS encrypted traffic from malware. PolarProxy decrypts and re-encrypts TLS traffic, while also saving the decrypted traffic in a PCAP file that can be loaded into Wireshark or an intrusion detection system (IDS).
After obtaining the key log file, open the corresponding app on the phone, and the API traffic shows up decrypted. Note that SSLKEYLOGFILE only receives the secrets of sessions negotiated by the process that writes it: a key log written by a desktop browser cannot contain the secrets of TLS sessions the phone app negotiates on its own, so to decrypt an app's own traffic the app's TLS library must itself write a key log (see the section on other applications above), or the traffic must be terminated by something that does, such as a decrypting proxy like PolarProxy.