Wireshark

  • Set the necessary capture filter to reduce the amount of data captured, as per the example below.


  • Set up a ring buffer as per the example below; the example uses 10 GB of space.


  • Disable auto update to reduce load; it's not necessary, as we are capturing to a file. Depending on how quickly the capture fills up the files, you might want to stop the capture automatically instead of overwriting, e.g. Stop Capture after 200 files.
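
The same three settings can be expressed as a dumpcap command line, which is what you want on a server where the Wireshark GUI is not available. The following is an added example, not part of the original notes: it sizes a ring buffer for a 10 GB budget (GB taken as 10^9 bytes, matching dumpcap's kB unit for -b filesize:) and builds the dumpcap arguments for a capture filter, the ring buffer and an optional "stop after N files" autostop. The interface name, capture filter and output path are placeholders. Because dumpcap writes straight to disk and never updates a packet list, the "disable auto update" step has no CLI counterpart.

```python
"""Plan a dumpcap ring buffer for a fixed disk budget and build the command
line equivalent to the Wireshark GUI capture settings: capture filter, ring
buffer of a given total size, optional autostop after N files.

Added example, not part of the original notes. Interface, filter and output
path are placeholders."""
import shlex

KB = 1000  # dumpcap documents -b filesize: in kB (1000 bytes); GB here is 10**9


def ring_buffer_plan(budget_bytes, file_bytes):
    """Return (number_of_files, file_size_kb) so that the ring buffer never
    holds more than budget_bytes on disk at once."""
    if file_bytes <= 0 or budget_bytes < file_bytes:
        raise ValueError("file size must be positive and no larger than the budget")
    return budget_bytes // file_bytes, file_bytes // KB


def dumpcap_args(iface, capture_filter, outfile, budget_bytes, file_bytes,
                 stop_after_files=None):
    """Build the dumpcap argv: -f applies the capture filter at capture time,
    -b filesize:/files: configure the ring buffer, and -a files: stops the
    capture after that many files have been written instead of rotating forever."""
    files, kb = ring_buffer_plan(budget_bytes, file_bytes)
    args = ["dumpcap", "-i", iface, "-f", capture_filter, "-w", outfile,
            "-b", f"filesize:{kb}", "-b", f"files:{files}"]
    if stop_after_files is not None:
        args += ["-a", f"files:{stop_after_files}"]
    return args


def dumpcap_command(*a, **kw):
    """Same as dumpcap_args, but as a shell-quoted string ready to paste."""
    return shlex.join(dumpcap_args(*a, **kw))


if __name__ == "__main__":
    # 10 GB budget in 100 MB files -> 100-file ring buffer; stop after 200 files.
    print(dumpcap_command("eth0", "host 192.0.2.10 and tcp port 443",
                          "/var/tmp/capture.pcapng",
                          budget_bytes=10 * 10**9, file_bytes=100 * 10**6,
                          stop_after_files=200))
```

With both -b files: and -a files: set, dumpcap keeps at most the ring-buffer count of files on disk but still ends the capture once the autostop count has been written, which is the "stop instead of overwriting" behaviour the note above describes.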


Finesse Capture

admin:file list activelog /platform/cli/*
FINESSEpcap.cap00                       FINESSEpcap.cap01
FINESSEpcap.cap02                       FINESSEpcap.cap03
FINESSEpcap.cap04                       FINESSEpcap.cap05
FINESSEpcap.cap06                       FINESSEpcap.cap07
GOR.cap                                 GOR1.cap
GOR_1.cap                               tony.cap
dir count = 0, file count = 12
admin:file get activelog /platform/cli/FINESSEpcap.cap*
Please wait while the system is gathering files info ...
 Get file: /var/log/active/platform/cli/FINESSEpcap.cap00

 Get file: /var/log/active/platform/cli/FINESSEpcap.cap01

 Get file: /var/log/active/platform/cli/FINESSEpcap.cap02

 Get file: /var/log/active/platform/cli/FINESSEpcap.cap03

 Get file: /var/log/active/platform/cli/FINESSEpcap.cap04

 Get file: /var/log/active/platform/cli/FINESSEpcap.cap05

 Get file: /var/log/active/platform/cli/FINESSEpcap.cap06

 Get file: /var/log/active/platform/cli/FINESSEpcap.cap07
done.
Sub-directories were not traversed.
Number of files affected: 8
Total size in Bytes: 308883571
Total size in Kbytes: 301644.12
Would you like to proceed [y/n]?

https://wiki.wireshark.org/TLS

  • Set the system environment variable SSLKEYLOGFILE, e.g. SSLKEYLOGFILE=C:\X-Support\SSL\SSLKeyLog.log
  • Set the (Pre)-Master-Secret log filename in Wireshark\Preferences\Protocols\SSL (the protocol is named TLS since Wireshark 3.0), as per below
  • Use Chrome or Firefox
  • Run your Wireshark trace!

For Java / Tomcat

Since Wireshark 3.0 you can embed the TLS key log file in a pcapng file. This makes it much easier to distribute capture files with decryption secrets, and makes switching between capture files easier since the TLS protocol preference does not have to be updated. To add the contents of key log file keys.txt to capture file in.pcap and write the result to out-dsb.pcapng:

editcap --inject-secrets tls,keys.txt in.pcap out-dsb.pcapng
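A pcapng with embedded secrets lets anyone who obtains the file decrypt those sessions, so before running editcap --inject-secrets it is worth checking that the key log written via SSLKEYLOGFILE (the setup above) is well-formed and trimming it to the sessions the recipient actually needs. The following is an added example, not part of the original notes or of Wireshark: it parses the NSS key log format, reports lines Wireshark would skip, works out which sessions are fully decryptable, and renders a reduced key log for a chosen set of client randoms. SAMPLE is a constructed key log whose hex values are fillers, not real secrets.

```python
"""Validate and summarise an SSLKEYLOGFILE (NSS key log format) before
injecting it into a pcapng with editcap --inject-secrets, and cut it down to
the sessions a recipient actually needs.

Added example, not part of the original notes or of Wireshark. SAMPLE below
is a constructed key log: the hex values are fillers, not real secrets."""
import re
from collections import defaultdict

# Key log labels Wireshark's TLS dissector reads, mapped to the expected hex
# length of the second column. For every label but RSA that column is the
# 32-byte ClientRandom; RSA lines carry the first 8 bytes of the encrypted
# pre-master secret instead.
KNOWN_LABELS = {
    "RSA": 16,
    "CLIENT_RANDOM": 64,
    "CLIENT_EARLY_TRAFFIC_SECRET": 64,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": 64,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": 64,
    "CLIENT_TRAFFIC_SECRET_0": 64,
    "SERVER_TRAFFIC_SECRET_0": 64,
    "EARLY_EXPORTER_SECRET": 64,
    "EXPORTER_SECRET": 64,
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Return (entries, problems): entries as (label, client_random, secret)
    tuples, problems as (line_no, reason) for lines Wireshark would skip."""
    entries, problems = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed in the format
        parts = line.split()
        if len(parts) != 3:
            problems.append((no, "expected 3 whitespace-separated fields"))
            continue
        label, rnd, secret = parts
        want = KNOWN_LABELS.get(label)
        if want is None:
            problems.append((no, f"unknown label {label}"))
        elif len(rnd) != want or not HEX.match(rnd):
            problems.append((no, f"{label}: second field must be {want} hex chars"))
        elif not HEX.match(secret) or len(secret) % 2:
            problems.append((no, f"{label}: secret is not even-length hex"))
        else:
            entries.append((label, rnd.lower(), secret.lower()))
    return entries, problems


def sessions(entries):
    """Group entries by client random: {client_random: {label: secret}}."""
    by_rnd = defaultdict(dict)
    for label, rnd, secret in entries:
        by_rnd[rnd][label] = secret
    return dict(by_rnd)


def decryptable(session):
    """Whether application data can be decrypted: TLS 1.2 and earlier need the
    CLIENT_RANDOM master secret, TLS 1.3 needs both *_TRAFFIC_SECRET_0 lines."""
    return "CLIENT_RANDOM" in session or (
        "CLIENT_TRAFFIC_SECRET_0" in session
        and "SERVER_TRAFFIC_SECRET_0" in session
    )


def select_sessions(entries, wanted_randoms):
    """Render a key log containing only the given client randoms, so the
    secrets embedded in a shared pcapng cover just those sessions."""
    keep = {r.lower() for r in wanted_randoms}
    return "".join(f"{l} {r} {s}\n" for l, r, s in entries if r in keep)


# Constructed sample: one TLS 1.2 session (R1), one complete TLS 1.3 session
# (R2), one TLS 1.3 session missing its server secret (R3), and two bad lines.
R1, R2, R3 = "11" * 32, "22" * 32, "33" * 32
SAMPLE = f"""# SSL/TLS secrets log file, generated by NSS
CLIENT_RANDOM {R1} {'aa' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {R2} {'bb' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {R2} {'cc' * 32}
CLIENT_TRAFFIC_SECRET_0 {R2} {'dd' * 32}
SERVER_TRAFFIC_SECRET_0 {R2} {'ee' * 32}
EXPORTER_SECRET {R2} {'ff' * 32}
CLIENT_TRAFFIC_SECRET_0 {R3} {'12' * 32}
CLIENT_RANDOM {R1[:60]} {'aa' * 48}
MASTER_SECRET {R1} {'aa' * 48}
"""


def report(text=SAMPLE):
    """Counts a practitioner wants to see before running editcap --inject-secrets."""
    entries, problems = parse_keylog(text)
    sess = sessions(entries)
    return {
        "entries": len(entries),
        "problems": len(problems),
        "sessions": len(sess),
        "decryptable": sum(decryptable(s) for s in sess.values()),
    }


if __name__ == "__main__":
    print(report())
    for no, reason in parse_keylog(SAMPLE)[1]:
        print(f"line {no}: {reason}")
    print(select_sessions(parse_keylog(SAMPLE)[0], [R1]), end="")
```

Write the output of select_sessions to a fresh keys.txt and inject that instead of the full log; the resulting out-dsb.pcapng, like the key log itself, should be handled with the same care as the private keys it effectively replaces.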
  • tech-notes/wireshark.txt
  • Last modified: 2022/03/03 12:35
  • by gerardorourke