decrypted tcpdump capture without using an iRule and without using tshark
Last week I attended the Wireshark Foundation’s SharkFest in Warsaw. While there I raised a question with core developer Stig Bjørlykke that’s been bothering me for some time: why go through all the hassle of using tshark when the needed data is already present in the pcap? There must be a smarter way to do this from within Wireshark — and there is.
Although the solution described in https://my.f5.com/manage/s/article/K31793632 and Mohamed_Ahmed_Kansoh’s post are useful, and Jason Rahm’s script (https://github.com/f5-rahm/pcap_utils/blob/main/TLSv1_3_captures.py) is also helpful, I’m particularly pleased with the Lua-based approach Stig shared with me. I’m happy to pass it along.
The Lua script reads session keys from the capture and exports them to a Pre-Master Secret (PMS) log file, using the correct formatting — no tshark, sed, or other external tools required.
How to use it:
- Copy the Lua script into a file and place it in your Wireshark Personal Lua Plugins folder. (You can find that folder via Help → About Wireshark → Folders.)
- Open the capture you want to decrypt. Make sure it was captured as described in K31793632.
- Make sure the PMS file option is enabled and points to the desired file (Preferences → Protocols → TLS → Pre-Master Secret log filename).
- Under the Tools menu you will find the script's entry, F5 Keylog Export. Run it — it will display which PMS file is being used and how many keys it found.
- Click Export, then Close. That’s it — your capture should now be decrypted.
```lua
-- F5 Keylog Export Wireshark Plugin
set_plugin_info({version = "1.0", author = "Stig Bjørlykke <stig@bjorlykke.org>"})

-- Field carrying the TLS key log entries that tcpdump embeds in the F5 Ethernet trailer
local keylog_field = Field.new("f5ethtrailer.tls.keylog")
local keylog_list = ""
local keylog_count = 0

-- Write the collected entries to the key log file configured in the TLS preferences,
-- then redissect so the TLS dissector picks the keys up immediately.
local function export_keylog()
  local keylog_file = get_preference("tls.keylog_file")
  if keylog_file and keylog_file ~= "" then
    local fh, err = io.open(keylog_file, "w")
    if not fh then
      error("Cannot open keylog file " .. keylog_file .. ": " .. tostring(err))
    end
    fh:write(keylog_list)
    fh:close()
    redissect_packets()
  end
end

local function f5_keylog_export()
  local tw = TextWindow.new("F5 Keylog Export")
  local tap = Listener.new("f5ethtrailer")
  tw:add_button("Export", function() export_keylog() end)
  tw:set_atclose(function () tap:remove() end)

  -- Called for every packet that carries an F5 trailer; collect each keylog entry in it
  function tap.packet()
    for _, keylog in ipairs({keylog_field()}) do
      keylog_list = keylog_list .. keylog.value .. "\n"
      keylog_count = keylog_count + 1
    end
  end

  -- Called after a pass over the capture; show the target file and how many keys were found
  function tap.draw()
    local keylog_file = get_preference("tls.keylog_file")
    if keylog_file and keylog_file ~= "" then
      tw:set("TLS keylog file: " .. keylog_file .. "\n")
      tw:append("Press Export to write keys to file.\n\n")
      tw:append("Found " .. keylog_count .. " keylog entries.")
    else
      tw:set("No TLS keylog file specified in Preferences -> Protocols -> TLS\n\n")
    end
  end

  -- Called when the capture is reloaded; start collecting from scratch
  function tap.reset()
    keylog_list = ""
    keylog_count = 0
    tw:clear()
  end

  -- Run the tap over the capture that is already loaded
  retap_packets()
end

register_menu("F5 Keylog Export", f5_keylog_export, MENU_TOOLS_UNSORTED)
```
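The plugin writes whatever it finds in the trailer straight to the PMS file, so a quick way to confirm the export is usable (and to see how many sessions it covers) is to validate the file against the NSS key log format that Wireshark reads from the Pre-Master Secret log filename preference. The checker below is an added example, not code from the post or from Stig's plugin; it assumes the standard format of one `<LABEL> <ClientHello random, 32 bytes hex> <secret hex>` entry per line, covers both the TLS 1.2 `CLIENT_RANDOM` entries and the TLS 1.3 per-direction secrets (slightly more than the post discusses), and the sample lines are constructed, not real key material.

```python
import re
from collections import Counter

# Added example, not part of the F5 Keylog Export plugin: checks a key log file
# against the NSS Key Log Format Wireshark reads. Each entry is
# "<LABEL> <ClientHello random, 64 hex chars> <secret hex>".
HEX = re.compile(r"^[0-9a-fA-F]+$")

# CLIENT_RANDOM carries the 48-byte master secret of TLS 1.2 and earlier;
# the other labels are TLS 1.3 secrets whose length is the handshake hash
# length (32 bytes for SHA-256 suites, 48 for SHA-384 suites).
LABEL_RE = re.compile(
    r"^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|EARLY_EXPORTER_SECRET|"
    r"CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|"
    r"(?:CLIENT|SERVER)_TRAFFIC_SECRET_\d+|EXPORTER_SECRET)$"
)
TLS13_SECRET_LENS = {64, 96}  # hex chars


def check_line(line):
    """Return (entry, None) for a valid entry or (None, reason) for a bad one.
    entry is (label, client_random, secret) with the hex lower-cased."""
    parts = line.split()
    if len(parts) != 3:
        return None, "expected 3 space-separated fields, got %d" % len(parts)
    label, client_random, secret = parts
    if not LABEL_RE.match(label):
        return None, "unknown label %r" % label
    if not HEX.match(client_random) or len(client_random) != 64:
        return None, "client random must be 64 hex chars"
    if not HEX.match(secret):
        return None, "secret is not hex"
    allowed = {96} if label == "CLIENT_RANDOM" else TLS13_SECRET_LENS
    if len(secret) not in allowed:
        return None, "secret length %d not valid for %s" % (len(secret), label)
    return (label, client_random.lower(), secret.lower()), None


def parse_keylog(text):
    """Parse key log text. Returns (entries, problems): entries are the unique
    valid (label, client_random, secret) tuples in first-seen order; problems
    are (line_number, reason) for lines Wireshark could not use."""
    entries, seen, problems = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        entry, reason = check_line(line)
        if entry is None:
            problems.append((lineno, reason))
        elif entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries, problems


def label_counts(entries):
    """How many usable entries there are per label."""
    return Counter(label for label, _, _ in entries)


def sessions(entries):
    """Distinct TLS sessions, identified by their ClientHello random."""
    return {client_random for _, client_random, _ in entries}


def normalize_keylog(text):
    """The same log with duplicates dropped and hex lower-cased, one entry per line."""
    entries, _ = parse_keylog(text)
    return "".join("%s %s %s\n" % e for e in entries)


# Constructed sample (not real key material): one TLS 1.2 session whose entry
# appears twice, as happens when the same trailer key is seen on several
# packets, one TLS 1.3 session with its four secrets, and two broken lines.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real key material",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_RANDOM " + "11" * 32 + " " + "AA" * 48,  # duplicate of the line above
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "ff" * 20,  # secret too short
    "MASTER_SECRET " + "44" * 32 + " " + "ab" * 48,  # label Wireshark does not know
]) + "\n"

if __name__ == "__main__":
    entries, problems = parse_keylog(SAMPLE_KEYLOG)
    print("%d usable entries across %d sessions" % (len(entries), len(sessions(entries))))
    for label, n in sorted(label_counts(entries).items()):
        print("  %-32s %d" % (label, n))
    for lineno, reason in problems:
        print("line %d: %s" % (lineno, reason))
```

To check a real export, call `parse_keylog(open(path).read())` on the file named in the TLS preference; a non-empty `problems` list explains why a session stays encrypted after redissection, and `normalize_keylog` gives a compact copy without the repeated entries the trailer produces. The key log decrypts every session in the capture, so store and share it with the same care as the capture itself.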