decrypt with tcpdump --f5 ssl
Decrypted tcpdump capture without using an iRule and without using tshark
Last week I attended the Wireshark Foundation's SharkFest in Warsaw. While there I raised a question with core developer Stig Bjørlykke that has been bothering me for some time: why go through all the hassle of using tshark when the needed data is already present in the pcap? There must be a smarter way to do this from within Wireshark, and there is. The solution described in https://my.f5.com/manage/s/article/K31793632 and Mohamed_Ahmed_Kansoh's post are useful, and Jason Rahm's script (https://github.com/f5-rahm/pcap_utils/blob/main/TLSv1_3_captures.py) is also helpful, but I am particularly pleased with the Lua-based approach Stig shared with me, and I am happy to pass it along.

The Lua script reads the session keys that tcpdump --f5 ssl stores in the F5 Ethernet trailer of the captured packets and exports them to a Pre-Master Secret (PMS) log file in the format Wireshark expects. No tshark, sed, or other external tools are required.

How to use it:

1. Copy the Lua script into a file and place it in your Wireshark Personal Lua Plugins folder. (You can find that folder via Help → About Wireshark → Folders.)
2. Open the capture you want to decrypt. Make sure it was taken with tcpdump --f5 ssl as described in K31793632; otherwise there are no keys in the trailer for the script to find.
3. Make sure the PMS file option is enabled and points to the desired file (Preferences → Protocols → TLS → Pre-Master Secret log filename).
4. Under the Tools menu you will find the Lua script (F5 Keylog Export). Run it; it displays which PMS file is being used and how many keys it found.
5. Click Export, then Close.

That's it; your capture should now be decrypted.

Two things worth keeping in mind: Export overwrites the PMS file rather than appending to it, so point it at a dedicated file if you already keep keys in one. And both the capture (which carries the session keys in its trailer) and the exported PMS file let anyone who obtains them decrypt the traffic, so treat both as secrets.
```lua
-- F5 Keylog Export Wireshark Plugin
-- Collects the key log entries that tcpdump --f5 ssl places in the F5
-- Ethernet trailer and writes them to the TLS key log file configured in
-- Wireshark's TLS preferences, then redissects so the capture decrypts.
set_plugin_info({version = "1.0", author = "Stig Bjørlykke <stig@bjorlykke.org>"})

-- Field carrying one key log line (e.g. CLIENT_RANDOM ...) per packet
local keylog_field = Field.new("f5ethtrailer.tls.keylog")
local keylog_list = ""
local keylog_count = 0

-- Write the collected entries to the configured key log file (overwrites it)
local function export_keylog()
  local keylog_file = get_preference("tls.keylog_file")
  if keylog_file and keylog_file ~= "" then
    local f = io.open(keylog_file, "w")
    if f then
      f:write(keylog_list)
      f:close()
      -- Make the TLS dissector pick up the new keys immediately
      redissect_packets()
    end
  end
end

local function f5_keylog_export()
  local tw = TextWindow.new("F5 Keylog Export")
  -- Tap every packet that has an F5 Ethernet trailer
  local tap = Listener.new("f5ethtrailer")

  tw:add_button("Export", function() export_keylog() end)
  tw:set_atclose(function () tap:remove() end)

  -- Called once per tapped packet; a packet may carry several entries
  function tap.packet()
    for _, keylog in ipairs({keylog_field()}) do
      keylog_list = keylog_list .. keylog.value .. "\n"
      keylog_count = keylog_count + 1
    end
  end

  -- Called after the retap to refresh the window contents
  function tap.draw()
    local keylog_file = get_preference("tls.keylog_file")
    if keylog_file and keylog_file ~= "" then
      tw:set("TLS keylog file: " .. keylog_file .. "\n")
      tw:append("Press Export to write keys to file.\n\n")
      tw:append("Found " .. keylog_count .. " keylog entries.")
    else
      tw:set("No TLS keylog file specified in Preferences -> Protocols -> TLS\n\n")
    end
  end

  function tap.reset()
    keylog_list = ""
    keylog_count = 0
    tw:clear()
  end

  -- Run the tap over the whole loaded capture
  retap_packets()
end

register_menu("F5 Keylog Export", f5_keylog_export, MENU_TOOLS_UNSORTED)
```
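Once Export has written the PMS file, it is worth checking its contents before relying on it, particularly when a capture still does not decrypt. The following Python script is an added example and is not part of the original post or of Stig's plugin. It validates a key log against the NSS key log format that Wireshark reads (label, a hex key field, a hex secret; 48-byte secrets for RSA and CLIENT_RANDOM, hash-length secrets of 32 or 48 bytes for the TLS 1.3 labels), counts entries per label, flags repeated lines (the plugin appends one line per trailer entry it sees, so the same entry may occur more than once), and reports TLS 1.3 sessions whose handshake secrets are present but whose application traffic secrets are not, which is the case where the handshake decrypts but the application data does not. The sample key log at the bottom is constructed from dummy hex values, not real keys.

```python
"""Sanity-check a Wireshark/NSS key log file before pointing the TLS
preference "Pre-Master Secret log filename" at it.

Added example; constructed sample data, not keys from a real capture.
"""
import re
from collections import Counter, defaultdict

# Expected secret length in bytes per NSS key log label; None means the
# TLS 1.3 hash length (32 for SHA-256 suites, 48 for SHA-384 suites).
LABELS = {
    "RSA": 48,
    "CLIENT_RANDOM": 48,
    "CLIENT_EARLY_TRAFFIC_SECRET": None,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": None,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": None,
    "CLIENT_TRAFFIC_SECRET_0": None,
    "SERVER_TRAFFIC_SECRET_0": None,
    "EARLY_EXPORTER_SECRET": None,
    "EXPORTER_SECRET": None,
}
# Without all four of these, Wireshark can decrypt the TLS 1.3 handshake
# but not the application data of that session.
TLS13_REQUIRED = (
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
)
HEX = re.compile(r"^[0-9a-fA-F]+$")


def check_line(line):
    """Return (label, key) for a valid entry, or raise ValueError."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError("expected 3 space-separated fields")
    label, key, secret = parts
    if label not in LABELS:
        raise ValueError(f"unknown label {label}")
    # RSA entries are keyed by the first 8 bytes of the encrypted premaster;
    # every other label is keyed by the 32-byte ClientHello random.
    want_key = 16 if label == "RSA" else 64
    if not HEX.match(key) or len(key) != want_key:
        raise ValueError(f"key field must be {want_key} hex chars")
    if not HEX.match(secret) or len(secret) % 2:
        raise ValueError("secret must be an even-length hex string")
    want_secret = LABELS[label]
    if want_secret is None:
        if len(secret) // 2 not in (32, 48):
            raise ValueError("TLS 1.3 secret must be 32 or 48 bytes")
    elif len(secret) // 2 != want_secret:
        raise ValueError(f"secret must be {want_secret} bytes")
    return label, key.lower()


def check_keylog(text):
    """Validate a whole key log and return a report dict with per-label
    counts, (lineno, message) errors, the number of duplicate lines, and
    the client randoms whose TLS 1.3 key set is incomplete."""
    counts, errors, seen, duplicates = Counter(), [], set(), 0
    per_random = defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in seen:          # exact repeat of an earlier entry
            duplicates += 1
            continue
        seen.add(line)
        try:
            label, key = check_line(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        counts[label] += 1
        per_random[key].add(label)
    incomplete = sorted(
        r for r, labels in per_random.items()
        if labels & set(TLS13_REQUIRED) and not labels >= set(TLS13_REQUIRED)
    )
    return {"counts": counts, "errors": errors,
            "duplicates": duplicates, "incomplete_tls13": incomplete}


# Constructed sample (dummy hex, not real keys): one complete TLS 1.3
# session, one TLS 1.3 session missing its application traffic secrets,
# one TLS 1.2 session written twice, and one line with a short secret.
R1, R2, R3, S32 = "11" * 32, "22" * 32, "33" * 32, "aa" * 32
SAMPLE_KEYLOG = "\n".join([
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R1} {S32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R1} {S32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R1} {S32}",
    f"SERVER_TRAFFIC_SECRET_0 {R1} {S32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R2} {S32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R2} {S32}",
    f"CLIENT_RANDOM {R3} {'bb' * 48}",
    f"CLIENT_RANDOM {R3} {'bb' * 48}",
    f"CLIENT_RANDOM {R3} {'bb' * 47}",
])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEYLOG
    report = check_keylog(text)
    for label, n in sorted(report["counts"].items()):
        print(f"{n:5} {label}")
    print(f"{report['duplicates']} duplicate line(s)")
    for lineno, msg in report["errors"]:
        print(f"line {lineno}: {msg}")
    for r in report["incomplete_tls13"]:
        print(f"incomplete TLS 1.3 key set for client random {r}")
```

Run it as `python check_keylog.py /path/to/pms.log`; without an argument it checks the embedded sample. A session listed as incomplete is the one to look at when Wireshark shows the handshake in clear but the HTTP inside stays "Application Data".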