Wireshark can decrypt HTTPS and display the clear text (HTTP) to the user, but Wireshark does not support saving the clear text into a pcap file; the content in the pcap file is still encrypted even though I can see the decrypted info before saving. I'd like to know if there is a way to capture HTTPS traffic and save it into a pcap file in HTTP format. Is it possible to set up a web proxy which accepts SSL connections and forwards them over non-SSL, then use Wireshark to capture a pcap on the non-SSL side? Thanks in advance.
3
votes
Wireshark can decrypt SSL if it has access to the master secret. See this answer on the information security part of the website for how to configure Wireshark. I would advise saving both the SSL packets and the master secret; going through a decrypting proxy means tinkering with your capture (although, definitely, it is possible to set up such a proxy).
– grochmal
Thanks grochmal. The solution of saving the master secret is not suitable for my scenario. Could you please explain more about how to use a proxy to do this? I tried some proxy tools, like MITMProxy and Fiddler, but I don't know how to forward the decrypted traffic.
– Lester
1 Answer
1
votes