Decrypting TLS (HTTPS) traffic with Wireshark and saving the plaintext
Packets sent over SSL/TLS are encrypted after the handshake, so their content cannot be read even when captured with Wireshark. This article shows how to decrypt captured TLS packets to plaintext using the client's key log file.
Version info
Windows OS    | Microsoft Windows 7 |
Wireshark     | 3.4.9 (v3.4.9-0-g365e236f5efe) |
VLC           | v3.0.8 |
Google Chrome | Version 95.0.4638.54 (Official Build) (64-bit) |
Decrypt Steps
Run Wireshark to capture
Before decryption, the Protocol column shows TLS v<TLS version> (TLS v1.2 in the screenshot) and the Info column shows Application Data. These packets appear after the Certificate and Server/Client Key Exchange messages, and their payload is encrypted.
Add env variables
Add an environment variable named SSLKEYLOGFILE whose value is the path of a new, not yet existing file. Then restart the browser, or any other HTTPS client you want to decrypt (VLC Player, etc.), so that the client starts with the variable set.
Once the client starts a stream, the file is created and filled with content similar to the following.
Add SSLKEYLOGFILE to Wireshark
Edit -> Preferences -> Protocols -> TLS
Set (Pre)-Master-Secret log filename to the path of the SSLKEYLOGFILE file.
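The file written by the SSLKEYLOGFILE step above is exactly what Wireshark reads through the (Pre)-Master-Secret log filename preference, so it is worth checking its contents before pointing Wireshark at it. The following Python script is an added example, not part of the original article: it parses the NSS key log format (one `LABEL <client random hex> <secret hex>` line per secret), reports lines Wireshark cannot use, and counts how many TLS 1.2 and TLS 1.3 sessions the file can decrypt. The sample contents, the file path and the helper names are assumptions made for this illustration.

```python
"""Sanity-check an SSLKEYLOGFILE (NSS key log format) before pointing Wireshark at it.

Added example; not part of the original article. The file path, the sample
contents and the helper names are assumptions made for this illustration.
"""
import re
import sys
from collections import Counter

# Labels written by NSS/BoringSSL/OpenSSL-based clients such as Chrome and curl.
# CLIENT_RANDOM carries the TLS 1.2 (and older) master secret; the rest are TLS 1.3 secrets.
KNOWN_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
    "EARLY_EXPORTER_SECRET",
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Parse key log text.

    Returns (entries, problems): entries is a list of (label, client_random, secret)
    tuples for well-formed lines; problems is a list of (line_number, reason) for
    lines Wireshark will not be able to use.
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are permitted by the format
        parts = line.split()
        if len(parts) != 3:
            problems.append((lineno, "expected 3 whitespace-separated fields"))
            continue
        label, client_random, secret = parts
        if label not in KNOWN_LABELS:
            problems.append((lineno, f"unknown label {label}"))
            continue
        # The client random is the 32-byte Random field of the ClientHello, hex encoded;
        # Wireshark uses it to match a log entry to a captured session.
        if len(client_random) != 64 or not HEX.match(client_random):
            problems.append((lineno, "client random must be 32 bytes of hex"))
            continue
        if not HEX.match(secret) or len(secret) % 2:
            problems.append((lineno, "secret is not an even-length hex string"))
            continue
        # A TLS 1.2 master secret is always 48 bytes; TLS 1.3 secrets vary with the hash.
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            problems.append((lineno, "TLS 1.2 master secret must be 48 bytes"))
            continue
        entries.append((label, client_random.lower(), secret.lower()))
    return entries, problems


def summarize(entries):
    """Count decryptable sessions per TLS generation, keyed by client random."""
    tls12 = {cr for label, cr, _ in entries if label == "CLIENT_RANDOM"}
    tls13 = {cr for label, cr, _ in entries if label != "CLIENT_RANDOM"}
    return {
        "tls12_sessions": len(tls12),
        "tls13_sessions": len(tls13),
        "labels": Counter(label for label, _, _ in entries),
    }


# Constructed sample; the hex values are placeholders, not real key material.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample key log",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "55" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "66" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "77" * 32,
    "CLIENT_RANDOM " + "88" * 16 + " " + "99" * 48,          # truncated client random
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48 + " x",  # stray fourth field
])


def check_file(path):
    """Read a key log from disk and return its (entries, problems)."""
    with open(path, encoding="ascii") as fh:
        return parse_keylog(fh.read())


if __name__ == "__main__":
    # Usage: python keylog_check.py [path\to\sslkeys.log]; without an argument the sample is used.
    if len(sys.argv) > 1:
        entries, problems = check_file(sys.argv[1])
    else:
        entries, problems = parse_keylog(SAMPLE_KEYLOG)
    print(summarize(entries))
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
```

Run against the sample, the script reports one TLS 1.2 session and one TLS 1.3 session and flags the two malformed lines. The same file can also be handed to the command-line tool with `tshark -o tls.keylog_file:<path>`, which sets the preference described in this step without opening the GUI.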
Decrypted TCP
After completing the previous step, start capturing again. In the packets following Change Cipher Spec / Finished (the end of the TLS handshake), the Info column shows [TLS segment of a reassembled PDU]; this is the encrypted TCP payload. Opening such a packet now shows a Decrypted TLS tab containing the decrypted plaintext. Only sessions whose handshake was captured after the key log file was in place can be decrypted, because Wireshark matches each session's client random against the entries in that file.
Save printable text file
Save in Wireshark
File -> Export Packet Dissections -> As Plain Text...
In the export dialog, select the packet range and the packet format options:
View the saved decrypted content
The exported file lists the packet number and the dissected protocol details for each packet, including the decrypted content.
Reference
https://www.youtube.com/watch?v=5qecyZHL-GU&ab_channel=ChrisGreer