Decrypting https traffic using WireShark

What is WireShark?

Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Capture network messages

  1. First of all we clean the arp cache and flush the dns cache using the following commands:  

a) arp -d *  

b) arp -a 

c) ipconfig /flushdns

Clear arp and dns cache.png

2. We will start WireShark and capture network messages in the network interface with a default gateway:

Capture traffic in the NIC with default gateway.png
Start WireShark.png

3. The browser is opened in InPrivate mode and we will visit the following url:

Certificate Authority of Gmail from IE 11.png
Public Key of CA.png

4. We will stop capturing  messages and save the capture in  a file.

Wire Shark Pcap.png

Decrypting the messages

  1. First of all an ARP request is sent from the our  machine to the router to determine the MAC address of router’s  network interface and an ARP reply is sent from the router. In the same manner, our machine resolves the DNS of with our router.
WireShark ARP and DNS resolution.png

2.  Next, our machine sends a [SYN] (Synchronisation) message to the google server at and the Google server responds with a [SYN, ACK] (Synchronisation, Acknowledgement) message followed by a  [ACK] (Acknowledgement) message from our machine.

WireShark SYN ACK messages.png

3.  After TCP connection is setup with SYN and ACK message exchanges, our machine/ browser (client) sends a http request to the google server using a GET method:

HTTP GET method from client.png
HTTP 302 Message from Google.png

4. TLS Handshake takes place with client hello, followed by server ACK, server hello and finally  client ACK.

TLS Handshake.png

5. Finally, Google server sends a certificate to the client (IE 11), followed by client’s ACK, client key exchange. Google server issues a new session ticket to the client. A secure HTTPS connection has now been established.

Certificate from Google.png

6. We can see the 270 bytes public key of the CA in the snapshot

CA publi key_270 bytes.png

Sr. SDET M Mehedi Zaman

Currently working as Sr. SDET at Robi Axiata Limited, a subsidiary of Axiata Group.

Leave a Reply

Your email address will not be published. Required fields are marked *