{
	"id": "e51e68b2-ccf2-46bf-9ce1-422cc4ada677",
	"created_at": "2026-04-06T00:08:08.918777Z",
	"updated_at": "2026-04-10T03:20:41.823835Z",
	"deleted_at": null,
	"sha1_hash": "ffbe7c735f6dadad0500c6a520cd4c30c6184df6",
	"title": "Wireshark Tutorial: Decrypting HTTPS Traffic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 14940686,
	"plain_text": "Wireshark Tutorial: Decrypting HTTPS Traffic\r\nBy Brad Duncan\r\nPublished: 2020-08-21 · Archived: 2026-04-05 21:16:03 UTC\r\nExecutive Summary\r\nThis tutorial is designed for security professionals who investigate suspicious network activity and review packet\r\ncaptures (pcaps) of the traffic. The instructions assume you are familiar with Wireshark, and they focus on\r\nWireshark version 3.x.\r\nWhen reviewing suspicious network activity, we often run across encrypted traffic. Why? Because most websites\r\nuse the Hypertext Transfer Protocol Secure (HTTPS) protocol. But like most websites, various types of malware\r\nalso use HTTPS. When reviewing pcaps from malware activity, it’s very helpful to know what’s contained within\r\npost-infection traffic.\r\nThis Wireshark tutorial describes how to decrypt HTTPS traffic from a pcap in Wireshark. Decryption is possible\r\nwith a text-based log containing encryption key data captured when the pcap was originally recorded. With this\r\nkey log file, we can decrypt HTTPS activity in a pcap and review its contents.\r\nToday, we will examine HTTPS activity from a Dridex malware infection.\r\nNote: Our instructions assume you have customized your Wireshark column display as previously described in\r\n“Customizing Wireshark – Changing Your Column Display.”\r\nHere is a GitHub repository with a ZIP archive containing the pcap and a key log file used for this tutorial.\r\nWarning: The pcap used for this tutorial contains Windows-based malware. There is a risk of infection if using a\r\nWindows computer. We recommend you review this pcap in a non-Windows environment like BSD, Linux or\r\nmacOS if at all possible.\r\nThe Context Behind Encrypted Traffic\r\nIn the mid- to late-1990s, the most common protocol used by websites was Hypertext Transfer Protocol (HTTP),\r\nwhich generated unencrypted web traffic. 
However, as security became an increasing concern, websites started\r\nswitching to HTTPS, and now we rarely see HTTP traffic from web browsing.\r\nHTTPS is essentially an encrypted communications tunnel containing HTTP traffic. These tunnels first used\r\nSecure Sockets Layer (SSL) as an encryption protocol. Today most HTTPS traffic uses Transport Layer Security\r\n(TLS).\r\nHTTPS Web Traffic\r\nhttps://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/\r\nPage 1 of 11\n\nHTTPS traffic often reveals a domain name. For example, when viewing https://www.wireshark.org in a web\r\nbrowser, a pcap would show www.wireshark.org as the server name for this traffic when viewed in a customized\r\nWireshark column display. Unfortunately, we don’t know other details like the actual URL or data returned from\r\nthe server. Following the Transmission Control Protocol (TCP) stream from a pcap will not reveal the content of\r\nthis traffic because it is encrypted.\r\nFigure 1. HTTPS traffic to www.wireshark.org.\r\nFigure 2. TCP stream of HTTPS traffic to and from server at www.wireshark.org.\r\nEncryption Key Log File\r\nAn encryption key log is a text file. An example is shown in Figure 3.\r\nFigure 3. The key log file used in this tutorial.\r\nThese logs are created using a Man in the Middle (MitM) technique when the pcap is originally recorded. If no\r\nsuch file was created when the pcap was recorded, you cannot decrypt HTTPS traffic in that pcap.\r\nExample of a Pcap With a Key Log File\r\nA password-protected ZIP archive containing the pcap and its key log file is available at this GitHub repository. Go\r\nto the GitHub page, click on the ZIP archive entry, then download it as shown in Figures 4 and 5. 
Of note, the pcap\r\ncontained in this ZIP archive provides access to a Windows-based malware sample when decrypted with the key\r\nlog. As always, we recommend you exercise caution and follow steps from this tutorial in a non-Windows\r\nenvironment.\r\nFigure 4. GitHub repository with link to ZIP archive used for this tutorial.\r\nFigure 5. Downloading the ZIP archive for this tutorial.\r\nUse infected as the password to extract the pcap and key log file from the ZIP archive. This will provide two files\r\nas shown in Figure 6:\r\nWireshark-tutorial-KeysLogFile.txt\r\nWireshark-tutorial-on-decrypting-HTTPS-SSL-TLS-traffic.pcap\r\nFigure 6. Key log file and pcap for this tutorial.\r\nHTTPS Traffic Without the Key Log File\r\nOpen Wireshark-tutorial-on-decrypting-HTTPS-SSL-TLS-traffic.pcap in Wireshark. Use a basic web filter as\r\ndescribed in this previous tutorial about Wireshark filters. Our basic filter for Wireshark 3.x is:\r\n(http.request or tls.handshake.type eq 1) and !(ssdp)\r\nThis pcap is from a Dridex malware infection on a Windows 10 host. All web traffic, including the infection\r\nactivity, is HTTPS. Without the key log file, we cannot see any details of the traffic, just the IP addresses, TCP\r\nports and domain names, as shown in Figure 7.\r\nFigure 7. Viewing the pcap in Wireshark using the basic web filter without any decryption.\r\nLoading the Key Log File\r\nOpen Wireshark-tutorial-on-decrypting-HTTPS-SSL-TLS-traffic.pcap in Wireshark. Then use the menu path\r\nEdit --\u003e Preferences to bring up the Preferences Menu, as shown in Figure 8.\r\nFigure 8. 
Getting to the Preferences Menu in Wireshark.\r\nOn the left side of the Preferences Menu, click on Protocols, as shown in Figure 9.\r\nFigure 9. Selecting Protocols in the Preferences Menu.\r\nIf you are using Wireshark version 2.x, scroll down until you find SSL and select it. If you are using Wireshark\r\nversion 3.x, scroll down to TLS and select it. Once you have selected SSL or TLS, you should see a line for (Pre)-Master-Secret log filename. Click on the “Browse” button and select our key log file named Wireshark-tutorial-KeysLogFile.txt, as shown in Figures 10, 11 and 12.\r\nFigure 10. Finding the (Pre)-Master-Secret log filename field under TLS in Wireshark 3.x.\r\nFigure 11. Selecting our key log file for this tutorial.\r\nFigure 12. Once the file has been selected as the (Pre)-Master-Secret log filename, click “OK.”\r\nHTTPS Traffic With the Key Log File\r\nOnce you have clicked “OK,” when using the basic filter, your Wireshark column display will list the decrypted\r\nHTTP requests under each of the HTTPS lines, as shown in Figure 13.\r\nFigure 13. HTTPS decryption in Wireshark after using the key log file.\r\nIn this pcap, we now see HTTP requests to microsoft.com and skype.com domains previously hidden in the\r\nHTTPS traffic. We also find the following traffic caused by the Dridex infection:\r\nfoodsgoodforliver[.]com - GET /invest_20.dll\r\n105711[.]com - POST /docs.php\r\nThe GET request to foodsgoodforliver[.]com returned a DLL file for Dridex. The POST requests to 105711[.]com\r\nare command and control (C2) traffic from the Dridex-infected Windows host.\r\nWe can review the traffic by following HTTP streams. Right-click on the line to select it, then left-click to bring\r\nup a menu to follow the HTTP stream. 
Figures 14 and 15 show following the HTTP stream for the HTTP GET\r\nrequest to foodsgoodforliver[.]com.\r\nFigure 14. Following HTTP stream for the GET request to foodsgoodforliver[.]com.\r\nFigure 15. HTTP stream indicates an EXE or DLL returned from the server.\r\nSince we have the key log file for this traffic, we can now export this malware from the pcap. Use the menu path\r\nFile --\u003e Export Objects --\u003e HTTP to export this file from the pcap, as shown in Figure 16.\r\nFigure 16. Exporting the malware binary returned from foodsgoodforliver[.]com.\r\nIf you are in a BSD, Linux or macOS environment, open a terminal window and use the file command to confirm this is a DLL file. Then use shasum -a 256 to get the SHA256 hash of the file, as shown in Figure 17.\r\nFigure 17. Getting the SHA256 hash of this malware in a Linux environment.\r\nThe SHA256 hash of this malware is:\r\n31cf42b2a7c5c558f44cfc67684cc344c17d4946d3a1e0b2cecb8eb58173cb2f\r\nIf you search for this hash online, you should find results from at least two publicly available online sandbox\r\nenvironments.\r\nFinally, we can review C2 traffic from this Dridex infection. Use your basic web filter, then follow an HTTP\r\nstream from one of the POST requests to 105711[.]com. An example from one of the HTTP streams is shown in\r\nFigure 18.\r\nFigure 18. HTTP stream from one of the Dridex C2 POST requests.\r\nSource: https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/"
	],
	"report_names": [
		"wireshark-tutorial-decrypting-https-traffic"
	],
	"threat_actors": [],
	"ts_created_at": 1775434088,
	"ts_updated_at": 1775791241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ffbe7c735f6dadad0500c6a520cd4c30c6184df6.pdf",
		"text": "https://archive.orkl.eu/ffbe7c735f6dadad0500c6a520cd4c30c6184df6.txt",
		"img": "https://archive.orkl.eu/ffbe7c735f6dadad0500c6a520cd4c30c6184df6.jpg"
	}
}