TLS Inspection

Most programs will use TLS to encrypt their HTTP requests to remote servers, so in Wireshark you'd be unable to view the actual data apart from some TLS metadata.

If the application supports dumping TLS secrets via SSLKEYLOGFILE, then you can instruct Wireshark to use this file to decrypt the TLS communication.

Specifying the keylogfile in Wireshark

Navigate to the TLS submenu via:

  • Edit -> Preferences -> Protocols -> TLS

Then, in the (Pre)-Master-Secret log filename field, put the path to the keylogfile, e.g. /tmp/sslkeylogfile.txt
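Before pointing Wireshark at the file, it is worth checking that the tool actually wrote usable secrets: an empty file, or a TLS 1.3 session with only handshake secrets logged, leaves the application data undecrypted. The following is an added example (not from this page or any of the tools it describes) that parses the NSS key log format these tools write and reports, per session, whether Wireshark has what it needs; the sample lines are constructed.

```python
import re
from collections import defaultdict

# NSS key log format, as written by Node, curl and Chromium:
#   TLS 1.2:  CLIENT_RANDOM <32-byte client random> <48-byte master secret>
#   TLS 1.3:  <LABEL> <32-byte client random> <traffic secret>, one line per
#             secret (CLIENT/SERVER_HANDSHAKE_TRAFFIC_SECRET, *_TRAFFIC_SECRET_0, ...)
# All values are hex; lines starting with '#' are comments.
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return {client_random: {label: secret_hex}}; blank and comment lines are skipped."""
    sessions = defaultdict(dict)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a key log entry: {line!r}")
        label, client_random, secret = m.groups()
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions)

def decryptable(labels):
    """Application data is decryptable with a TLS 1.2 master secret, or with
    both TLS 1.3 application traffic secrets. Handshake secrets alone only
    decrypt the encrypted handshake messages."""
    if "CLIENT_RANDOM" in labels:
        return True
    return {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= set(labels)

def report(text):
    """Map each session's client random to whether its application data is decryptable."""
    return {cr: decryptable(labels) for cr, labels in parse_keylog(text).items()}

# Constructed sample: a TLS 1.2 session, a complete TLS 1.3 session, and a TLS 1.3
# session where only a handshake secret was logged (e.g. the client died mid-handshake).
SAMPLE = """# constructed sample, not a real capture
CLIENT_RANDOM {a} {m}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {b} {s}
SERVER_HANDSHAKE_TRAFFIC_SECRET {b} {s}
CLIENT_TRAFFIC_SECRET_0 {b} {s}
SERVER_TRAFFIC_SECRET_0 {b} {s}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {c} {s}
""".format(a="11" * 32, b="22" * 32, c="33" * 32, m="aa" * 48, s="bb" * 32)

if __name__ == "__main__":
    for cr, ok in report(SAMPLE).items():
        print(cr[:8], "decryptable" if ok else "handshake secrets only")
```

Run it against a real file with `report(open("/tmp/sslkeylogfile.txt").read())`; a session reported as not decryptable is the usual reason Wireshark still shows "Application Data" after the keylog is configured.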

Inspecting Node.JS traffic

Node.JS supports dumping TLS secrets via the --tls-keylog parameter.

To set it as an environment variable, you can do:

export NODE_OPTIONS="--tls-keylog=/tmp/sslkeylogfile.txt"

If a node application then makes a TLS connection using the native TLS libraries in Node.JS, it will log the secrets to the specified file to be inspected via Wireshark.

cURL

cURL respects the SSLKEYLOGFILE environment variable.

So you can just set it to something like

export SSLKEYLOGFILE=/tmp/sslkeylogfile.txt

and then run cURL commands.

Inspecting Chromium

A good way to dump all TLS traffic from chromium, especially useful when trying to debug meta-requests (like DoH), or if there are devtools detectors, is the following:

chromium --ssl-key-log-file=/tmp/sslkeylogfile.txt --disable-http2 --disable-quic

Disabling HTTP/2 & QUIC can make the requests a bit more readable in Wireshark.

MiTMing Chromium

In some cases it can be useful to MiTM Chromium instead, to be able to change the req/res, especially to control some FE behavior (and when JS debugging is too tedious / unnecessary).

Launch mitmproxy (mitmweb, for the web interface used below), and then launch Chromium via:

chromium --proxy-server=http://127.0.0.1:8080 --ignore-certificate-errors

Now in the mitmweb interface we can intercept and modify requests & responses!