Decrypt Data


Tshark Decryption for Kerberos, TLS, and 802.11
2 min |  Ross Jacobs |  April 4, 2019

Table of Contents

Quicklinks: Wireshark Decrypt: 802.11 | TLS | ESP | WireGuard | Kerberos
Articles Decrypt: SNMP

There are many protocols that can be decrypted in Wireshark:


Kerberos is a network authentication protocol that can be decrypted with Wireshark. Use this guide to generate a keytab file. To use this keytab file for decryption:

tshark -r /path/to/file -K /path/to/keytab


TLS decryption, for the most part, is setting the $SSLKEYLOGFILE to the destination file of your choice and hoping that your application reads this environmental variable.

To my knowledge, these applications support it:


If your application supports the $SSLKEYLOGFILE variable, please create an issue.

TLS 1.2 Decryption

TLS 1.2 decryption has been with Wireshark since October 2017 with v2.4.2. Multiple articles exist that document this feature. This guide features a larger article on Exporting files with TLS.

TLS 1.3 Decryption

TLS 1.3 is the next iteration after industry standard 1.2, with 1.3 adopted by most browsers at this point. TLS decryption is currently broken (bug 15537) when certificate message spans multiple records. In my testing, some javascript files (and other small files) get decrypted, but no html or css files.

WPA2 Decryption

This section is possible due to the amazing content at, by Rasika Nayanajith. If you want to get better with 802.11, start your journey here.

1. Get your capture

# Get a sample.pcap
curl $pcap_url | tar -xzv

2. Decrypt

Set the values of vars to whatever they are in your case.


tshark -r $infile -w $outfile \
       -o wlan.enable_decryption:TRUE \
       -o "uat:80211_keys:\"wpa-pwd\",\"${psk}:${ssid}\""

We can now send the result to a colleague who will not need to know the SSID/PSK.

3. Analyze

Let’s pretend we care about TCP resets in the decrypted traffic. We can check for it with tcp.connection.rst with output that should look something like:

bash-5.0$ tshark -r decrypted.pcap -Y "tcp.connection.rst"
  487  38.407227 → TCP 112 20001091 [RST, ACK] 
    Seq=1 Ack=1 Win=0 Len=0
  626  41.687352 → TCP 112 20001092 [RST, ACK] 
    Seq=1 Ack=1 Win=0 Len=0
  1226  52.758103 → TCP 112 20001093 [RST, ACK
    Seq=1 Ack=1 Win=0 Len=0

WPA2 In Summary

Wireshark Equivalent

WPA3 Decryption

WPA3 decryption support in Wireshark is still in development.