Download session keys with packet captures
You can download PCAP Next Generation (pcapng) file that includes all captured TLS session keys and encrypted packets. You can then open the packet capture file in a tool such as Wireshark, which can apply the session keys and display the decrypted packets.
Before you begin
- You must have a configured packetstore or packet capture disk before you can download packets and session keys from a sensor or a console. See our deployment guides to get started.
- The console must be licensed for TLS Shared Secrets.
- The TLS Session Key Storage setting must be enabled on the sensor.
- RevealX Enterprise users must have either system access and administration privileges or limited privileges with packets and session keys access. RevealX 360 users must have packets and session keys access.
View the decrypted payload in Wireshark
- Start the Wireshark application.
- Open the downloaded packet capture (pcapng) file in Wireshark.
When an SSL-encrypted frame is selected, the Decrypted SSL tab appears at the bottom of the Wireshark window. Click the tab to see the decrypted information in the packet capture as plain text.
Thank you for your feedback. Can we contact you to ask follow up questions?