Getting SSL decrypted capture for troubleshooting

To support path-based filtering rules and user-specific consents, the DefensX Agent includes a DNS-over-HTTPS (DoH) module. When the DefensX extension is installed in a supported browser, DNS queries are also sent from the browser to the local DoH module instead of using standard DNS protocols.

In advanced troubleshooting scenarios, it may be necessary to capture both the encrypted DoH queries sent by the browser and the underlying UDP/TCP DNS queries. This guide explains how to perform a Wireshark capture with SSL session keys, allowing you to decrypt TLS traffic and inspect DNS queries and responses in plain text.

Installing Wireshark

Wireshark is a widely used, free, and open-source network protocol analyzer that captures and inspects packets in real time. It provides detailed views of network traffic across various protocols, making it ideal for troubleshooting and security analysis.

If Wireshark is not already installed, you can download it from https://www.wireshark.org. During installation you can proceed with the default options; no special configuration is required.

Enabling TLS Decryption via SSLKEYLOGFILE

To decrypt TLS traffic, Chromium-based browsers (e.g., Chrome, Edge) and Firefox support exporting session keys via a special environment variable named SSLKEYLOGFILE. When this variable is set, supported browsers write the (pre-)master secrets for all TLS sessions, including DoH, to the specified file.

Important
Setting this variable enables logging for all TLS sessions in the browser while it’s running. If you wish to avoid capturing regular HTTPS traffic (e.g., port 443), you can apply a capture filter like not port 443 as explained later.

To create the variable, follow these steps:

  • Right-click on the Start button and select "System." Click on "Advanced system settings" on the left side of the System window.

  • In the System Properties window, click on the "Advanced" tab.

  • Click the "Environment Variables…​" button at the bottom of the window.

  • In the User Variables section (top), click the "New..." button.

  • Enter the variable name as SSLKEYLOGFILE in the "Variable name" field.

  • Click "Browse Directory...", select the target directory first, then append the filename in the "Variable value" field, e.g. C:\Users\john\Documents\ssl.txt

  • Click the "OK" button to save the new user variable, then close the remaining windows by clicking "OK".

(Screenshot: env1)

Configure Wireshark to Use the Key Log File

Optional

This step is only needed if you want to view decrypted TLS traffic directly in Wireshark. It’s not required if you’re only collecting the capture for DefensX support.

  • Open Wireshark and go to Edit → Preferences.

  • Expand Protocols and scroll down to TLS.

  • Set the (Pre)-Master-Secret log filename to the path you used for SSLKEYLOGFILE (e.g., C:\Users\john\Documents\ssl.txt).

  • Click OK.

(Screenshot: wireshark1)

Starting the capture

  • Launch Wireshark and go to Capture → Options.

  • In the Input section, select all network interfaces except "Event Tracing for Windows". Hold CTRL to select multiple.

  • (Optional) To exclude regular HTTPS traffic, enter not port 443 in the Capture filter field.

  • Click Start to begin capturing.

(Screenshot: wireshark2)

  • A live capture session should now be running, and the Wireshark window should look like the example below.

(Screenshot: wireshark3)

  • At this point, restart the browser you want to capture from, because SSLKEYLOGFILE is only read when the browser starts.

  • For Chrome, you can just close the browser and open it again.

  • For Edge, type edge://restart in the address bar to fully restart it, as it may stay running in the background.

  • Now browse a few websites or reproduce the issue to generate TLS and DoH traffic.

  • When done, click the red Stop icon in Wireshark.

Saving the capture

  • Go to File → Save As.

  • Choose a filename and location.

  • Under Compression, select Compress with gzip to reduce the file size.

  • Save the .pcapng.gz file.

  • Send both the saved packet capture file and the key log file (ssl.txt) to DefensX support for analysis.
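Before sending the files to support it is worth confirming that the key log actually decrypts the DoH traffic in the capture. The script below is an added example, not part of the DefensX guide; it drives tshark (installed alongside Wireshark, default path assumed) to run the same capture from the command line, applies the key log on read-back, and gzips the result. The interface number, capture duration and output paths are assumptions:

```powershell
# Added example (not from the DefensX guide): capture with tshark, then verify that
# the key log decrypts DoH before uploading. Paths and interface are assumptions.

$tshark  = 'C:\Program Files\Wireshark\tshark.exe'                 # default install path (assumed)
$keyLog  = [Environment]::GetEnvironmentVariable('SSLKEYLOGFILE', 'User')
$capture = Join-Path $HOME 'Documents\defensx-capture.pcapng'      # assumed output file

function Get-CaptureInterfaces {
    # Same list as Capture -> Options; ETW is left out as the guide recommends.
    & $tshark -D | Where-Object { $_ -notmatch 'Event Tracing for Windows' }
}

function Start-DnsCapture {
    param([string]$Interface = '1', [int]$Seconds = 60)   # '1' = first interface from -D (assumed)
    # -f is a BPF capture filter: 'not port 443' drops regular HTTPS, as in the guide.
    & $tshark -i $Interface -f 'not port 443' -a "duration:$Seconds" -w $capture
    return $capture
}

function Test-DohDecryption {
    # Re-reads the capture with the key log applied. A frame that matches both 'tls'
    # and 'dns' can only exist if the DoH payload was decrypted successfully.
    $decrypted = @(& $tshark -r $capture -o "tls.keylog_file:$keyLog" `
                     -Y 'dns && tls && dns.flags.response == 0' `
                     -T fields -e frame.number -e dns.qry.name)
    $plain     = @(& $tshark -r $capture -Y 'dns && !tls && dns.flags.response == 0' `
                     -T fields -e frame.number -e dns.qry.name)
    [pscustomobject]@{
        DecryptedDohQueries = $decrypted.Count
        PlainDnsQueries     = $plain.Count
        SampleNames         = $decrypted | Select-Object -First 5
    }
}

function Compress-Capture {
    # Equivalent to Wireshark's "Compress with gzip" option in Save As.
    param([string]$InputPath = $capture)
    $outPath = "$InputPath.gz"
    $in  = [System.IO.File]::OpenRead($InputPath)
    $out = [System.IO.File]::Create($outPath)
    $gz  = New-Object System.IO.Compression.GZipStream($out, [System.IO.Compression.CompressionMode]::Compress)
    try { $in.CopyTo($gz) } finally { $gz.Dispose(); $out.Dispose(); $in.Dispose() }
    return $outPath
}

# Typical flow:
# Get-CaptureInterfaces
# Start-DnsCapture -Interface '1' -Seconds 60   # restart the browser and reproduce meanwhile
# Test-DohDecryption                            # DecryptedDohQueries should be > 0
# Compress-Capture                              # send the .gz and the key log to support
```

If DecryptedDohQueries is 0 while PlainDnsQueries is not, the capture is fine but the key log does not match the sessions, which usually means the browser was started before the variable was set.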

Cleaning up

Once the capture is complete, you can remove the environment variable:

  • Follow the same steps used to create the variable under Enabling TLS Decryption via SSLKEYLOGFILE.

  • Select the SSLKEYLOGFILE variable and click Delete.

  • Click OK to save and close.

Tip
If you may need this setup again later, consider renaming the variable (e.g., _SSLKEYLOGFILE). When needed, just remove the underscore to reactivate it.