Exporting / saving decrypted data from wireshark

Elaborating on my previous post, “Decrypting https traffic with bluecoat reverse proxy”: in support or troubleshooting situations, most of the time the end client will not be willing to hand over any private keys. This is understandable, since a leaked key could compromise the security system and would necessitate re-issuing certificates, which is no small feat. There is a simple yet little-known way of exporting the decrypted data from Wireshark into a text file. This text file contains the decrypted information without disclosing the private keys to anyone.

1. Optional, but it will save a lot of work: after successful decryption, ask the client to right-click on the stream of interest and choose “Follow TCP Stream” (assuming they can find the stream of interest).


2. Open the File menu > Export > File.


3. In the resulting dialogue box, check the export options (see the note below).


Note: by default, the “Displayed” option is not selected and “Packet bytes” is not selected. Both should be selected to get a complete yet clean decrypted export.

The resulting .txt file shows the decrypted information without needing the private keys.
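For clients who prefer a scriptable path, here is the same export driven from tshark. This is an added example, not part of the original post; it assumes tshark 3.x option names and that decryption is configured through a TLS key-log file (`tls.keylog_file`) rather than the RSA private key used in the post's scenario.

```shell
#!/bin/sh
# Added example: tshark equivalent of the Wireshark "Export > File" steps above.
# Assumptions (not from the post): tshark 3.x flag names, and decryption via a
# TLS key-log file instead of the server's RSA private key.

# Build the tshark command line that mirrors the export dialog settings:
#   "Displayed" only  -> -Y display filter restricted to one TCP stream
#   "Packet bytes"    -> -x (hex + ASCII dump of each packet, after decryption)
#   packet details    -> -V
# $1 = capture file, $2 = key-log file, $3 = tcp.stream index, $4 = output text file
build_export_cmd() {
    pcap="$1"; keylog="$2"; stream="$3"; out="$4"
    printf "tshark -r '%s' -o 'tls.keylog_file:%s' -Y 'tcp.stream eq %s' -V -x > '%s'" \
        "$pcap" "$keylog" "$stream" "$out"
}

# Variant that mirrors step 1 ("follow the stream") but yields only the reassembled
# application data. Note the follow target is "tls", not "tcp": following the TCP
# stream would print the still-encrypted record bytes.
build_follow_cmd() {
    pcap="$1"; keylog="$2"; stream="$3"; out="$4"
    printf "tshark -r '%s' -o 'tls.keylog_file:%s' -q -z 'follow,tls,ascii,%s' > '%s'" \
        "$pcap" "$keylog" "$stream" "$out"
}

# Run the full export if tshark is installed. Returns 2 when the tool is missing,
# so a caller can tell "not installed" apart from "tshark failed".
export_decrypted_stream() {
    command -v tshark >/dev/null 2>&1 || return 2
    cmd=$(build_export_cmd "$@")
    sh -c "$cmd"
}
```

The resulting file holds the decrypted application data itself (credentials, cookies, request bodies), so it deserves the same handling as the traffic it came from, even though no key leaves the client.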
