Wireshark-users: Re: [Wireshark-users] How to save a decrypted SSL session in pcap

From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 5 May 2009 20:11:03 +0200
On Tue, May 05, 2009 at 09:22:31AM -0700, Michael Ryerse wrote:
> 
>    I have a server's private key loaded to decrypt some SSL sessions with a
>    server.  I want to save this capture in pcap format so I can email the
>    decrypted form to someone else without needing to send them the private
>    key.  So far I have found that I can export to text.  However text is much
>    harder to browse through so I am looking for a format that saves
>    decrypted, but is loadable to Wireshark like a pcap is.  Any help is
>    appreciated.

The same request was made on bugzilla, have a look at bug 3444
(https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3444).

Short summary: there are ideas to save the master secret of each SSL
session so that these master keys can be provided together with the pcap
file. These keys will then be used to decrypt the sessions in the pcap
file at the receivers end without the need of the private key. Please
note that each SSL session is creating its own master secret, so these
master secrets will not be making it possible to decrypt other sessions.

Until this functionality has been developed, the best way is to supply
both the pcap file with unencrypted data in it and the export to text
with the decrypted output in it.

Cheers,
   Sake