How to Capture and Decrypt HTTPS Traffic with tcpdump and Wireshark

This guide walks through why a simple tcpdump of baidu.com shows no HTTP host packets, how to filter TLS Server Name Indication, and step‑by‑step how to export the pre‑master key via SSLKEYLOGFILE so Wireshark can decrypt HTTPS traffic.

Liangxu Linux

A reader attempted to capture packets for baidu.com using ping and tcpdump, but could not see any HTTP host information because the site uses HTTPS, which encrypts the HTTP layer.

Why the packets were not captured

HTTPS encrypts the HTTP payload, so a Wireshark filter such as http.host == "baidu.com" matches nothing. Only fields that remain in clear text, like TLS extensions, can be filtered.

Filtering by TLS Server Name Indication (SNI)

During the TLS Client Hello the server_name extension carries the target hostname. Wireshark can locate the relevant packets with:

tls.handshake.extensions_server_name == "baidu.com"
Figure: TLS SNI filter example

Decrypting the HTTPS traffic

Resolve the IP address of baidu.com (e.g., 39.156.66.10) and capture traffic to and from that host. tcpdump treats everything after its options as the filter expression, so put -w before the host filter (BSD/macOS tcpdump rejects the other order; Linux tolerates it):

tcpdump -i eth0 -w baidu.pcap host 39.156.66.10

Export the TLS secrets by setting the environment variable SSLKEYLOGFILE to a writable file:

export SSLKEYLOGFILE=/Users/xiaobaidebug/ssl.key

Issue an HTTPS request from the same shell (e.g., with curl or Chrome). A TLS library that supports key logging, such as OpenSSL, will write the pre‑master secrets to the file specified above. Chrome only reads the variable at start-up, so quit it fully before launching it from this shell:

curl 'https://baidu.com'
# or on macOS
open -a Google\ Chrome https://baidu.com

In Wireshark open Preferences → Protocols → TLS and set the "(Pre)-Master‑Secret log filename" to the path of the ssl.key file. After applying, previously encrypted packets are decrypted and can be inspected; filters on the decrypted HTTP layer, such as http.host == "baidu.com", now match.

Figure: Wireshark TLS preferences

HTTPS handshake overview

HTTPS runs over TLS 1.2 (or later) and consists of two phases:

Phase 1 – TLS handshake (asymmetric encryption): client and server exchange random values and the client’s pre‑master secret, which is encrypted with the server’s public key.

Phase 2 – Record layer (symmetric encryption): both sides derive a session key from the client random, server random and pre‑master secret, then use it to encrypt all application data.

The four handshake messages are:

1. Client Hello: lists supported TLS versions, cipher suites, and includes a client_random.

2. Server Hello: returns a server_random, the selected cipher suite, and the server certificate.

3. Client Key Exchange: sends the pre‑master secret encrypted with the server’s public key, followed by Change Cipher Spec and an encrypted Finished message.

4. Server Change Cipher Spec and encrypted Finished message.

Figure: TLS 1.2 handshake diagram

Obtaining the pre‑master secret

The ssl.key file generated by the TLS library contains lines of the form:

CLIENT_RANDOM <client_random> <pre_master_key>

Wireshark extracts the client_random from the first Client Hello packet of each session, finds the line in ssl.key whose second field equals that value, and uses the associated pre_master_key to compute the session key and decrypt the traffic. Because the client logs the secret itself, this works whatever key exchange the cipher suite uses.
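The following Python is an added illustration, not code from the article or from Wireshark: it pulls the client_random (and, for the filter above, the SNI) out of a ClientHello record and looks that random up in an ssl.key file, which is the matching step just described. The ClientHello bytes and the key log contents are constructed sample data; the function names are mine. It also accepts the TLS 1.3 *_TRAFFIC_SECRET lines that current curl and Chrome builds log in the same file, which the article's CLIENT_RANDOM description does not cover.

```python
import struct

def parse_keylog(text):
    """Index an SSLKEYLOGFILE (NSS key log format) as {client_random_hex: {label: secret_hex}}."""
    index = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and not line.startswith("#"):   # skip comments and malformed lines
            index.setdefault(parts[1].lower(), {})[parts[0]] = parts[2].lower()
    return index

def parse_client_hello(record):
    """Pull client_random and SNI from a TLS record carrying a ClientHello, as Wireshark does."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    client_random, pos = body[2:34], 34                    # 2-byte version, then 32-byte random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    sni = None
    if pos < len(body):                                    # extensions block is optional
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            if etype == 0 and len(data) >= 5:              # server_name: list_len, type, name_len, name
                sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
            pos += 4 + elen
    return client_random.hex(), sni

def secrets_for_hello(record, keylog_text):
    """Match the capture's client_random against ssl.key; None means Wireshark cannot decrypt."""
    client_random, sni = parse_client_hello(record)
    return sni, parse_keylog(keylog_text).get(client_random)

def build_client_hello(client_random, sni):
    """Constructed minimal TLS 1.2 ClientHello (sample input for this example, not a real capture)."""
    host = sni.encode()
    ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host      # ServerNameList
    exts = struct.pack("!HH", 0, len(ext)) + ext                       # extension type 0
    body = (b"\x03\x03" + client_random + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed ssl.key contents: one TLS 1.2 session whose client random is 32 bytes of 0xaa.
SAMPLE_KEYLOG = "# constructed sample, not a real key log\nCLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48 + "\n"
```

A real capture yields the record bytes from the TCP payload of the first packet after the handshake; a lookup that returns None is the case where the key log was written by a different process or session than the one captured.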

Figure: Matching client random to ssl.key

Key points

HTTPS encrypts HTTP‑level fields, making http.host filters ineffective.

Use the TLS SNI filter tls.handshake.extensions_server_name == "baidu.com" to locate the relevant packets.

Set SSLKEYLOGFILE before running a TLS‑enabled client (e.g., curl, Chrome) to obtain a file containing client_random and pre_master_key.

Configure Wireshark with the generated ssl.key file; Wireshark will match the client_random to the appropriate pre_master_key and decrypt the captured TLS traffic.

Understanding the TLS handshake (client random, server random, pre‑master secret) is essential for successful decryption.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
