Dhruvin_patel
Article Id 283963
Description This article describes how to decrypt the HTTPS traffic on the client using Wireshark. While using virtual servers on FortiGate, it is sometimes necessary to decrypt the traffic on the client end to isolate the issue further.
Scope Windows Client, FortiGate.
Solution
  1. Ensure that the client has the necessary permissions to capture traffic and that Wireshark is installed on the client's Windows machine.

  2. Capture the client side of the session key.

  3. Close Chrome completely. Verify in Task Manager that all instances are closed.

  4. Open Control Panel -> User Accounts -> User Accounts. On the left, select 'Change my environment variables', then select 'New' in the user variables section.
 

Variable name: SSLKEYLOGFILE
Variable value: %USERPROFILE%\Desktop\sslkey.log

 

  5. Start Wireshark, and start capturing packets on the Internet interface.
  6. Open Chrome and verify that the sslkey.log file has been created.

 

  7. Open the website whose traffic is to be decrypted. In this example, it is tested with the website '123.net'.
  8. Verify that the packets are being captured in Wireshark.

 

  9. In Wireshark, go to Edit -> Preferences -> Protocols, and select TLS. Under (Pre)-Master-Secret log filename, select the sslkey.log file from the PC where it has been stored, and then select 'OK'.

 

  10. The decrypted packets are now visible in Wireshark.

 

The steps may change when Windows or Chrome gets updated.

The same steps should be valid for other internet browsers like Firefox.

 

Setting SSLKEYLOGFILE as a User Environment Variable causes all applications that support SSLKEYLOGFILE to log TLS keys if they are started after the variable is set, regardless of whether they are launched via GUI or CLI. This causes unnecessary SSL key logging and may be a security concern.

 

An alternative is the CLI-scoped method, which logs TLS session keys only for applications started from a particular CMD window.

 

Open a Windows CMD window:

 

  1. Make a folder for logging SSL keys.

 

> mkdir C:\chromeTLS 
             

  2. Set the SSLKEYLOGFILE to the file path where the keys will be logged. The SSLKEYLOGFILE setting is local to this CMD window.


> set SSLKEYLOGFILE=C:\chromeTLS\tls_keys.log

 

  3. Verify the SSLKEYLOGFILE location.


> echo %SSLKEYLOGFILE%

 

  4. Launch Chrome or any other browser from this CMD window.


> "C:\Program Files\Google\Chrome\Application\chrome.exe"

 

  5. The TLS keys for the HTTPS traffic in this particular browser instance will be logged to tls_keys.log. A browser launched from the Start Menu or taskbar will not log keys. TLS keys for other browsers/applications will not be logged.

     

  6. Use the same method described earlier in the KB article to import the TLS keys (tls_keys.log) in Wireshark to decrypt the traffic.
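
If Wireshark still shows only encrypted records after the key log is imported, one thing to check is whether the log actually holds keys for the captured handshake. The following Python sketch is an added example, not part of the original article or a Fortinet tool: it parses the key log (sslkey.log or tls_keys.log) and reports whether keys for a given Client Hello Random are present. The function names and the sample values are assumptions made for the illustration.

```python
import re
# Labels of the NSS key log format that browsers write to SSLKEYLOGFILE.
TLS13_FULL = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
              "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
KNOWN = TLS13_FULL | {"CLIENT_RANDOM", "EXPORTER_SECRET",
                      "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET"}
# Line layout: <LABEL> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [(line_number, problem)])."""
    sessions, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are valid
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "malformed line"))
        elif m.group(1) not in KNOWN:
            problems.append((lineno, "unknown label " + m.group(1)))
        elif m.group(1) == "CLIENT_RANDOM" and len(m.group(3)) != 96:
            problems.append((lineno, "TLS 1.2 master secret is not 48 bytes"))
        else:
            sessions.setdefault(m.group(2).lower(), {})[m.group(1)] = m.group(3)
    return sessions, problems

def session_status(sessions, client_random):
    """Classify the handshake whose Client Hello Random is client_random (hex)."""
    labels = set(sessions.get(client_random.replace(":", "").lower(), {}))
    if not labels:
        return "missing"            # no keys were logged for this handshake
    if "CLIENT_RANDOM" in labels:
        return "tls1.2-ok"
    if TLS13_FULL <= labels:
        return "tls1.3-ok"
    return "tls1.3-incomplete"      # only part of the handshake's secrets is present

# Constructed sample, not real key material: TLS 1.2, partial TLS 1.3, one bad line.
R12, R13 = "aa" * 32, "bb" * 32
SAMPLE = f"""# constructed key log
CLIENT_RANDOM {R12} {'11' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {R13} {'22' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {R13} {'33' * 32}
CLIENT_RANDOM truncated
"""

if __name__ == "__main__":
    sessions, problems = parse_keylog(SAMPLE)
    print(session_status(sessions, R12), session_status(sessions, R13), problems)
```

To use it on a real capture, read the key log file into a string and pass the Random value shown in the Client Hello of the session that does not decrypt.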