Server-side SSLKEYLOG generation for further analysis in Wireshark




sslkeylog is a Node.js module for generating a server-side SSLKEYLOG file, which Wireshark can later use to decrypt SSL connections. This method works with any TLS cipher suite, including elliptic-curve ones.

Further reading about SSLKEYLOG:


Node.js v10+ is required. Tested on v10 (LTS) and v11 (CURRENT), OS X and Linux.

To use in your project, install as usual:

$ npm install sslkeylog

...or add to package.json and use npm/yarn to do the work.

For a dev environment, clone the repository first:

$ git clone
$ cd node-sslkeylog
$ npm install
$ cd examples


Once you have a connected TLSSocket, you can call get_session_key() to get the session key for that connection:

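const fs = require('fs');
const https = require('https');
const sslkeylog = require('sslkeylog');
// key and cert: the server's private key and certificate, loaded elsewhere
let server = https.createServer({key, cert});
server.on('secureConnection', tls_socket=>{
    const {client_random, master_key} = sslkeylog.get_session_key(tls_socket);
    const hex1 = client_random.toString('hex');
    const hex2 = master_key.toString('hex');
    fs.appendFileSync('/tmp/sslkeylog.txt', `CLIENT_RANDOM ${hex1} ${hex2}\n`);
});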

Or just use set_log() and update_log() to do exactly the same:

server = https.createServer({key, cert});
server.on('secureConnection', sslkeylog.update_log);
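
The first snippet above appends session secrets to a file under /tmp. The following is an added example, not part of the sslkeylog module: it validates the two values before writing, keeps the log owner-only, and checks a finished log before it is loaded into Wireshark. The function names are hypothetical, the sizes assume TLS 1.2 or earlier, and the sample buffers are constructed.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// TLS 1.2 and earlier: 32-byte client random, 48-byte master secret.
const CLIENT_RANDOM_LEN = 32;
const MASTER_SECRET_LEN = 48;

// Build one key log line; wrong-sized inputs are rejected, not logged.
function format_keylog_line(client_random, master_key) {
    if (!Buffer.isBuffer(client_random) || client_random.length !== CLIENT_RANDOM_LEN)
        throw new RangeError('client_random must be a 32-byte Buffer');
    if (!Buffer.isBuffer(master_key) || master_key.length !== MASTER_SECRET_LEN)
        throw new RangeError('master_key must be a 48-byte Buffer');
    return `CLIENT_RANDOM ${client_random.toString('hex')} ${master_key.toString('hex')}\n`;
}

// Append to the log, creating it with mode 0600. The file holds session
// secrets: whoever can read it and the capture can decrypt the traffic.
function append_keylog(file, line) {
    const fd = fs.openSync(file, 'a', 0o600);
    try {
        // An existing file keeps its old mode, so refuse group/other access.
        if (process.platform !== 'win32' && (fs.fstatSync(fd).mode & 0o077) !== 0)
            throw new Error(`${file} is accessible to other users`);
        fs.writeSync(fd, line);
    } finally {
        fs.closeSync(fd);
    }
}

// Count well-formed and malformed entries in a key log (comments skipped).
function check_keylog(text) {
    const re = /^CLIENT_RANDOM [0-9a-f]{64} [0-9a-f]{96}$/i;
    const lines = text.split('\n').filter(l => l && !l.startsWith('#'));
    const valid = lines.filter(l => re.test(l)).length;
    return {valid, malformed: lines.length - valid};
}

// Round trip with constructed values (not real session secrets).
function demo() {
    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'keylog-'));
    const file = path.join(dir, 'sslkeylog.txt');
    append_keylog(file, format_keylog_line(Buffer.alloc(32, 0xab), Buffer.alloc(48, 0xcd)));
    const result = check_keylog(fs.readFileSync(file, 'utf8'));
    result.mode = fs.statSync(file).mode & 0o777;
    fs.unlinkSync(file);
    fs.rmdirSync(dir);
    return result;
}
```

Delete the key log once the capture has been analysed, since it decrypts every session it lists.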


Clone the repository, build with npm install and go to the examples/ subdir. Open a few terminal tabs or tmux/screen windows.

  1. 1st terminal: make server (starts https server on port 8000)
  2. 2nd terminal: make capture (starts tcpdump on loopback-interface, port 8000)
  3. 3rd terminal: make req (curl https://localhost:8000)
  4. Stop https server and tcpdump.

Now you have sslkeylog.txt (written by https server) and test.pcap (written by tcpdump).

Open test.pcap in Wireshark, right-click on any TLS packet, choose Protocol Preferences → Open Secure Sockets Layer Preferences → (Pre)-Master-Secret log filename and fill in the full path to sslkeylog.txt.

Now you can see decrypted packets:

wireshark screenshot


  • windows support?


Not tested in production, use at your own risk. Issues/PRs are welcome.