Inspect 2-way authentication with Tcpdump and Wireshark

At work, I run an Nginx server that is configured for 2-way authentication. The following are notes that I took to show how to use Wireshark to inspect the tcp stream of encrypted traffic.

Convert certificates to .p12

First, we need to have both client and server certificates. With Wireshark it is preferred that we have PKCS12 format files so we need to convert our certificates to that format. The client in this case is a Tomcat server but sometimes a JMeter client which is used for testing.

To convert a JKS file to PKCS12 format:

$ keytool -importkeystore -srckeystore client.jks \
> -srcstorepass weblogic \
> -destkeystore client.p12 \
> -deststorepass weblogic \
> -srcalias client \
> -deststoretype pkcs12

To convert a PEM file to PKCS12 format:

$ openssl pkcs12 -export -out server.p12 \
> -inkey server.key \
> -in server.pem \
> -certfile server-cacert.pem 

Form the tcpdump command

In my environment, the backend server is behind an AWS Elastic Load Balancer so we need to find the IP addresses of the ELB:

$ host has address has address

Use the ELB IP addresses to form the tcpdump command:

$ sudo tcpdump -i any -s0 -w output.pcap host or

If you want to be specific about the port then a more advanced command:

$ sudo tcpdump -i any -s0 -w output.pcap \
> '(host or and port 443'

Sending the request

To properly capture 2-way authentication and be able to decrypt the tcp stream in Wireshark, the traffic must be encrypted with RSA. Traffic encrypted with any version of Diffie-Hellman will not work.

On the server, list the available ciphers and narrow down to the relevant ones that will work for Wireshark inspecting:

$ openssl ciphers | tr ':' '\n' | grep AES | egrep -v 'DH|PSK'

With the listed ciphers from the server, form the curl request and specify a compatible cipher:

$ curl -v --tlsv1.2 --cipher rsa_aes_128_sha --cert client.p12:weblogic \

Unfortunately, if you are on a Mac, the curl request will not work. Since Mavericks, the Transport Security Layer disables the ignores the option to set the cipher suite.1 In my case, I was able to restrict the encryption to RSA by setting the Nginx server configuration:

ssl_ciphers RSA;

After setting the Nginx server to only accept RSA encryption, I could send requests from JMeter with no issue or further configuration.

Inspect with Wireshark

Finally, once the pcap file has been created which captures the traffic sent from curl or JMeter, open it in Wireshark. Open the Wireshark preferences and select SSL from the protocol list. Select “Edit…” for the RSA Key List and add both the client certificate and the server certificate that we generated earlier in this tutorial. Afterward, you should now be able to see the unencrypted traffic. If you right-click and select “Follow > SSL Stream”, then you should see the requests made in clear text including header values and body data.