Decrypting WebPageTest HTTPS Packets With Wireshark

28 November 2022
#webpagetest #wireshark

The first thing I reach for to find out what is happening when a page loads is WebPageTest. There are times where even the detail that it provides is not enough, where I need to know what is happening at the network packet level. The problem is that more often than not the network packets are encrypted, in large part because of the increased use of HTTP/2. Fortunately WebPageTest makes it easy to both capture the packets for a test and provide the data needed to decrypt them.

Below are my notes on how to capture WebPageTest test packets and decrypt them in Wireshark.

You can use the WebPageTest results I used for this post at https://www.webpagetest.org/result/221122_BiDc56_3TF/. I've also got copies of the tcpdump file and TLS Key Log for use after the WebPageTest archive expires.

WebPageTest

There is one checkbox that needs to be set to tell WebPageTest to save the network packets for the test: Capture network packet trace (tcpdump) - under the Advanced Configuration section, on the Advanced tab.

WebPageTest - "Capture network packet trace (tcpdump)" option

When the test is complete there are two download links under the Individual Runs section that we need: tcpdump and TLS Key Log.

WebPageTest - tcpdump and TLS key log

After those are have been downloaded we move over to Wireshark.

Wireshark

In Wireshark open the tcpdump file, in the example test I linked to above it is 1.cap. Scrolling through the list of packets you will see several with a Protocol label of TLS1.3 and an Info label of Application Data. Wireshark knows that these are TLS encrypted packets, but can't see what is inside them - that is the whole point after all.

Next we will tell Wireshark about the TLS Key Log, this provides the details that it needs in order to decrypt the packets. Here is what that looks like in Wireshark 4.0.1. Select one of the TLS1.3 - Application Data packets and right click on it. In the popup menu goto Protocol Preferences → Transport Layer Security → (Pre)-Master-Secret log filename.

That will open up a small section above the packet list where you can point it to the TLS Key Log that you downloaded from WebPageTest.

Wireshark - TLS master secret file

With that in place Wireshark can now decrypt the TLS packets and parse the HTTP/2 level data. Scrolling through the packet list you will now see green highlighted HTTP2 protocol packets.

In my example packet 37 is the one that contains the initial GET request. Wireshark is able to show the HTTP/2 frame, decrypted TLS, and decompressed versions of that packet. Because it understands HTTP it also parses that for easy reference.

Wireshark - GET request

That is all it takes to get access to the unencrypted network packets of a WebPageTest result. From here you can explore each step from the network point of view.

Here are a few examples, with packet numbers based on the example WebPageTest result I linked to at the top.

Packet 1: first network packet is a DNS request
Packet 34: contains the first SETTINGS and WINDOW_UPDATE data
Packet 40: has the HTTP response headers for the first request
Packet 61: includes the HTML text

If timing is something you are trying to pin down, you can go from millisecond to microsecond level precision. In Wireshark go to View → Time Display Format → Microseconds.

Being able to step through the whole process packet by packet is a powerful option. The combination of WebPageTest and Wireshark makes it easy to collect and browse through the decrypted packet stream.

When in doubt, look at what went over the network, in detail.