How can TLS traffic be decrypted using a pre-master secret log file in Wireshark?

Study for the Wireshark Block 5 Exam. Prepare with flashcards and multiple choice questions, each offering hints and explanations. Ace your exam with the best resources!

Multiple Choice

How can TLS traffic be decrypted using a pre-master secret log file in Wireshark?

Explanation:
Wireshark can decrypt TLS only when it is given the session secrets, and the key log file is the standard way to hand them over. The secrets are written by the endpoint that owns them: Firefox, Chrome, curl and most programs built on NSS, BoringSSL, OpenSSL 1.1.1 or later, or Go's crypto/tls with a key log writer will append the secrets of every handshake to the file named by the SSLKEYLOGFILE environment variable. Each line pairs the 32-byte client random from the ClientHello with the secret that belongs to it: for TLS 1.2 and earlier a CLIENT_RANDOM line carrying the 48-byte master secret, for TLS 1.3 one line per traffic secret (CLIENT_HANDSHAKE_TRAFFIC_SECRET, SERVER_HANDSHAKE_TRAFFIC_SECRET, CLIENT_TRAFFIC_SECRET_0, SERVER_TRAFFIC_SECRET_0 and so on). The client random is what lets Wireshark match a line in the log to a session in the capture.

Then, in Wireshark, set Edit > Preferences > Protocols > TLS > "(Pre)-Master-Secret log filename" to that file; tshark takes the same preference as -o tls.keylog_file:PATH. Wireshark reads the secrets, derives the record-layer keys for every session whose client random appears in the log, and shows the decrypted application data (HTTP, HTTP/2 and so on) beneath the TLS records. Sessions whose handshake happened before logging was enabled, or whose client random is missing from the file, stay opaque.

This is why simply installing the server certificate in Wireshark or adding a plugin does not decrypt anything: neither supplies key material. The only alternative, loading the server's RSA private key, covers just TLS 1.2 and earlier sessions that use plain RSA key exchange without forward secrecy, so it cannot decrypt (EC)DHE suites or any TLS 1.3 session. The key log file has no such restriction and is the practical method for TLS 1.2 and TLS 1.3 alike. If no endpoint produced a log, the traffic cannot be decrypted.
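
The full procedure as a shell script, added here as a worked example rather than material from the exam page: it captures one curl request while SSLKEYLOGFILE is set, validates the resulting log line by line (a log the client never wrote to is the most common reason decryption silently fails), decrypts with tshark's tls.keylog_file preference, and optionally bakes the secrets into the pcapng with editcap. The file paths, the example.com hostname and the hex values in write_sample_keylog are constructed placeholders; tshark, editcap, curl and capture privileges are assumed to be available for the capture and decrypt steps.

```shell
#!/bin/sh
# Added example (not from the exam page): SSLKEYLOGFILE workflow end to end.
# KEYLOG, PCAP and the hostname are placeholders; adjust to your environment.

KEYLOG="${KEYLOG:-/tmp/tls-keys.log}"
PCAP="${PCAP:-/tmp/capture.pcapng}"

# 1. Capture one HTTPS exchange while the client logs its secrets.
#    curl, Firefox and Chrome all honour SSLKEYLOGFILE; the client appends
#    one or more lines per handshake, so the file must be writable.
capture_with_keylog() {
    : > "$KEYLOG"
    tshark -i any -f 'tcp port 443' -w "$PCAP" &   # needs capture privileges
    sniffer=$!
    sleep 2                                         # let the sniffer start
    SSLKEYLOGFILE="$KEYLOG" curl -sS -o /dev/null "https://example.com/"
    sleep 2
    kill "$sniffer" 2>/dev/null
    wait "$sniffer" 2>/dev/null || true
}

# 2. Validate the log before blaming Wireshark. Every line is
#    "LABEL <client random, 64 hex> <secret, hex>". TLS 1.2 logs CLIENT_RANDOM
#    with a 48-byte master secret; TLS 1.3 logs one line per traffic secret,
#    sized to the cipher suite's hash (32 bytes for SHA-256, 48 for SHA-384).
#    Legacy NSS "RSA <session id> <premaster>" lines are accepted unchecked.
keylog_check() {
    awk '
        BEGIN {
            labels = " CLIENT_EARLY_TRAFFIC_SECRET CLIENT_HANDSHAKE_TRAFFIC_SECRET"
            labels = labels " SERVER_HANDSHAKE_TRAFFIC_SECRET CLIENT_TRAFFIC_SECRET_0"
            labels = labels " SERVER_TRAFFIC_SECRET_0 EXPORTER_SECRET EARLY_EXPORTER_SECRET "
        }
        /^#/ || /^[[:space:]]*$/ { next }          # comments and blank lines are fine
        {
            if (NF != 3) { bad++; next }
            if ($1 == "RSA") { legacy++; next }
            if (length($2) != 64 || $2 !~ /^[0-9a-fA-F]+$/) { bad++; next }
            if ($3 !~ /^[0-9a-fA-F]+$/) { bad++; next }
            n = length($3)
            if ($1 == "CLIENT_RANDOM" && n == 96) { tls12++; next }
            if (index(labels, " " $1 " ") && (n == 64 || n == 96)) { tls13++; next }
            bad++
        }
        END {
            printf "tls1.2 sessions=%d tls1.3 lines=%d malformed=%d\n", tls12, tls13, bad
            exit (bad > 0 || tls12 + tls13 + legacy == 0)
        }' "$1"
}

# 3. Decrypt with the same preference Wireshark exposes under
#    Edit > Preferences > Protocols > TLS > "(Pre)-Master-Secret log filename".
decrypt_capture() {
    tshark -r "$PCAP" -o "tls.keylog_file:$KEYLOG" -Y 'http.request || http.response' \
           -T fields -e ip.src -e http.request.method -e http.request.uri -e http.response.code
}

# 4. Optionally embed the secrets in the pcapng (a Decryption Secrets Block),
#    so the file decrypts on any machine without setting the preference.
embed_secrets() {
    editcap --inject-secrets "tls,$KEYLOG" "$PCAP" "${PCAP%.pcapng}-with-keys.pcapng"
}

# Constructed sample log in the format a client writes; the hex values are
# placeholders, not real secrets. Used to exercise keylog_check offline.
write_sample_keylog() {
    h=0123456789abcdef; g=fedcba9876543210
    r12="$h$h$h$h"; ms="$r12$h$h"     # TLS 1.2: 32-byte random, 48-byte master secret
    r13="$g$g$g$g"; ts="$g$g$g$g"     # TLS 1.3: 32-byte random, 32-byte secrets (SHA-256 suite)
    {
        printf '# constructed sample, not real secrets\n'
        printf 'CLIENT_RANDOM %s %s\n' "$r12" "$ms"
        printf 'CLIENT_HANDSHAKE_TRAFFIC_SECRET %s %s\n' "$r13" "$ts"
        printf 'SERVER_HANDSHAKE_TRAFFIC_SECRET %s %s\n' "$r13" "$ts"
        printf 'CLIENT_TRAFFIC_SECRET_0 %s %s\n' "$r13" "$ts"
        printf 'SERVER_TRAFFIC_SECRET_0 %s %s\n' "$r13" "$ts"
    } > "$1"
}

# Typical run: capture_with_keylog && keylog_check "$KEYLOG" && decrypt_capture
```

keylog_check exits non-zero when any line is malformed or when the file holds no usable entries, which is exactly the situation where Wireshark shows nothing but "Application Data": the capture may be fine, but the client never logged, or logged for a process other than the one you captured.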
