This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter a password from a client that uses a freemail provider?

0

How can I, for example, filter a password from a client that is logging on to www.hotmail.com? Which filter do I use?

asked 23 Oct '12, 04:58

marsal
1335
accept rate: 0%

what do you want to achieve?

(23 Oct '12, 05:37) Kurt Knochner ♦

No, at the school we got the work, nothing illegal at all. The question is whether that is possible to see or not (using Wireshark). I have got my virtual clients; I have to log on to my own mail account and see if this information is noticed and readable (to the human eye) by Wireshark!? Thanks

(26 Oct '12, 01:35) marsal

One Answer:

1

You probably can't, simply because - even if you manage to capture the relevant packets - they'll be SSL encrypted. You can decrypt them if you get the SSL encryption keys, but my guess is that you're trying to take a peek at passwords that are not your own, so you can't.

answered 23 Oct '12, 05:04

Jasper ♦♦
23.8k551284
accept rate: 18%

No, at the school we got the work, nothing illegal at all. The question is whether that is possible to see or not (using Wireshark). I have got my virtual clients; I have to log on to my own mail account and see if this information is noticed and readable (to the human eye) by Wireshark!? Thanks

(26 Oct '12, 01:35) marsal
1

Yes, if the protocol is unencrypted AND you are able to capture the packets (which can be tricky to do in switched networks). And no, if the protocol is encrypted, like https or imap/s, smtp/s, pop3/s.

(26 Oct '12, 03:04) Jasper ♦♦

Can you please tell me which filter to use?

(27 Oct '12, 00:24) marsal
1

It depends on the protocol used, but if it is HTTP (not HTTPS) you could filter on things like http.request.method=="POST" to see all data transfer requests that use the POST method (which is most common for forms being transmitted). Obviously, this won't work for encrypted HTTP.

After filtering on the POST requests you need to investigate if any of them contains password form details; usually this happens in one of the first posts since the login happens early in the process of receiving mails.

(27 Oct '12, 02:44) Jasper ♦♦

Thanks a lot!

(27 Oct '12, 04:59) marsal
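
The check described in the last answer comment (filter the POST requests, then look for password form fields), as an added example that is not part of the original thread: a Python script that takes reassembled HTTP request payloads from your own lab capture and reports which ones carry a password-like form field in clear text, without printing the value. The field-name hints, the host name and the sample payloads are constructed assumptions.

```python
# Added example (not from the thread): audit reassembled HTTP requests for
# login fields sent in clear text. Only field names are reported, never values.
from urllib.parse import parse_qsl

# Assumption: substrings that commonly appear in credential field names.
SENSITIVE = ("pass", "pwd", "secret")

def audit_request(raw: bytes):
    """Return a finding dict if raw is a cleartext HTTP POST carrying a
    password-like form field, else None. Payloads that are not parseable
    HTTP (for example TLS records) yield None."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "POST" or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        return None
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    hits = [k for k, _ in fields if any(s in k.lower() for s in SENSITIVE)]
    if not hits:
        return None
    return {"host": headers.get("host", "?"),
            "path": parts[1].split("?")[0],
            "fields": hits}

# Constructed sample payloads (lab data, not captured traffic).
SAMPLES = [
    b"POST /login HTTP/1.1\r\nHost: mail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"login=student1&passwd=LabOnly123&remember=1",
    b"POST /search HTTP/1.1\r\nHost: mail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nq=inbox",
    b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",  # start of a TLS record
]

def audit_all(payloads):
    """Run audit_request over every payload and keep the findings."""
    return [f for f in map(audit_request, payloads) if f]

if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print("cleartext credential field(s):", finding)
```

The third sample shows the encrypted case from the thread: a TLS record has no readable request line, so nothing is reported for it.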