I am monitoring one website that, as far as I know, refreshes data on the page through Ajax queries. At least I do not see the data inside the page source (HTML), but I see the data that I need to capture and analyze, for example in the Chrome browser: Developer Tools -> Network -> XHR -> pick/click one Ajax link that appears in the list -> Response (the Chrome Developer Tools setting "Log XMLHttpRequests" must be checked). How can I see it in Wireshark, or better in tshark (so I can push it to a text file)? asked 26 Jun '13, 13:49 ristop
One Answer:
The request could be encrypted or scrambled (via JavaScript) or compressed, and that's the reason why you cannot identify the requests in Wireshark. Is it possible to post a sample capture somewhere (Google Docs, Dropbox, etc.)? Regards answered 26 Jun '13, 16:47 Kurt Knochner ♦
I post my comment as an answer because the comment is classified as spam.
Thanks for your quick answer. I uploaded the capture file to https://docs.google.com/file/d/0B84i2-8sFHT1WllJRVNEMVRzNW8/edit?usp=sharing
I captured the data with the filter ip.addr = <site_ip_address>. I hope it is correct, because I can't read it in the Wireshark window. It should look like HTML with line breaks (\n).
There are a lot of TCP connections. Only a few are to external addresses, and most connections are SSL/TLS. As I don't know the address of your server (please add that information) and there is no HTTP protocol on those connections (on ports other than 80, 443), I guess your Ajax connection uses SSL/TLS, and that's why you cannot see anything in Wireshark. If the destination server is your own and you have access to the private key of the server, you can decrypt the communication in Wireshark. Otherwise, you will have to use the already mentioned tools within the browser, as those tools will see the unencrypted communication.
Another option is to use an HTTP proxy with SSL/TLS interception (Google for Fiddler2 or similar tools).
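As an added example (not from the original post, and not Wireshark's own code): a small Python script that parses the TLS record layer of a byte stream, pulls the hostname out of the ClientHello's server_name (SNI) extension, and lists the application_data records. The stream it runs on is constructed inline (a minimal ClientHello plus 600 bytes of stand-in ciphertext), not a capture of the site, and all function names are my own. It shows what the capture above does and does not give away without the server key: the hostname and the size and timing of every record are in the clear, the Ajax response body is not.

```python
"""Added example: what a TLS-wrapped XHR looks like on the wire.

Parses the TLS record layer of a constructed byte stream, extracts the
hostname from the ClientHello's server_name (SNI) extension, and shows that
the application_data record carrying the Ajax response is opaque without keys.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_records(data: bytes):
    """Split a TLS stream into (content_type, version, payload) records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        records.append((CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype), version, payload))
        off += 5 + length
    return records


def extract_sni(handshake: bytes):
    """Return the host name from a ClientHello's server_name extension, else None."""
    if not handshake or handshake[0] != 1:        # HandshakeType client_hello == 1
        return None
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    off = 2 + 32                                  # client_version + random
    off += 1 + body[off]                          # session_id
    off += 2 + int.from_bytes(body[off:off + 2], "big")   # cipher_suites
    off += 1 + body[off]                          # compression_methods
    if off + 2 > len(body):
        return None                               # no extensions block at all
    ext_end = off + 2 + int.from_bytes(body[off:off + 2], "big")
    off += 2
    while off + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        edata = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != 0:                            # extension type 0 == server_name
            continue
        pos = 2                                   # skip the ServerNameList length
        while pos + 3 <= len(edata):
            ntype = edata[pos]
            nlen = int.from_bytes(edata[pos + 1:pos + 3], "big")
            if ntype == 0:                        # name_type host_name
                return edata[pos + 3:pos + 3 + nlen].decode("ascii")
            pos += 3 + nlen
    return None


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record with one SNI entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
    sni_ext = (struct.pack("!HH", 0, len(entry) + 2)
               + struct.pack("!H", len(entry)) + entry)
    body = (b"\x03\x03" + b"\x11" * 32            # client_version, random (fixed for the sample)
            + b"\x00"                             # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00"                         # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0303, len(handshake)) + handshake


def build_application_data(ciphertext: bytes) -> bytes:
    """Constructed sample: an application_data record; the payload is ciphertext."""
    return struct.pack("!BHH", 23, 0x0303, len(ciphertext)) + ciphertext


def summarize(stream: bytes):
    """Return (sni, [(content_type, length), ...]) for a TLS stream."""
    sni, summary = None, []
    for ctype, _version, payload in parse_records(stream):
        if ctype == "handshake" and sni is None:
            sni = extract_sni(payload)
        summary.append((ctype, len(payload)))
    return sni, summary


if __name__ == "__main__":
    # Constructed stand-in for a capture: one ClientHello, then an encrypted XHR response.
    sample = build_client_hello("tonybet.com") + build_application_data(b"\x8a" * 600)
    sni, summary = summarize(sample)
    print("server_name:", sni)
    for ctype, length in summary:
        print("%-16s %5d bytes" % (ctype, length))
```

In tshark the same hostname is exposed by the handshake dissector (display filter `tls.handshake.extensions_server_name` in current releases, `ssl.handshake.extensions_server_name` in the 1.x releases of 2013), which is the quickest way to find the connections that belong to tonybet.com when the IP filter is uncertain. Decrypting the application data itself still needs either the server's RSA private key (and that only helps when the cipher suite is not forward-secret) or, with current browsers, a key log written via the SSLKEYLOGFILE environment variable and fed to Wireshark's key log file preference.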
Maybe the ip.addr filter was not correct and the data that I am interested in was transferred through other IP addresses. What I did was:
- opened https://tonybet.com/live_events in the Chrome browser
- at the top of the page clicked "Bet type filter" and checked all types
- opened Wireshark and started to capture IP address 92.61.38.58 (ip.addr="92.61.38.58")
Depending on the changing frequency, the data is updated every 1-10 seconds. In Chrome Developer Tools -> Network -> XHR -> Response the data looks like this (this is only a fragment):
<table class=\"events singleRow capsTable pushedLeft capsTableDouble running-live\">\n <tr>\n <td class=\"sepThin\"> </td>\n <td class=\"toSlip\">\n <a class=\"price\" href=\"#\" data-event-odd-id=\"7913362\" id=\"event_odd_id_7913362\">\n <span>6.50</span>\n Total UNDER\n <em class=\"var purple\"> 1.5</em>\n </a>\n </td>\n\n\n <td class=\"toSlip\">\n <a class=\"price\" href=\"#\" data-event-odd-id=\"7913361\" id=\"event_odd_id_7913361\">\n <span>1.08</span>\n