This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Scenario: iPad app with Analytics SDK installed. Data is coming in, reports are showing up with reasonable numbers. However, I need to debug the single requests Analytics is making, to make sure every bit of information is sent with the right info. Setup is a Win7 machine with the latest Wireshark. Ad hoc network, where an iPad is dialing up to get WiFi access through my laptop's connection. It works fine: with the Wireshark filter http.request.full_uri contains "__utm.gif" I can easily see requests made in the Safari browser on the iPad. It shows up exactly as supposed, a simple HTTP request.

Now I start the app on the iPad, and it is the one reporting data to Analytics. However, I can't find any filter to get to the packages sent by the Analytics SDK. Now I also tested Fiddler (and Charles on Mac, too) as a proxy; both tools show an SSL connection to www.google-analytics.com, however with no information about the tracking.

Do you have any hints how to set up a filter to see data transfer from the app, where Analytics is sending data to its servers?

asked 20 Sep '13, 01:14

Mischa


> both tools show an SSL connection to www.google-analytics.com. Do you have any hints how to set up a filter to see data transfer from the app,

If the traffic is encrypted, you cannot 'look' inside that connection with Wireshark unless you are able to decrypt the conversation, which in turn is (almost) impossible, as you will have no access to the private keys of Google.

The proposed way to use Fiddler is the right way to proceed in your scenario. If Fiddler does not show anything, you need to tweak your Fiddler setup; however, that's a thing you'd better discuss on a Fiddler forum.

Hint: There is a Fiddler plugin to generate PCAP files of the 'decrypted' conversation. You can use that capture file in Wireshark.

Regards
Kurt

answered 20 Sep '13, 01:31

Kurt Knochner ♦

Thanks so much for the reply! http://fiddler2.com/add-ons There is sadly no add-on which mentions PCAP.

It's not the right place to ask about Fiddler, but maybe somebody can help: I see this information in Fiddler: Host = tunnel to URI = ssl.google-analytics.com:443

I configured decryption of this request. However, the only thing to see is the GET / request with no information about parameters sent within the request. There must be the artifacts somewhere? In plain HTTP it's just a part of the URI. Is it kind of hidden inside this SSL request?

(20 Sep '13, 02:46) Mischa

> Thanks so much for the reply! http://fiddler2.com/add-ons There is sadly no add-on which mentions PCAP.

Here we go: http://fiddler2.com/fiddlercap

> I configured decryption of this request. However, the only thing to see is the GET / request

Maybe your client on the iPad has problems with the intermediate certificate created by Fiddler and thus stops sending the "real" requests after some time.

(20 Sep '13, 04:02) Kurt Knochner ♦

The second comment seems correct. How can I make the iPad accept the intermediate certificate which is created by Fiddler? Any hint is very helpful. Thank you so far!

(20 Sep '13, 04:15) Mischa

> How can I make the iPad accept the intermediate certificate which is created by Fiddler?

I have no idea ;-) Maybe you'll have to import the cert somewhere. Google or the fancy guys in the Apple store will tell you. Just ask for: iPad certificate management

Anyway: What is the application on the iPad? System browser, some app (which one)?

(20 Sep '13, 04:32) Kurt Knochner ♦

I fixed it :)

It's very easy: on the iPad, open http://ipv4.fiddler:8888/ and install Fiddler's certificate. That's it.

More Info: http://fiddler2.com/documentation/Configure-Fiddler/Tasks/ConfigureForiOS

Thanks!

(20 Sep '13, 04:44) Mischa

@Mischa If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(20 Sep '13, 05:28) grahamb ♦
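
An added example, not part of the original thread: once the proxy shows decrypted request URIs, the per-hit check the question asks for can be scripted. The sample URIs are constructed, and the required-parameter list, the expected account ID and the rule that hits should use HTTPS are assumptions to adjust to what your SDK version sends.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: parameters every legacy __utm.gif hit should carry
# (tracking-code version, account ID, cache-busting random number).
REQUIRED = ("utmwv", "utmac", "utmn")


def audit_hits(uris, expected_account):
    """Return (uri, problems) for each __utm.gif hit; an empty list means OK."""
    results = []
    for uri in uris:
        parts = urlsplit(uri)
        if not parts.path.endswith("/__utm.gif"):
            continue  # not an Analytics hit, e.g. the bare "GET /" seen in the thread
        params = parse_qs(parts.query, keep_blank_values=True)
        # A parameter that is absent or empty counts as missing.
        problems = [f"missing {name}" for name in REQUIRED
                    if not params.get(name, [""])[0]]
        account = params.get("utmac", [""])[0]
        if account and account != expected_account:
            problems.append(f"unexpected account {account}")
        if parts.scheme != "https":
            # Assumed policy: tracking data should not travel in cleartext.
            problems.append("sent over plain HTTP")
        results.append((uri, problems))
    return results


# Constructed sample URIs, standing in for an export from the proxy.
SAMPLE = [
    "https://ssl.google-analytics.com/__utm.gif?utmwv=4.8.1mi&utmn=123456&utmac=UA-00000-1&utmp=%2Fhome",
    "http://www.google-analytics.com/__utm.gif?utmwv=5.4.4&utmn=987&utmac=UA-99999-9",
    "https://ssl.google-analytics.com/__utm.gif?utmwv=4.8.1mi&utmac=UA-00000-1",
    "https://ssl.google-analytics.com/",
]

if __name__ == "__main__":
    for uri, problems in audit_hits(SAMPLE, "UA-00000-1"):
        print("FAIL" if problems else "OK  ", uri, problems)
```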