This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to log https headers

0

When I visit websites that show yahoo ads, I see a header like this (via live http header).

https://syndication.streamads.yahoo.com/na_stream_brewer/brew/v2?cid=ee289520-a939-3954-a2e6-5155cf227564&url=http%3A%2F%2Fwww.vox.com%2F2016%2F1%2F15%2F10774204%2Fwinners-losers-republican-debate-charleston-fox-business%2Fin%2F10531817&v=b5896bc&rid=addcceb1-d5c6-47ad-9203-3bd599a15a9a&pvid=1d625dc0-62a6-4a05-a440-a0fd8b913b19&mode=i&fill=true&tti=889&tts=262&canonical=http%3A%2F%2Fwww.vox.com%2F2016%2F1%2F15%2F10774204%2Fwinners-losers-republican-debate-charleston-fox-business&secured=true&callback=YADJSONPCallbacks.receiveCallback_1452838710074

GET /na_stream_brewer/brew/v2?cid=ee289520-a939-3954-a2e6-5155cf227564&url=http%3A%2F%2Fwww.vox.com%2F2016%2F1%2F15%2F10774204%2Fwinners-losers-republican-debate-charleston-fox-business%2Fin%2F10531817&v=b5896bc&rid=addcceb1-d5c6-47ad-9203-3bd599a15a9a&pvid=1d625dc0-62a6-4a05-a440-a0fd8b913b19&mode=i&fill=true&tti=889&tts=262&canonical=http%3A%2F%2Fwww.vox.com%2F2016%2F1%2F15%2F10774204%2Fwinners-losers-republican-debate-charleston-fox-business&secured=true&callback=YADJSONPCallbacks.receiveCallback_1452838710074 HTTP/1.1
Host: syndication.streamads.yahoo.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://s.yimg.com/uq/syndication/yad-iframe.b5896bc.html
Cookie: B=1rg7cvhb9grj9&b=3&s=58
Connection: keep-alive

I would like to capture the above header data via wireshark but I am unable to do that. Here are my settings.

  1. Capture filter: none
  2. Display filter: http contains "yahoo", http contains "syndication", etc.

However, when I use any of these filters, I don’t get any results. What am I doing wrong?

asked 15 Jan '16, 00:33


hvs
accept rate: 0%


One Answer:

1

While http contains "text" is a valid filter, I'm afraid you have to feed Wireshark the information it needs to be able to decrypt the https in order to get to the plaintext http contents. You should find all that you need to do that here.

answered 15 Jan '16, 03:23


sindy
accept rate: 24%

But don't I need the private key for the SSL certificate for this? I don't currently have that. As you can see in my example, the server is making a call to yahoo to show the advertisement. I don't have the private key for the yahoo SSL certificate. Perhaps my understanding is incorrect here.

All I want to do is capture the header that is visible in firefox via the live http header plugin. I am assuming that the browser is encrypting the header, and when it is intercepted by wireshark, it is all encrypted. So how do I decrypt without the private key?

Thanks.

(16 Jan '16, 00:55) hvs

The very idea of encryption is that a third party would be unable to see the contents of the communication. The complete http contents, including headers, are encrypted, not just the payload. Hence,

All I want to do is capture the header

requires use of the same tools as

all I want to do is see the complete contents of the encrypted communication

The plugin to firefox has access to the plaintext contents before the browser encrypts the request/after the browser decrypts the response.

When you capture the encrypted traffic, you effectively act as a third party, because this is what anyone along the path between the browser and the server can do. When you analyse traffic which you were involved in, either as the owner/administrator of the server or as the user of the browser, you possess a couple of bits of information which a real third party lacks: the keys.

  • as a server administrator, you have access to the private key of the server

  • as an end user (or the administrator of the end user's equipment), you have access to the keylog file of the browser, which contains the actual keys used to encrypt the traffic.

If you are neither of the two (i.e. you are really a third party with regard to the particular encrypted communication you are interested in), and you don't happen to work for the NSA, it is time to give up.

If you want to see which of the web pages you've visited yourself (or someone else did using your PC): on the original link I gave, you can find a link to a step-by-step procedure for making your browser log the session keys and for using the contents of this file in Wireshark to decrypt the captured https sessions.

(16 Jan '16, 01:58) sindy

OK, thanks. I figured it out. I set the env variable SSLKEYLOG on my system and started collecting the keys in the text file the variable was pointing to. After setting up wireshark to read the file, I can see the decrypted headers.

(16 Jan '16, 12:55) hvs
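As an added illustration (not code from this thread or from the Wireshark project), here is the mechanism behind the key log approach: the browser, with the SSLKEYLOGFILE environment variable set, writes one line per session containing the 32-byte client random and the session secret; Wireshark (via its tls.keylog_file preference, ssl.keylog_file in older releases) reads the client random out of each captured ClientHello and looks up the matching line. The key log text and the ClientHello bytes below are constructed samples, and the hex values are made up, not real keys.

```python
import re

# Constructed sample values: the key log below is in the NSS format Firefox and
# Chrome write when SSLKEYLOGFILE is set; the hex is made up, not a real key.
CLIENT_RANDOM_HEX = "ab" * 32   # 32-byte client random, as sent in the ClientHello
MASTER_SECRET_HEX = "cd" * 48   # 48-byte TLS 1.2 master secret
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, generated by NSS\n"
    f"CLIENT_RANDOM {CLIENT_RANDOM_HEX} {MASTER_SECRET_HEX}\n"
)

# One key log line: <label> <client_random hex> <secret hex>; TLS 1.3 uses the
# same shape with labels such as CLIENT_HANDSHAKE_TRAFFIC_SECRET.
KEYLOG_LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Map (label, client_random bytes) -> secret bytes; skip comments and junk lines."""
    secrets = {}
    for line in text.splitlines():
        m = KEYLOG_LINE.match(line.strip())
        if m:
            secrets[(m.group(1), bytes.fromhex(m.group(2)))] = bytes.fromhex(m.group(3))
    return secrets

def build_client_hello(client_random):
    """Construct a minimal TLS 1.2 ClientHello record (one cipher suite, no extensions)."""
    body = (b"\x03\x03" + client_random + b"\x00"   # version, random, empty session id
            + b"\x00\x02\xc0\x2f"                    # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
            + b"\x01\x00")                           # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def client_random_from_record(record):
    """Return the 32-byte client random from a ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:       # 0x16 = handshake content type
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:               # 0x01 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    return body[2:34] if len(body) >= 34 else None  # skip the 2-byte version field

def find_secret(record, keylog_text, label="CLIENT_RANDOM"):
    """Match a ClientHello to its key log entry, the lookup Wireshark performs per session."""
    rnd = client_random_from_record(record)
    return None if rnd is None else parse_keylog(keylog_text).get((label, rnd))

if __name__ == "__main__":
    hello = build_client_hello(bytes.fromhex(CLIENT_RANDOM_HEX))
    print("secret found" if find_secret(hello, SAMPLE_KEYLOG) else "no key for this session")
```

A session whose client random has no line in the file (for example one captured before the variable was set) stays encrypted, which is the usual reason decryption appears to "not work".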

@hvs, you should have marked the answer of @sindy as accepted, not posted a comment as an answer and accepted it. I revoked the checkmark, converted it to a comment and checked the correct answer instead.

(16 Jan '16, 19:21) Jasper ♦♦