This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible to capture the host name of and for every HTTP request over TLS?

0

Let me try to explain what I would like to do with an example. I start a live capture of traffic on eth0, and what I would like to see is the host name for every HTTP request performed over TLS:

➜  ~ sudo tshark -i eth0 -T fields -e ssl.handshake.extensions_server_name -R ssl.handshake.extensions_server_name
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'

Now I open Chromium in private mode and enter facebook.com - this is what gets captured:

www.facebook.com
fbstatic-a.akamaihd.net
fbstatic-a.akamaihd.net
fbstatic-a.akamaihd.net
fbstatic-a.akamaihd.net
fbcdn-static-b-a.akamaihd.net
fbcdn-static-b-a.akamaihd.net
fbcdn-static-b-a.akamaihd.net
fbcdn-static-b-a.akamaihd.net
fbcdn-static-b-a.akamaihd.net
10 clients1.google.com
fbcdn-static-b-a.akamaihd.net

But if I do a full refresh with [Ctrl]+[F5] nothing is added to that list. As I understand it, this is b/c what I capture is the host information communicated during the handshake, which is not reperformed for a request on an already established TLS connection.

So my question would be - what would I have to filter for to basically get the host name for every single request over TLS?

I suspect this is not possible to be done by filtering b/c that information is not relayed for every request - but maybe there is an equivalent solution?

asked 25 Feb '16, 02:20


Raffael1984
accept rate: 0%

edited 25 Feb '16, 02:23


One Answer:

1

I suspect this is not possible to be done by filtering b/c that information is not relayed for every request

Unless the Ctrl F5 causes the browser to close an already established TLS session and open a new one, there is no TLS establishment phase, so no packet contains the ssl.handshake.extensions_server_name protocol field.

The http requests sent using an already established TLS-encrypted TCP session do contain the target url, but by the very principle of TLS:

  • you cannot see their contents unless you have enough information to decrypt the TLS,

  • they cannot be sent to any other host than the one to which the TLS session has been established.

Therefore:

  • if you are interested only in the list of hosts visited, you have to start capturing before the TLS session establishment to all of them, and you do not need anything else.

  • if you want to see the details of target urls of the individual http requests sent to each host, you still have to start capturing before the TLS session establishments to all the hosts, because otherwise you would not be able to decipher the TLS sessions and thus see the http requests in plaintext. See Q&A for https decryption on this site for details.

With decryption working properly, you can use the http.host and http.request.uri fields the same way as the ssl.handshake.extensions_server_name field.

answered 25 Feb '16, 03:27


sindy
accept rate: 24%
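To make the answer's point concrete, here is an added example (not code from the question, the answer, or the Wireshark project) that parses the server_name (SNI) extension out of a raw TLS ClientHello record, exactly the field the tshark one-liner above prints. The records it works on are constructed in the file itself, not captured from a network; the cipher suite, random bytes and builder function names are assumptions of this example. Feeding it a mix of ClientHello and application_data records shows why a refresh on an established session adds nothing to the list: only the handshake record carries a host name, and the later records are opaque.

```python
"""
Extract the SNI host name from TLS ClientHello records.

Added example, not code from the question or answer. All record bytes
are constructed here (labelled as such); nothing is captured from eth0.
"""
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with one SNI entry (constructed input)."""
    name = host.encode("ascii")
    sni_entry = struct.pack("!BH", 0x00, len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                              # client_version TLS 1.2
        + b"\x11" * 32                           # random (fixed bytes, constructed)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite (assumed value)
        + b"\x01\x00"                            # compression methods: null only
        + struct.pack("!H", len(ext)) + ext      # extensions
    )
    handshake = struct.pack("!B", HS_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def build_application_data(payload: bytes) -> bytes:
    """Construct an application_data record, i.e. what an HTTP request on an established session looks like on the wire."""
    return struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0303, len(payload)) + payload


def extract_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None if the record carries none."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None                      # not a handshake record: encrypted data, alert, etc.
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    pos = 4 + 2 + 32                     # handshake header, client_version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                   # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                   # compression_methods
    if pos + 2 > len(hs):
        return None                      # ClientHello without extensions
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(hs))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type == EXT_SERVER_NAME and len(data) >= 5:
            # data = list length (2) + name_type (1) + name length (2) + name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", errors="replace")
    return None


def hosts_from_records(records):
    """Mimic the tshark one-liner: one host per ClientHello, every other record ignored."""
    return [h for h in (extract_sni(r) for r in records) if h is not None]


if __name__ == "__main__":
    # Constructed stream: two handshakes, interleaved with requests on the open sessions.
    stream = [
        build_client_hello("www.facebook.com"),
        build_application_data(b"\xde\xad\xbe\xef"),   # a later request: opaque, no host name
        build_client_hello("fbstatic-a.akamaihd.net"),
        build_application_data(b"\xca\xfe"),            # the [Ctrl]+[F5] refresh looks like this
    ]
    print(hosts_from_records(stream))
```

On Wireshark 3.0 and later the ssl.* fields are named tls.*, so the equivalent one-liner today is `tshark -i eth0 -Y tls.handshake.extensions_server_name -T fields -e tls.handshake.extensions_server_name`; the decryption route the answer describes is the tls.keylog_file preference pointed at a key log the browser writes when SSLKEYLOGFILE is set, after which http.host and http.request.uri become visible for every request, not just the first per session.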