This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Unencrypted http protocol over encrypted port


So I just started using Wireshark and started the capture on my own computer. A few packets that catch my attention include the HTTP protocol. It seems to me as if my computer is attempting to log on somewhere with my email address but fails. Below is the TCP stream, and I replaced my email address with x's. If anybody has any idea how I can identify what is the source of this on my computer, I would very much appreciate it.

    GET /sub?cname=xxx%40xxx.com_browsers&seq=1&st=6114460300580000 HTTP/1.1
    Host: 72.26.124.29:443
    Connection: Close

    HTTP/1.1 200 OK
    Server: evsnotify
    Content-Type: text/javascript; charset=utf-8
    Date: Tue, 19 Apr 2016 14:50:22 GMT
    Content-Length: 37
    Connection: close

    {"type":"user authentication failed"}

asked 19 Apr '16, 09:41


chuyrod


One Answer:


If anybody has any idea how I can identify what is the source of this on my computer, I would very much appreciate it.

Run Microsoft Network Monitor. They abandoned it, but it should still be downloadable. It will show you the PID of the process that sends certain data.

BTW: That behavior looks strange!

Regards
Kurt

answered 19 Apr '16, 13:25


Kurt Knochner ♦

Thanks for the tip. I opened Resource Monitor and found under the Network Activity section that id_service.exe from iDrive has a connection to the IP address above. Now I know what process is triggering this traffic, but I'm still confused because I would think the IP address would be iDrive's IP address. I also did another capture and still get the same results, even after logging into the iDrive website for my account. I'll keep digging.

Thanks again for the tip.

Jesse

(20 Apr '16, 08:17) chuyrod

I converted your answer to a comment. Please follow up with comments instead of answers (see FAQ).

but I'm still confused because I would think the IP address would be iDrive's IP address.

What should confuse you even more is the fact that they send your data over an unencrypted connection. Strange enough that they are using the HTTPS port (443). Who knows what else they send (password, backup data) in other unencrypted connections?

I suggest contacting their support and asking them what the heck this is all about ;-)

You can direct them to your post. 'Publicity' sometimes helps to speed up things :-)

Regards
Kurt

(20 Apr '16, 09:14) Kurt Knochner ♦
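The two observations in this thread, a cleartext HTTP request sent to the HTTPS port and an e-mail address carried in a URL query parameter, are both things a capture-review script can flag automatically. The following is an added example, not code from the thread or from any of the products mentioned: it takes the destination port and the first bytes of a client-to-server TCP stream (as Wireshark's "Follow TCP Stream" would show them), decides whether the stream opens with a TLS handshake record or with an HTTP request line, and reports findings. The sample payloads are constructed from the request quoted in the question with the address left masked; the function and variable names are the example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Ports where a TLS ClientHello, not cleartext HTTP, is expected as the first bytes.
TLS_PORTS = {443, 8443}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")
EMAIL_RE = re.compile(r"[^@\s/]+@[^@\s/]+\.[A-Za-z]{2,}")

# Constructed sample payloads (not from a real capture): the request shown in the
# question with the e-mail address still masked, and the start of a TLS ClientHello.
SAMPLE_PLAINTEXT = (
    b"GET /sub?cname=xxx%40xxx.com_browsers&seq=1&st=6114460300580000 HTTP/1.1\r\n"
    b"Host: 72.26.124.29:443\r\n"
    b"Connection: Close\r\n\r\n"
)
SAMPLE_TLS = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"


def looks_like_plaintext_http(payload: bytes) -> bool:
    """True if the first bytes of a client->server stream are an HTTP request line."""
    return payload.startswith(HTTP_METHODS)


def is_tls_record(payload: bytes) -> bool:
    """True if the stream opens with a TLS handshake record (type 0x16, version 3.x)."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def parse_http_request(payload: bytes) -> dict:
    """Split an HTTP/1.x request head into method, path, query parameters and Host."""
    text = payload.decode("latin-1")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": url.path,
        # parse_qs already percent-decodes, so %40 becomes "@" here.
        "params": {k: v[0] for k, v in parse_qs(url.query).items()},
        "host": headers.get("host", ""),
    }


def inspect_stream(dst_port: int, payload: bytes) -> dict:
    """Classify the start of a client->server stream and collect security findings."""
    findings = []
    result = {"dst_port": dst_port, "kind": "unknown", "request": None, "findings": findings}
    if is_tls_record(payload):
        result["kind"] = "tls"          # encrypted as expected; nothing to inspect
        return result
    if not looks_like_plaintext_http(payload):
        return result                   # neither TLS nor HTTP; leave for manual review
    result["kind"] = "http"
    req = parse_http_request(payload)
    result["request"] = req
    if dst_port in TLS_PORTS:
        findings.append("plaintext HTTP sent to a TLS port (%d)" % dst_port)
    for name, value in req["params"].items():
        if EMAIL_RE.search(value):
            findings.append("e-mail address in URL parameter %r" % name)
    return result


if __name__ == "__main__":
    for port, payload in ((443, SAMPLE_PLAINTEXT), (443, SAMPLE_TLS)):
        print(inspect_stream(port, payload))
```

Run against the stream from the question, the report lists both findings: the request is cleartext on port 443, and the `cname` parameter carries an address. A genuine HTTPS connection to the same port yields `kind == "tls"` and no findings, which is the baseline to compare the iDrive process's other connections against.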