I'm making a very minimalistic Wireshark profile, so someone without much technical knowledge can get a quick overview of HTTP and SSL/TLS traffic ("non-technical" information).
Right now I have the following columns;
My question is, does the last filter (http.request.full_uri) always show the host that is also displayed with the http.host filter?
Or is/can there be a difference between: "http.host" and "http.request.full_uri"? Otherwise I can just use the full_uri filter without the separate host filter.
Is the filter "ssl.handshake.extensions_server_name" the only one that shows some 'understandable' information about encrypted traffic? And what exactly is the role of this server name and why is this not encrypted?
Any other ideas about filters that show this "low-level" information are also appreciated.
asked 12 Jul '16, 07:12
edited 12 Jul '16, 08:14
The http.request.full_uri field is the http.host field concatenated with the http.request.uri field, so yes, http.request.full_uri will always show the same host as the http.host field.
answered 12 Jul '16, 22:34