This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I have an iMac where i installed WireShark and i am filtering all HTTP traffic, but all i see is normal HTTP, i don't see any HTTPS. The same thing is happening in an Ubuntu installation.

Any idea what could be wrong?

alt text

Thanks

asked 29 Aug '16, 14:25

alexsmith's gravatar image

alexsmith
6224
accept rate: 0%

edited 29 Aug '16, 22:38

Can you take a picture of the filter you are using?

(29 Aug '16, 14:30) BruteForce

I uploaded the image.

(29 Aug '16, 22:38) alexsmith

Your display filter "http" is only going to show http traffic from the capture - not filter it out. In order to filter it out you would have to do not http or negate it.

Looks like this....."!http" or you can spell it out "not http". This will show you all the remaining traffic, after http has been removed.

permanent link

answered 30 Aug '16, 07:30

BruteForce's gravatar image

BruteForce
1203
accept rate: 9%

There is no protocol HTTPS, https is a URI scheme for http secure, see RFC 7230.

If you have captured HTTPS traffic, Wireshark will show TLS\SSL (as appropriate) as the protocol.

If you then supply the appropriate keying material to Wireshark, the traffic will be decrypted and show up as HTTP.

permanent link

answered 30 Aug '16, 07:55

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Thank you for your answer, that helps, although it is not complete. How do i supply the appropriate keying material? What does that mean?

(02 Sep '16, 03:41) alexsmith

See the Wireshark Wiki page on SSL for info on how to add keys to Wireshark.

(02 Sep '16, 04:11) grahamb ♦

Thanks, that makes more sense now. Unfortunately, it is not working for me.. I followed all their steps and it is not working for me for some reason, it does not decrypt.. Please have a look at my video and let me know if you see anything wrong: http://screencast.com/t/tMM2KBqa (sorry about the background noise)

(07 Sep '16, 09:07) alexsmith

A video isn't much use, but the SSL debug log is. In the SSL preferences, where you added the key, there is a path to the file to be used for the SSL debug log. Set that accordingly, reload your capture, then edit your question with the debug log, using the "code" button to format it for easier reading.

(07 Sep '16, 09:26) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×549
×319
×69

question asked: 29 Aug '16, 14:25

question was seen: 20,744 times

last updated: 07 Sep '16, 09:26

p​o​w​e​r​e​d by O​S​Q​A