Hello, I have an iMac where I installed Wireshark and I am filtering all HTTP traffic, but all I see is normal HTTP, I don't see any HTTPS. The same thing is happening in an Ubuntu installation. Any idea what could be wrong? Thanks

asked 29 Aug '16, 14:25 alexsmith
edited 29 Aug '16, 22:38

2 Answers:
Your display filter "http" is only going to show http traffic from the capture - not filter it out. In order to filter it out you would have to do not http or negate it. Looks like this: "!http", or you can spell it out: "not http". This will show you all the remaining traffic, after http has been removed.

answered 30 Aug '16, 07:30 BruteForce

There is no protocol HTTPS, https is a URI scheme for http secure, see RFC 7230. If you have captured HTTPS traffic, Wireshark will show TLS\SSL (as appropriate) as the protocol. If you then supply the appropriate keying material to Wireshark, the traffic will be decrypted and show up as HTTP.

answered 30 Aug '16, 07:55 grahamb ♦

Thank you for your answer, that helps, although it is not complete. How do I supply the appropriate keying material? What does that mean? (02 Sep '16, 03:41) alexsmith

See the Wireshark Wiki page on SSL for info on how to add keys to Wireshark. (02 Sep '16, 04:11) grahamb ♦

Thanks, that makes more sense now. Unfortunately, it is not working for me. I followed all their steps and it is not working for me for some reason, it does not decrypt. Please have a look at my video and let me know if you see anything wrong: http://screencast.com/t/tMM2KBqa (sorry about the background noise) (07 Sep '16, 09:07) alexsmith

A video isn't much use, but the SSL debug log is. In the SSL preferences, where you added the key, there is a path to the file to be used for the SSL debug log. Set that accordingly, reload your capture, then edit your question with the debug log, using the "code" button to format it for easier reading. (07 Sep '16, 09:26) grahamb ♦

Can you take a picture of the filter you are using?
I uploaded the image.
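
Added example (not part of the thread, and not Wireshark's own dissector logic): a simplified Python sketch of the point in the second answer, that captured HTTPS traffic appears as TLS records rather than HTTP until it is decrypted. The function names are hypothetical and the payload bytes are constructed samples.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
               b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ", b"HTTP/1.")
MAX_RECORD = 2**14 + 2048  # upper bound on an encrypted record's length


def tls_records(payload):
    """Return [(type_name, (major, minor), length)] for each TLS record
    header found back-to-back in payload; [] if it does not start as TLS."""
    records, offset = [], 0
    while offset + 5 <= len(payload):
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, offset)
        if (ctype not in CONTENT_TYPES or major != 3 or minor > 4
                or length > MAX_RECORD):
            return records  # stop at the first header that is not TLS
        records.append((CONTENT_TYPES[ctype], (major, minor), length))
        offset += 5 + length  # 5-byte header, then the record body
    return records


def classify(payload):
    """Simplified heuristic: label a TCP payload as http, tls or other."""
    if payload.startswith(HTTP_STARTS):
        return "http"   # what the display filter "http" would match
    if tls_records(payload):
        return "tls"    # HTTPS on the wire: only record headers are readable
    return "other"


# Constructed samples: a plaintext request and a segment holding two TLS records.
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
HTTPS_SEGMENT = (bytes([22, 3, 1, 0, 4]) + b"\x01\x00\x00\x00"  # handshake
                 + bytes([23, 3, 3, 0, 8]) + b"\xaa" * 8)        # encrypted data

if __name__ == "__main__":
    for name, data in (("plain", PLAIN_HTTP), ("https", HTTPS_SEGMENT)):
        print(name, classify(data), tls_records(data))
```

The application_data record body is opaque without the session keys, which is why the request inside it only shows up as HTTP after keying material is supplied.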