This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL/HTTPS not being captured

0

Hello,

I have an iMac where i installed WireShark and i am filtering all HTTP traffic, but all i see is normal HTTP, i don't see any HTTPS. The same thing is happening in an Ubuntu installation.

Any idea what could be wrong?

alt text

Thanks

asked 29 Aug '16, 14:25

alexsmith's gravatar image

alexsmith
6224
accept rate: 0%

edited 29 Aug '16, 22:38

Can you take a picture of the filter you are using?

(29 Aug '16, 14:30) BruteForce

I uploaded the image.

(29 Aug '16, 22:38) alexsmith

2 Answers:

0

Your display filter "http" is only going to show http traffic from the capture - not filter it out. In order to filter it out you would have to do not http or negate it.

Looks like this....."!http" or you can spell it out "not http". This will show you all the remaining traffic, after http has been removed.

answered 30 Aug '16, 07:30

BruteForce's gravatar image

BruteForce
1203
accept rate: 9%

0

There is no protocol HTTPS, https is a URI scheme for http secure, see RFC 7230.

If you have captured HTTPS traffic, Wireshark will show TLS\SSL (as appropriate) as the protocol.

If you then supply the appropriate keying material to Wireshark, the traffic will be decrypted and show up as HTTP.

answered 30 Aug '16, 07:55

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Thank you for your answer, that helps, although it is not complete. How do i supply the appropriate keying material? What does that mean?

(02 Sep '16, 03:41) alexsmith

See the Wireshark Wiki page on SSL for info on how to add keys to Wireshark.

(02 Sep '16, 04:11) grahamb ♦

Thanks, that makes more sense now. Unfortunately, it is not working for me.. I followed all their steps and it is not working for me for some reason, it does not decrypt.. Please have a look at my video and let me know if you see anything wrong: http://screencast.com/t/tMM2KBqa (sorry about the background noise)

(07 Sep '16, 09:07) alexsmith

A video isn't much use, but the SSL debug log is. In the SSL preferences, where you added the key, there is a path to the file to be used for the SSL debug log. Set that accordingly, reload your capture, then edit your question with the debug log, using the "code" button to format it for easier reading.

(07 Sep '16, 09:26) grahamb ♦