
Dear all

I want to check the URLs which are opened from inside my private network, in order to check if anything is requested that shouldn't be. As some of the URLs seem to be opened via https, tcpdump, afaik, reaches its limits. A Google search led me to Wireshark and the recommendation to analyze the dump file.

However, when I open that file I get some information about packets, including source and destination IPs. For whatever reason, resolving the host names does not work. I already enabled external name resolving, but nothing changes. Even if I got host names, I am not sure that this would include the specific URLs.

Could you be so kind as to help me out? I am not that much into these technical details, so I do not understand every further recommendation from the net.

Best regards

asked 01 May '17, 07:05


HabakukTibatong


Unless you have the pre-master session key you won't be able to decrypt HTTPS traffic. Therefore getting the URLs of HTTPS traffic will not be feasible for you.

To get the hosts of HTTPS URLs you can use the server_name extension of the TLS handshake (display filter: ssl.handshake.extensions_server_name).

For HTTP traffic, to get the full URL use the display filter http.request.full_uri.


answered 01 May '17, 10:53


Uli

Thanks. About that pre-master session key: can I get that when I have direct access to the device on my network which is establishing a https connection? If yes, is this some kind of stable key that I can just export?

About http.request.full_uri: I do not really understand how to use that, as you said before that I won't be able to get the URLs.

Either way, thanks for your reply.

(01 May '17, 11:38) HabakukTibatong

For HTTP (unencrypted) traffic http.request.full_uri lists the value of an HTTP request.

To get the pre-master key, the keyword to search for is 'SSLKEYLOGFILE' (e.g. here or on Google).

(01 May '17, 12:02) Uli
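The two techniques from the answer and the comment above, reading the host name from the server_name (SNI) extension of a cleartext ClientHello and checking whether an SSLKEYLOGFILE-format key log covers a session, as an added example in Python. This is not code from the thread or from Wireshark; the ClientHello records and the key log text are constructed inside the script, where a real capture would supply them. It also shows the point behind the "stable key" question: the key log holds one line per TLS session, keyed by the 32-byte client_random from that session's ClientHello, so a session can be decrypted only if its random appears in the file.

```python
"""Extract SNI and client_random from TLS ClientHello records and match them
against an NSS key log (the SSLKEYLOGFILE format). Added example with
constructed sample data; not code from the original thread or from Wireshark."""
import struct


def parse_client_hello(record: bytes):
    """Return (client_random, sni_hostname) from one TLS record that carries a
    complete ClientHello. sni_hostname is None if no server_name extension is
    present (e.g. a bare-IP connection). Raises ValueError for other records."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    pos = 2                                   # skip client_version
    client_random = hs[pos:pos + 32]          # this is what the key log is keyed on
    pos += 32
    pos += 1 + hs[pos]                        # session_id (length-prefixed)
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                        # compression_methods
    sni = None
    if pos + 2 <= len(hs):                    # extensions block is optional
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + ext_len]
            pos += ext_len
            if ext_type == 0x0000:            # server_name extension (RFC 6066)
                list_len = struct.unpack("!H", data[0:2])[0]
                q = 2
                while q + 3 <= 2 + list_len:  # entries: name_type(1) len(2) name
                    name_type = data[q]
                    name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                    q += 3
                    if name_type == 0:        # 0 = host_name
                        sni = data[q:q + name_len].decode("ascii")
                    q += name_len
    return client_random, sni


def build_client_hello(client_random: bytes, hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with an SNI extension.
    Used only to construct sample input for this example."""
    assert len(client_random) == 32
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
    sni_data = struct.pack("!H", len(entry)) + entry              # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data    # extension TLV
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + client_random
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                               # compression: null only
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_keylog(text: str) -> dict:
    """Parse NSS key log lines '<LABEL> <client_random hex> <secret hex>' into
    {client_random_bytes: {label: secret_bytes}}. Blank and '#' lines are skipped."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        label, rand_hex, secret_hex = parts
        out.setdefault(bytes.fromhex(rand_hex), {})[label] = bytes.fromhex(secret_hex)
    return out


def decryptable_sessions(records, keylog: dict):
    """For each ClientHello record return (sni, covered_by_keylog)."""
    result = []
    for rec in records:
        client_random, sni = parse_client_hello(rec)
        result.append((sni, client_random in keylog))
    return result


# Constructed sample data: two sessions, only the first has a key log entry.
RANDOM_A = bytes(range(32))
RANDOM_B = bytes(range(32, 64))
SAMPLE_RECORDS = [
    build_client_hello(RANDOM_A, "example.com"),
    build_client_hello(RANDOM_B, "updates.example.net"),
]
SAMPLE_KEYLOG = (
    "# constructed sample in SSLKEYLOGFILE (NSS key log) format\n"
    "CLIENT_RANDOM " + RANDOM_A.hex() + " " + ("ab" * 48) + "\n"
)

if __name__ == "__main__":
    for sni, covered in decryptable_sessions(SAMPLE_RECORDS, parse_keylog(SAMPLE_KEYLOG)):
        print(f"{sni}: {'decryptable' if covered else 'SNI only'}")
```

The "SNI only" outcome is the normal case for passively captured traffic: the host name is visible without any key, which is exactly what the ssl.handshake.extensions_server_name filter reads in Wireshark (tshark equivalent: `tshark -r capture.pcap -Y ssl.handshake.extensions_server_name -T fields -e ssl.handshake.extensions_server_name`; current versions name the field tls.handshake.extensions_server_name). Two caveats for a real capture: a ClientHello can be split across TCP segments, so feed the parser a reassembled record rather than a single packet payload, and the SNI may be absent or, with Encrypted Client Hello, unreadable, in which case the parser returns None. Wireshark consumes the same key log file through the (Pre)-Master-Secret log filename preference of the TLS (in the 2017-era versions, SSL) protocol.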

Thanks, I will try that.

(02 May '17, 09:44) HabakukTibatong


last updated: 02 May '17, 09:44
