Dear all, I want to check the URLs which are opened from inside my private network, in order to check whether anything is requested that shouldn't be. As some of the URLs seem to be opened via https, tcpdump, as far as I know, reaches its limits. A Google search led me to Wireshark and the recommendation to analyze the dump file. However, when I open that file I get some information about packets, including source and destination IPs. For whatever reason, resolving the host names does not work. I already enabled external name resolving, but nothing changes. Even if I did get host names, I am not sure that this would include the specific URLs. Could you be so kind as to help me out? I am not that much into these technical details, so I do not understand every further recommendation from the net. Best regards
asked 01 May '17, 07:05 HabakukTibatong
One Answer:
Unless you have the pre-master session key you won't be able to decrypt HTTPS traffic. Therefore getting the URLs of HTTPS traffic will not be feasible for you. To get the hosts of HTTPS URLs you can use the servername extension of the TLS handshake (display filter: ). For HTTP traffic, to get the full URL, use the display filter
answered 01 May '17, 10:53 Uli
Thanks. About that pre-master session key: can I get that when I have direct access to the device on my network which is establishing an https connection? If yes, is this some kind of stable key that I can just export?
About http.request.full_uri: I do not really understand how to use that, as you said before that I won't be able to get the URLs.
Either way, thanks for your reply.
For HTTP (unencrypted) traffic, `http.request.full_uri` lists the value of an HTTP request. To get the pre-master key, the keyword to search for is 'SSLKEYLOGFILE' (e.g. here or on Google).
Thanks, I will try that.