I want to check the URLs which are opened from inside my private network in order to check if anything is requested that shouldn't be. As some of the URLs seem to be opened via HTTPS, tcpdump, AFAIK, reaches its limits. A Google search led me to Wireshark and the recommendation to analyze the dump file.
However, when I open that file I get some information about packets, including source and destination IPs. For whatever reason, resolving the host names does not work. I already enabled external name resolving, but nothing changes. Even if I got host names, I am not sure that this would include the specific URLs.
Could you be so kind and help me out? I am not that much into these technical details, so that I do not understand every further recommendation from the net.
asked 01 May '17, 07:05
Unless you have the pre-master session key you won't be able to decrypt HTTPS traffic. Therefore getting the URLs of HTTPS traffic will not be feasible for you.
To get the hosts of HTTPS URLs you can use the servername extension of the TLS handshake (display filter:
For HTTP traffic to get the full URL use the display filter
answered 01 May '17, 10:53