This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I retrieve (full) urls from a tcp dump?

0

Dear all

I want to check the URLs which are opened from inside my private network in order to check if anything is requested that shouldn't be. As some of the URLs seem to be opened via https, tcpdump comes afaik to its limits. A Google search led me to Wireshark and the recommendation to analyze the dump file.

However, when I open that file I get some information about packets, including source and destination IPs. For whatever reason, resolving the host names does not work. I already enabled external name resolving, but nothing changes. Even if I would get host names, I am not sure that this would include the specific URLs.

Could you be so kind as to help me out? I am not that much into these technical details, so I do not understand every further recommendation from the net.

Best regards

asked 01 May '17, 07:05


HabakukTibatong
6113
accept rate: 0%


One Answer:

1

Unless you have the pre-master session key you won't be able to decrypt HTTPS traffic. Therefore getting the URLs of HTTPS traffic will not be feasible for you.

To get the hosts of HTTPS URLs you can use the servername extension of the TLS handshake (display filter: ssl.handshake.extensions_server_name).

For HTTP traffic to get the full URL use the display filter http.request.full_uri.

answered 01 May '17, 10:53


Uli
9031515
accept rate: 29%

Thanks. About that pre-master session key: Can I get that when I have direct access to the device on my network which is establishing an https connection? If yes, is this some kind of stable key that I can just export?

About http.request.full_uri: I do not really understand how to use that, as you said before that I won't be able to get the URLs.

Either way, thanks for your reply.

(01 May '17, 11:38) HabakukTibatong

For HTTP (unencrypted) traffic http.request.full_uri lists the value of an HTTP request.

To get the pre-master key, the keyword to search for is 'SSLKEYLOGFILE' (e.g. here or on Google).

(01 May '17, 12:02) Uli

Thanks, I will try that.

(02 May '17, 09:44) HabakukTibatong
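As an added illustration of what the two display filters from the answer actually read (this is example code, not part of the thread or of Wireshark): the first function rebuilds the `http.request.full_uri` value from a plaintext request line and Host header, the second walks a TLS ClientHello to the server_name extension that `ssl.handshake.extensions_server_name` shows. The sample payloads are constructed inline; `build_client_hello` is a hypothetical helper that makes a minimal hello for the demo.

```python
import struct

def http_full_uri(payload: bytes):
    """Plaintext HTTP request -> 'http://host/path' (what http.request.full_uri shows)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = next((h.split(b":", 1)[1].strip() for h in lines[1:]
                 if h.lower().startswith(b"host:")), b"")
    return "http://" + host.decode() + parts[1].decode()

def tls_sni(payload: bytes):
    """TLS ClientHello -> SNI host name (what ssl.handshake.extensions_server_name shows)."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 43                                              # record(5)+hs hdr(4)+version(2)+random(32)
    p += 1 + payload[p]                                 # session_id
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher_suites
    p += 1 + payload[p]                                 # compression_methods
    if p + 2 > len(payload):
        return None                                     # hello without extensions: no SNI
    ext_end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", payload[p:p + 4])
        if etype == 0:                                  # server_name extension
            nlen = struct.unpack("!H", payload[p + 7:p + 9])[0]   # skip list len, name_type
            return payload[p + 9:p + 9 + nlen].decode("ascii")
        p += 4 + elen
    return None

def build_client_hello(host: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello whose only extension is SNI."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 + host_name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00"                         # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                        # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples standing in for two TCP payloads from a capture.
HTTP_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_SAMPLE = build_client_hello("example.org")

if __name__ == "__main__":
    print(http_full_uri(HTTP_SAMPLE), tls_sni(TLS_SAMPLE))
```

On a real capture the same two fields come out of `tshark -r capture.pcap -T fields -e tls.handshake.extensions_server_name -e http.request.full_uri`; Wireshark 3.0 renamed the ssl.* fields to tls.*, with the old names kept as aliases.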