Wireshark-users: Re: [Wireshark-users] HTTPS sniffing ?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 06 Jan 2008 14:18:51 -0800
xerces8 wrote:

> Is there a (simple) way to sniff HTTPS traffic with Wireshark?
> (not just headers, but actual data content)
> (like with "HTTP Analyzer" where it is a single click)

If "HTTP Analyzer" is the application from IE Inspector:

	http://www.ieinspector.com/

they say

	HTTPS is available if the application uses the Microsoft WININET API (ex. ie, outlook) or Mozilla NSS API. (ex. firefox, thunderbird)

which means that they might have some way of getting decrypted HTTP traffic from the application by, for example, interposing their own library in front of the WinInet or Mozilla NSS API or by using some hooks that those libraries provide, if, in fact, they provide them.

Wireshark isn't an "HTTP analyzer", it's a network analyzer that captures traffic at a much lower level (that's what it's intended to do and what it's designed to do). If it could determine the key needed to decrypt the traffic given only public keys and the raw network traffic, the first "S" in "SSL" and the "S" in "TLS" wouldn't belong there. :-)