How to Capture HTTP/HTTPS Traffic with Wireshark

If you use a proxy client, close it before you use Wireshark to capture traffic.

Capture HTTP/HTTPS traffic of PC

1. Open Wireshark.

2. Choose an interface.

If you use Wi-Fi, you need to capture on the WLAN interface.

Double click the WLAN interface in the interface list.

3. Apply a display filter to show only HTTP/HTTPS traffic

HTTP

http

HTTPS

tls.handshake.type == 1

or

tcp.port == 443

4. Capture a specific domain’s traffic

HTTPS + IPv4

tls.handshake.extensions_server_name == "web.traceint.com" || ip.dst == xxx.xxx.xxx.xxx

HTTPS + IPv6

tls.handshake.extensions_server_name == "www.bilibili.com" || ipv6.addr == 2408:873c:6810:3::14

HTTP

http.host == "mydomain.com"

Capture HTTP/HTTPS traffic of mobile

1. Turn on the mobile hotspot on Windows

Windows + X -> Settings -> Network & internet -> Mobile hotspot, turn on.

2. Connect your mobile phone to the hotspot

3. Open Wireshark.

4. Choose an interface.

This is the same as when capturing PC traffic.

5. Apply a display filter to show only HTTP/HTTPS traffic

This is the same as when capturing PC traffic.

6. Capture a specific domain’s traffic

This is the same as when capturing PC traffic.

Decrypt HTTPS/TLS traffic of PC

Using a pre-master secret key to decrypt SSL and TLS

1. Set an environment variable

SSLKEYLOGFILE=~/ssl-keys.log

2. Configure Wireshark to decrypt SSL

Open Wireshark -> click Edit -> click Preferences -> click Protocols -> click TLS -> set (Pre)-Master-Secret log filename to ~/ssl-keys.log

3. Wireshark will decrypt your HTTPS traffic automatically

If you don’t set a pre-master secret log in Wireshark, you can only see the encrypted TLS records and the TCP traffic of the HTTPS website. Once you set a pre-master secret log in Wireshark, you can see the decrypted HTTP traffic.

Filter with

(http || http2) && (http.host == "xxx.xxx.com" || tls.handshake.extensions_server_name == "xxx.xxx.com" || ip.dst == xxx.xxx.xxx.xxx)

Select any HTTP packet in the packet list, and click the Decrypted TLS tab to see the decrypted data.
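Wireshark matches each captured handshake to the key log by the client random in its Client Hello, so a session decrypts only if its secrets were written to ~/ssl-keys.log. The following Python check is an added example, not part of the original guide: it parses a key log in the NSS format and reports, per client random, whether the secrets are there. The names parse_keylog, coverage and SAMPLE are hypothetical, the sample log is constructed, and treating a TLS 1.3 session as covered only when all four traffic secrets are present is an assumption of this example.

```python
import re
from collections import defaultdict

# Labels from the NSS key log format that SSLKEYLOGFILE output follows.
TLS12 = "CLIENT_RANDOM"  # TLS 1.2 and earlier: client random -> master secret
TLS13 = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
         "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
OPTIONAL = {"CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
            "EXPORTER_SECRET"}
# <label> <client random, 64 hex> <secret, hex>; legacy "RSA" lines are rejected
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def parse_keylog(text):
    """Return ({client_random: set(labels)}, [line numbers that failed])."""
    sessions, bad = defaultdict(set), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        m = LINE.match(line)
        ok = m and m.group(1) in TLS13 | OPTIONAL | {TLS12}
        # A TLS 1.2 master secret is always 48 bytes (96 hex characters).
        if not ok or (m.group(1) == TLS12 and len(m.group(3)) != 96):
            bad.append(n)
            continue
        sessions[m.group(2).lower()].add(m.group(1))
    return dict(sessions), bad

def coverage(sessions, client_random):
    """Classify one handshake by the secrets logged for its client random."""
    labels = sessions.get(client_random.lower(), set())
    if TLS12 in labels:
        return "tls1.2"
    if TLS13 <= labels:
        return "tls1.3"
    return "incomplete" if labels & TLS13 else "missing"

# Constructed sample log (repeated bytes, not real key material).
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file",
    "CLIENT_RANDOM " + "11" * 32 + " " + "a1" * 48,
    *(f"{label} {'22' * 32} {'b2' * 32}" for label in sorted(TLS13)),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "c3" * 32,
    "CLIENT_RANDOM " + "44" * 32 + " " + "d4" * 10,  # truncated line
])

if __name__ == "__main__":
    sessions, bad = parse_keylog(SAMPLE)
    print({r[:2]: coverage(sessions, r) for r in sessions}, "malformed:", bad)
```

The client random to look up is the Random field of the Client Hello in the capture. A result of "missing" usually means the handshake happened before the variable was set or in a program that does not write a key log.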
