How to capture HTTPS with Wireshark?
Wireshark 1.2 now supports HTTPS capturing. For a long time, the Wireshark developers decided that to capture an HTTPS session, we must modify the web browser. There are some limitations to this approach:
Most web browsers are able to capture encrypted web pages and decrypt them in order to display the web content. Wireshark doesn't support decryption of encrypted web pages (because of patent issues). However, this approach doesn't work when you need to see the traffic generated by an HTTPS-protected web page. It could be the case, for example, when you want to analyze a web page without its security certificates. If you use the web browser to view the content of the page, it will be shown with a security certificate error. This error will stop you from capturing the page content.
Another solution would be to modify the web browser in order to display the web page content. But this solution is not acceptable because web browsers are made for us to use the web, and browsing through them requires specific knowledge and skills.
Instead of modifying the web browser to display the content of an HTTPS-protected page, Wireshark can now capture and decrypt the HTTPS traffic. The Wireshark developers decided to follow this solution.
Capturing HTTPS sessions is not trivial. In fact, HTTPS is based on the use of certificates to provide the security of the connection. The certificates are signed by certificate authorities. They also have a Public Key Infrastructure (PKI) to manage the trust between the certificates and the parties that will use them.
At the time of writing, there are 4 types of PKI and certificate types:
X.509 certificates. This is the most common PKI type used by web browsers and HTTP servers.
Extended certificates. This type is used when you want to generate a self-signed certificate (a certificate with the same private key as the public key used to encrypt the traffic generated by a web browser or HTTP server). The problem with self-signed certificates is that the party that generates them risks sending them to the wrong people. Therefore, web browsers usually don't use them for HTTPS sessions.
Open certificates. This type of certificate is widely used because they are easily generated, and the use of open certificates doesn't require trusting a certificate authority.
How to see SSL in Wireshark?
How to read encrypted traffic
On the Windows platform you can see the HTTPS in TCP streams. How about other platforms? My friend asked me this question for his research topic; my answer is that we need to capture the TLS handshakes by using Wireshark with OpenSSL or similar tools. I also give a sample output here to show you how to get this.
Sample output: the handshake process from the client and server side. Let's see more samples in our Wireshark:
Sample 1: We can see an SSL handshake happen between server A and B. So it means the client A connects to B, then sends a hello message to B. B replies hello back and sends certificate info back to You can find the corresponding pcap file in C:UsersAdminDesktopWiresharkClient-ServersslHandshake. You will see the handshake process in Wireshark as below.
Sample 2: We can find that another SSL handshake happens between client A and certificate exchange info happens from server A to
Sample 3: We can see TCP SYN packets sent to the client C, and the destination port number is the destination port number for port 8080. The contents are a request line (GET /test HTTP/1.1), so we can know what the HTTP request is.
The destination port number is the port for our HTTP web server. The client sends the request line and request body to our web server after we setup port 8080, this behavior can tell us that the client wants to connect to our web server on the destination port.
But we have some concerns. What if the client sends an HTTP response line to our web server? It won't match the request IP; if the destination address is not the same, then Wireshark will treat this as an error and give a warning. So we hope that the source and destination port numbers will be the same, but it's not our expectation. To resolve these issues, we may change our packet capture settings (see more): TCP/IP Headers & Options. Wireshark should display two kinds of ports when viewing the connection with SSL and without SSL for network monitoring.
Can Wireshark see through HTTPS?
I am trying to debug an issue with a HTTPS connection over a wireless network, and I want to capture the traffic.
I can't seem to get Wireshark to capture the data, and there are no errors in the logs. Is it possible to capture traffic through an encrypted connection?
I haven't tried this on Windows, but you may have some luck with the OpenSSL libraries. If you're looking for help with WinPcap, there's a thread here that suggests the following (comments mine): You need a client and a server both running on your machine. Then you can start Wireshark from your client and choose the server as capture interface. The only problem is that you won't be able to use the interface's name as filter. You'll have to use the IP address instead.
You could try sniffing from both client and server and see if one works and one doesn't. This is more of a networking question than a Wireshark question. Generally speaking, if you have two computers (or other devices) that are using the same network and operating system and you are able to see traffic between them, then it means that they are not encrypted (as in: HTTPS). As @sampson suggested, you could also sniff traffic between two different operating systems (Windows and Linux, for example) or different devices (USB stick or router) and you'll see what you are expecting.
Why Wireshark does not capture HTTPS?
After reading the first part of this article, please read the second part, where I'm going to discuss how to enable HTTPS in Wireshark.
Part 1 of the article discussed how to capture HTTP/HTTPS packets using Wireshark and what prerequisites are needed for capturing and understanding such traffic. Part 2 of the article is about how to enable SSL/TLS support in Wireshark. In this section, I'll show you how to capture encrypted HTTP/HTTPS traffic from your network interface. The following screenshots show me capturing an HTTPS connection. The capture was done using Ethereal.
Capturing HTTPS packets is easy. All we need is a sniffer tool like Wireshark. First, we need to install Wireshark using the commands:
sudo apt-get install wireshark   # Install Wireshark.
sudo apt-get install libpcap0 libcap0   # Install the prerequisites.
Once installed, it will be used to capture packets from our network interfaces. Open Wireshark, and click on Capture > New capture. Click on Network > Tcp/Udp. You should be able to see the port 6881 in the list. If not, choose it manually or browse to the website URL by using It will display as HTTP.
Click on Start Capture and wait for a few seconds. After a few seconds, you'll see the following screen. You can ignore all the messages that say No connection found or Connection closed. If you select a particular port and click on Start Capture, it will start capturing packets at that port and you can see the traffic over that port. This is how you can understand the traffic.
If you want to see the HTTP headers, go to Protocol > HTTP > Headers. You'll be able to see the information related to the HTTP header, like Status code, Request method, Server, Content length, etc. Let's go to Part 2 and understand how to capture and analyse such traffic.