HTTP/HTTPS Analysis Using Wireshark

Check the updated DevOps Course.

Prashant Lakhera
Devops World
4 min read · Mar 23, 2017



How HTTP works

To demonstrate this, let's use one of the sample captures from the Wireshark website (http.cap).

Before you start analyzing any packet, turn off "Allow subdissector to reassemble TCP streams" (Preferences → Protocols → TCP). This keeps Wireshark from merging several TCP segments into one reassembled PDU, so you see every segment as it was captured.

http.cap

As you can see, I am using plain HTTP so that the data is not hidden behind TLS encryption.

As you can see, at packet number 13 a standard DNS resolution is happening.

At packet number 17 you see the response coming back with the full DNS resolution.

Now look at packet number 4, the GET request. HTTP primarily uses two methods:

1: GET: to retrieve information

2: POST: to send information (for example, when we fill in and submit a form, that is a POST)

Here I am trying to get download.html via HTTP protocol version 1.1 (a newer version of the protocol, 2.0, is now available).

Then at packet number 5 we see the acknowledgement, and at packet number 6 the server was able to find that page and sent back HTTP status code 200.

If you want more info about HTTP status codes

You will see some more info for packet 6, like the server type (Apache), the content type (HTML), and how long the content is (Content-Length).

Then you will see a bunch of "Continuation" packets. That is due to the TCP window: you don't get an acknowledgement for each and every packet, and with reassembly off each further segment of the same HTTP response is shown on its own.

And at the top is the usual TCP three-way handshake.
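The "Continuation" behaviour and the reassembly preference described above, as an added example that is not code from the original post: a small Python parser that labels TCP segment payloads the way Wireshark does with reassembly off, and stitches the response body back together (the reassembled view) once Content-Length bytes have arrived. The request, headers and segment payloads are constructed samples, not bytes taken from http.cap.

```python
# Added example, not code from the original post. With TCP reassembly off, only the
# segment holding the status line is dissected as HTTP; later ones are "Continuation".
# With reassembly on, body bytes are stitched together until Content-Length is met.

# Constructed sample request, in the shape of packet 4 in the post.
REQUEST = b"GET /download.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# Constructed sample response, split across three TCP segment payloads.
RESPONSE_SEGMENTS = [
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
    b"Content-Length: 39\r\n\r\n<html><body>",
    b"download page</body>",
    b"</html>",
]

def parse_request_line(data: bytes):
    """Return (method, target, version) from the first line of a request."""
    return tuple(data.split(b"\r\n", 1)[0].decode("ascii").split(" "))

def label_segment(payload: bytes) -> str:
    """Label one segment the way Wireshark does with reassembly off."""
    first = payload.split(b"\r\n", 1)[0]
    if first.startswith(b"HTTP/") or first.split(b" ")[0] in (b"GET", b"POST"):
        return "HTTP"
    return "Continuation"

def parse_response_head(data: bytes):
    """Split a response into (status_code, headers, body bytes received so far)."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body

def reassemble_response(segments):
    """Feed segment payloads in order; return (status, headers, body) once complete, else None."""
    buf, status, headers, needed = b"", None, None, 0
    for seg in segments:
        buf += seg
        if headers is None:
            if b"\r\n\r\n" not in buf:
                continue  # header block not complete yet, keep buffering
            status, headers, buf = parse_response_head(buf)
            needed = int(headers.get("content-length", 0))
        if len(buf) >= needed:
            return status, headers, buf[:needed]
    return None  # stream ended before Content-Length bytes of body arrived
```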

Now let's try to dissect an HTTPS capture.

snakeoil2

As you can see:

  • the TCP 3-way handshake is happening,
  • a Client Hello from the SSL client, then an acknowledgement from the server,
  • a Server Hello, then an ACK,
  • the exchange of key and cipher information,
  • and finally the two sides actually start exchanging data.

Then if we click on any Application Data packet, the payload is unreadable to us, all gibberish; but with Wireshark we can decrypt that data. The only thing we need is the private key of the server. Note that decrypting with the server's private key only works when the session used RSA key exchange; with (EC)DHE cipher suites, which provide forward secrecy, the private key is not enough and you need the session secrets (for example from a key log file) instead.

Once again go to Preferences → Protocols → SSL.

Add these values:

IP address: 127.0.0.1

Port: 443

Protocol: http

Key File: https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=snakeoil2_070531.tgz

As you can see, the data is now decrypted.
