HTTP/HTTPS Analysis Using Wireshark
How HTTP works
To demonstrate this, let's use the sample capture http.cap from the Wireshark website.
Before you start analyzing any packet, turn off "Allow subdissector to reassemble TCP streams" (Preferences → Protocols → TCP). This stops Wireshark from reassembling the TCP segments into a single PDU, so each segment is shown on its own.
As you can see, I am using plain HTTP here so that the traffic is not hidden behind TLS encryption.
As you can see at line number 13, standard DNS resolution is happening.
In line number 17 you see the response coming back with the full DNS resolution.
Now look at packet number 4, which is the GET request. HTTP primarily uses two methods:
1: GET: to retrieve information
2: POST: to send information (for example, when we fill in and submit a form, that submission is a POST)
Here I am requesting download.html via HTTP protocol version 1.1 (a newer version of the protocol, 2.0, is now available).
Then at line number 5 we see the acknowledgment, and at line number 6 the server was able to find that page and sends back HTTP status code 200.
If you want more info about HTTP status codes:
You will see some more info for packet 6, such as the server type (Apache), the content type (HTML), and the content length.
Then you will see a bunch of Continuation packets; that is due to the TCP window, where you don't get an acknowledgement for each and every packet,
and at the top the usual TCP handshake.
Now let's try to dissect an HTTPS capture.
As you can see:
- the 3-way handshake is happening,
- Hello from the SSL client and then an acknowledgement from the server,
- Server Hello and then ACK,
- an exchange of key and cipher information,
- finally it actually starts exchanging data.
If we click on any Application Data packet, the data is unreadable to us; it's all gibberish. But with Wireshark we can decrypt that data, and the only thing we need is the private key of the server.
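To see what Wireshark is labelling in the handshake list above, here is an added example (not from the original post) that parses a constructed TLS 1.2 record stream and labels each record the way the Info column does; the record and handshake builders, the zero-filled message bodies and the single cipher-active flag shared by both directions are assumptions of this example.

```python
import struct
# TLS record content types and handshake message types (RFC 5246), named as Wireshark shows them
CONTENT_TYPES = {20: "Change Cipher Spec", 21: "Alert", 22: "Handshake", 23: "Application Data"}
HANDSHAKE_TYPES = {1: "Client Hello", 2: "Server Hello", 11: "Certificate", 12: "Server Key Exchange",
                   14: "Server Hello Done", 16: "Client Key Exchange", 20: "Finished"}

def parse_tls_records(stream: bytes) -> list:
    """Label each TLS record in a byte stream the way Wireshark's Info column does."""
    # Simplification (assumption of this example): one 'cipher active' flag covers both
    # directions, so every Handshake record after the first Change Cipher Spec is encrypted.
    labels, cipher_active, off = [], False, 0
    while off + 5 <= len(stream):  # a trailing fragment shorter than a record header is ignored
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated TLS record at offset {off}")
        off += 5 + length
        if ctype == 22 and not cipher_active:
            # One plaintext Handshake record can carry several messages: 1-byte type, 3-byte length, body
            names, pos = [], 0
            while pos + 4 <= len(body):
                htype, hlen = body[pos], int.from_bytes(body[pos + 1:pos + 4], "big")
                names.append(HANDSHAKE_TYPES.get(htype, f"Unknown handshake type {htype}"))
                pos += 4 + hlen
            labels.append(", ".join(names))
        elif ctype == 22:
            labels.append("Encrypted Handshake Message")  # the Finished message, sent after Change Cipher Spec
        else:
            labels.append(CONTENT_TYPES.get(ctype, f"Unknown content type {ctype}"))
            cipher_active = cipher_active or ctype == 20
    return labels

def record(ctype: int, payload: bytes) -> bytes:
    """Build one TLS 1.2 record: content type, version 0x0303, 2-byte length, payload."""
    return bytes([ctype]) + b"\x03\x03" + struct.pack("!H", len(payload)) + payload

def handshake(htype: int, body: bytes) -> bytes:
    """Build one handshake message: 1-byte type, 3-byte length, body."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

# Constructed sample stream mirroring the HTTPS capture above (message bodies are zero-filled placeholders)
SAMPLE_STREAM = (
    record(22, handshake(1, bytes(38)))                                                   # Client Hello
    + record(22, handshake(2, bytes(38)) + handshake(11, bytes(12)) + handshake(14, b""))  # Server Hello, Certificate, Done
    + record(22, handshake(16, bytes(130)))                                               # Client Key Exchange
    + record(20, b"\x01")                                                                 # Change Cipher Spec
    + record(22, bytes(40))                                                               # Finished, already encrypted
    + record(23, bytes(64))                                                               # Application Data: the HTTP, unreadable without the key
)
```

Decrypting with the server's private key, as in the steps that follow, only works when the cipher suite uses RSA key exchange, so the premaster secret inside Client Key Exchange can be recovered; with (EC)DHE suites Wireshark needs the session secrets (an SSLKEYLOGFILE) instead.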
Once again go to Preferences → Protocols → SSL
Add these values:
IP address: 127.0.0.1
Port: 443
Protocol: http
Key File: https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=snakeoil2_070531.tgz
As you can see, the data is now decrypted.