Ask Your Question
0

How to capture HTTPS traffic to specific domain?

asked 2019-08-06 17:27:57 +0000

Hector Santos gravatar image

updated 2019-08-07 04:03:34 +0000

I need to capture the traffic from my Win7 machine where I just installed WireShark v3 to HTTPS web sites hosted at small office network with AT&T Fiber Ethernet. What would the command be to capture filter or script or menu options or a reference to an online example? I need to basically say:

Start Capturing and Log from SRC IP the HTTPS connection to host IP XYZ. Filter all other network traffic.

I need to do this for three sites on my network.

Reason:

In the past month, AT&T has begun degrading, intentionally or unintentionally, the HTTPS channel causing packet disruptions, timeouts and resets with the browser. HTTP traffic has no problem. It appears AT&T has taken the two main domains I cited as examples showing the problem, secure.winserver.com and secure.santronics.com and 'white listed" them to improve the HTTPS performance. While there are still some delays, the packets do not timeout and reset. However, all other hosted domains on HTTPS are being disrupted and degraded. With escalated support, AT&T has asked that I get a WireShark capture to illustrate the problem.

Why could the reasons for this to happen with only HTTPS and not HTTP?

I am speculating the following:

AT&T is performing packet security analysis and DPI (Deep Packet Inspection) in their main network/data center. All packets are routed there. Of recent, this DPI, Monitoring activity has been impacting our HTTPS channel communications. HTTP packets travel this same route but the unsecured, unencrypted packets are not causing a slow down. HTTPS appears to be an new overhead problem with AT&T customers with recent Fiber Broadband network changes.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-08-06 17:38:49 +0000

grahamb gravatar image

Use dumpcap (part of the Wireshark suite) on the command line to setup a capture into a set of capture files (so that you don't end up with one huge unworkable file).

Use dumpcap -D to list your network interfaces and select the number (i.e. 2) for the interface that is connected to the internet and put that after the -i parameter below:

dumpcap -i 2 -w path\to\capture\file -b duration:3600 -f "port 443 and (host a.b.c.d or host e.f.g.h or host i.j.k.l)"

Replace path\to\capture\file with the location of where you want the captures to go, e.g. your users documents directory, and use the real IP's of the server sites.

Use Ctrl + C to terminate the capture. The -b option given creates a new capture file each hour.

edit flag offensive delete link more

Comments

Ok, thank you, exploring this now.

My interface was 6. I have a batch file prepare where I can pass the IP:

dumpcap -i 6 -w logs\beta-winserver-com.log -f "port 443 and host %1"

I have three captured pcapng files per IP and I see I can open them with the GUI to view them. Sweet! I just need learn how to read it. :) I appreciate the quick goto!

What I am basically seeing with HTTPS delays and timeouts are predominately with images. For whatever the reason, perhaps the overhead with the DPI & monitoring by AT&T (and NSA), there is a major processing overhead causing timeouts with HTTPS transfers of images.

What I am not sure of is whether this is just specific to my network location due to recent city-wide infrastructure changes towards AT&T U-Verse Fiber Broadband or its an inherent issue unknown to AT&T engineers that ...(more)

Hector Santos gravatar imageHector Santos ( 2019-08-06 18:58:55 +0000 )edit

For anyone to inspect HTTPS they need to either:

  • Proxy the connection, forging the target sites certificate (Public Key Pinning or Certificate Transparency protects against this).
  • Have access to the keying material generated by the server or the client. This requires invasive access to either system.
  • Have hitherto unknown capabilities that can break TLS encryption.
grahamb gravatar imagegrahamb ( 2019-08-06 19:18:49 +0000 )edit

I agree. However, with stronger ciphers, TLS 1.2/1.3 and the "Encrypt Always and Everything" industry direction, there has been recent calls by the DOJ for Silicon Valley, developers and designers to add inspection (backdoor) "hooks" into products or be forced to do so by law I know, ridiculous, but its out there.

Hector Santos gravatar imageHector Santos ( 2019-08-06 19:58:45 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-08-06 17:27:57 +0000

Seen: 5,264 times

Last updated: Aug 07 '19

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2