
How to see the search results of google.com in Wireshark

asked 2022-05-24 20:58:42 +0000 by choudhry

I searched the phrase 'stima' on google.com, as shown in the image below.

[screenshot: Google search for 'stima']

Now, how can I see the results of it in Wireshark? I mean, where and in which part can I see the word 'Stima' that was typed in the search bar?

I tried very hard to see it in Wireshark, but I am unable to see the results.

Here is a screenshot of Wireshark.

[screenshot: Wireshark packet list]

I am also providing the pcap file. Can you look at it and help me with my query?

https://fastupload.io/zwiGpuEiUYClnz5


2 Answers


answered 2022-06-15 06:26:35 +0000 by grahamb

updated 2022-06-16 04:52:15 +0000

The extra info is helpful, I have downloaded the following files from your question; "google search on port 443.pcapng" and "SSLKEYLOG.log".

Firstly, you have captured a number of external connections in the traffic; these may have been from applications other than your browser, but they do make finding the google.com connection a bit more difficult. To locate the server that is being used for the connection, I like to add the "Server Name Indication" field as a column. To do this, click on frame 3 in the packet list, then in the packet details pane expand the "Transport Layer Security" header, then the "TLSv1.2 Record Layer: Handshake Protocol: Client Hello" header, then the "Handshake Protocol: Client Hello" header, then the "Extension: server_name (len=25)" header, then the "Server Name Indication extension" header so that you can see the "Server Name: sockets.anty-api.com" field. Right-click the field and select "Apply As Column". This then adds the "Server Name" column to the packet list.

Even though this is a simple Google search, there are a lot of bits involved, so to abbreviate this answer, the data you want is in the connection that starts at frame 221.

Scroll down the packet list until frame 221. Next, filter the display to show only data from this connection: right-click frame 221 in the packet list and select "Follow -> TCP Stream", as this is a TCP connection. This brings up the TCP stream dialog that shows the TLS handshake for this connection along with some encrypted traffic data. Close the TCP Stream dialog. You should now see that for frame 31 in the packet list the server name is "www.google.com", which is your target server.

Next, to decrypt the data, copy the "SSLKEYLOG.log" file into the same place as the capture file. In Wireshark, right-click frame 231 in the packet list and select "Protocol Preferences -> Transport Layer Security -> (Pre)-Master-Secret log filename:". In the edit field that appears at the top of the packet list, use the browse button to select the "SSLKEYLOG.log" file.

If you have correctly captured the required keying material, then the traffic should decrypt; it does for me, and I can now see HTTP2 packets in the list. To simplify things, limit the display of this connection to HTTP2 packets. Select frame 233, then in the packet details, right-click one of the "HyperText Transfer Protocol 2" headers and select "Apply As Filter -> ...and Selected". The decrypted HTTP2 traffic now shows what goes on just to bring back the initial Google Search page.

Unfortunately I have now hit a brick wall. I suspect your Google search for "Stima" is now being done via one of the QUIC connections in the capture but I can't get those to decrypt.

Edit: You had changed the search to 'stearing gulls', which confused me.


Comments

First, I would like to thank you for the detailed answer.

Secondly, did you happen to find the search term 'stearing gulls', which I searched for in Google this time, and for which I had sent you the file?

Thirdly, I am really confused and can't understand what you wrote above there. Can you show it to me with the help of screenshots?

Waiting for your detailed answer again.

choudhry ( 2022-06-15 20:50:05 +0000 )

The text stearing%20gulls (note the %20 encoding of a space) as part of a GET request appears in the HTTP2 headers of the following frames: 1228 and 1936.

The header from frame 1228 looks like this:

Header: :path: /complete/search?q=stearing%20gulls&cp=0&client=gws-wiz&xssi=t&hl=en-PK&authuser=0&pq=steering%20gulls&psi=lvmoYqamJ8aSa-zVg5gL.1655241106814&ofp=GO3Jj7u19eTFORiej9CT0-rbwiEYrYri2N2wteXxARjQtsH6_ZL-s_wBGN-jzey5wdPb6gEQAQ&dpr

Note the many additional elements that are added to the request to service Google's search needs, but the original search term can be seen in the q element, i.e. ?q=stearing%20gulls

grahamb ( 2022-06-16 04:49:18 +0000 )

Thank you for the detailed answer again. Here is what I got and what I wanted:

I did as you commanded above, and I got to see the search term 'steering gulls' in the Header info line.

But what I wanted exactly was to see my search term along with the other details brought back by Google in the search page, i.e. all the text that was shown in the page, somewhere in the Wireshark window, as below:

[link to screenshot]

So, can you do me one more favour and help me find where all the text of the page, including my search keyword and the other text details, can be seen in Wireshark (as explained in the above screenshot as well)?

Hoping for your cooperation.

choudhry ( 2022-06-17 22:44:44 +0000 )

Unfortunately, I'm out of time and skill to assist further. I'm not at all familiar with HTTP2, and although I can see the many GET requests for the data, I don't see the data coming back, and the Wireshark option "File -> Export Objects -> HTTP..." doesn't provide anything useful either.

grahamb ( 2022-06-18 05:31:45 +0000 )

You have to help me here, as no one has helped me here as much as you. All I want is to see the data in Wireshark: how and where is it seen, under which command in Wireshark? If not in TCP, maybe in some other. Can you also find out from someone else and help me here?

choudhry ( 2022-06-18 21:25:16 +0000 )

answered 2022-05-25 04:53:22 +0000 by Jaap

Have you noticed the lock icon at the start of the address bar in the browser window? That indicates that the browser established an encrypted connection between itself and Google. Therefore all communications, including your search term, become unreadable when they traverse the network. That network is what you are looking at with Wireshark, therefore you won't find your search term in there.


Comments

So, is there a way to see it in Wireshark then? Or any way to remove the encryption and then see the results?

choudhry ( 2022-05-25 12:27:13 +0000 )

Yes, see the wiki page on TLS.

grahamb ( 2022-05-25 18:58:16 +0000 )

I have already added the environment variable "SSLKEYLOGFILE" to Wireshark, but even after that I am unable to see the entire results.

Plus, can you look at this file and tell me the details on how to read it in Wireshark? Can you look into it and help me with my query?

https://fastupload.io/zwiGpuEiUYClnz5

choudhry ( 2022-05-25 19:25:26 +0000 )

Have you followed the instructions for using the pre-master secret exactly as written and you are using Chrome or Firefox?

grahamb ( 2022-05-25 20:26:56 +0000 )

Yes, I did it that way, prior to when you shared that link, and I am using Firefox for the above search. If you want to be sure, I can share any screenshots with you as well.

choudhry ( 2022-05-25 20:30:37 +0000 )
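The decryption steps in grahamb's answer and the SSLKEYLOGFILE exchange under Jaap's answer both depend on one thing that neither post shows how to verify: the keylog file must contain a line whose client random matches the ClientHello of the connection you are trying to read. The following is an added example for this thread, not Wireshark, Firefox or NSS code. It parses a TLS ClientHello record to pull out the SNI (the field grahamb adds as a column) and the 32-byte client random, parses a keylog in the format Firefox writes, and reports whether that connection is decryptable at all. The ClientHello bytes, hostnames and keylog lines are constructed for the example, not taken from the poster's capture; the function names are the example's own.

```python
"""Offline check for the decryption problem in this thread: read the SNI and
client random from a TLS ClientHello, then look for that client random in an
SSLKEYLOGFILE. Added example for this thread, not Wireshark or Firefox code.
All sample data below is constructed, not captured."""
import struct
from typing import Dict, List, Optional, Tuple

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # server_name extension (SNI)


def parse_client_hello(record: bytes) -> Dict[str, Optional[str]]:
    """Return {'client_random': hex, 'sni': host or None} from a TLS record
    that carries a ClientHello; raise ValueError for anything else."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2                                   # skip legacy_version
    client_random = hello[pos:pos + 32]       # what CLIENT_RANDOM lines key on
    pos += 32
    pos += 1 + hello[pos]                     # legacy_session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                     # compression_methods
    sni = None
    if pos + 2 <= len(hello):                 # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            edata = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:
                # ServerNameList: u16 list length, then (u8 type, u16 len, name)
                list_end = 2 + struct.unpack("!H", edata[:2])[0]
                p = 2
                while p + 3 <= list_end:
                    ntype = edata[p]
                    nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                    if ntype == 0:            # host_name
                        sni = edata[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
    return {"client_random": client_random.hex(), "sni": sni}


def parse_keylog(text: str) -> Dict[str, Dict[str, str]]:
    """Map client_random (hex) -> {label: secret}. Labels are CLIENT_RANDOM for
    TLS 1.2 and the per-epoch TLS 1.3 labels such as
    CLIENT_HANDSHAKE_TRAFFIC_SECRET and SERVER_TRAFFIC_SECRET_0."""
    out: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or line.lstrip().startswith("#"):
            continue                          # comment, blank or malformed line
        label, client_random, secret = parts
        out.setdefault(client_random.lower(), {})[label] = secret.lower()
    return out


def keylog_covers(record: bytes, keylog_text: str) -> Tuple[Optional[str], bool, List[str]]:
    """(sni, decryptable, labels found) for the connection whose ClientHello is
    `record`. decryptable is True when the keylog has at least one line for
    this client random, i.e. the browser logged secrets for this session."""
    hello = parse_client_hello(record)
    labels = parse_keylog(keylog_text).get(hello["client_random"], {})
    return hello["sni"], bool(labels), sorted(labels)


def build_client_hello(client_random: bytes, sni: str) -> bytes:
    """Constructed minimal ClientHello (one cipher suite, null compression, one
    SNI extension) so the example runs without a real capture."""
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sn_list = struct.pack("!H", len(name_entry)) + name_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    hello = (b"\x03\x03" + client_random + b"\x00"     # version, random, no session id
             + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
             + b"\x01\x00"                             # one compression method: null
             + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


# Constructed sample: a ClientHello to www.google.com plus a keylog in the NSS
# format Firefox writes, with one line for this session and one for another.
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_RECORD = build_client_hello(SAMPLE_RANDOM, "www.google.com")
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, generated by NSS\n"
    "CLIENT_RANDOM " + SAMPLE_RANDOM.hex() + " " + "ab" * 48 + "\n"
    "CLIENT_RANDOM " + "ff" * 32 + " " + "cd" * 48 + "\n"
)
# A session the browser never logged (e.g. it was started before SSLKEYLOGFILE
# was set, or the traffic came from another application): not decryptable.
UNLOGGED_RECORD = build_client_hello(b"\x11" * 32, "example.org")
```

The same check can be done by hand in Wireshark: the value of `tls.handshake.random` in the ClientHello must appear verbatim in a `CLIENT_RANDOM` (TLS 1.2) or `CLIENT_HANDSHAKE_TRAFFIC_SECRET` / `SERVER_TRAFFIC_SECRET_0` (TLS 1.3) line of the keylog. If it does not, the usual causes are a browser process that was started before the variable was set, or connections made by a different application than the one writing the file. Wireshark 3.3 and later read the same keylog for QUIC, so the QUIC connections grahamb could not decrypt may decrypt on a newer release; once a connection decrypts, the page text the poster is after lives in the HTTP/2 DATA frames of the response, not in the request headers where the `q=` term was found.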

Last updated: Jun 16 '22