
Wireshark > no filters, all interfaces, promiscuous mode -> not seeing HTTP

asked 2023-04-25 08:26:59 +0000

GuyFL

I have used Wireshark before successfully to capture REST API requests. [Picture - not enough points to upload]

I have a new laptop, installed WS, and am seeing that HTTP protocol does not appear in the window while refreshing a browser or sending requests.

I removed all capture filters, selected all interfaces (overkill, I know), and set them all to promiscuous mode.

Nevertheless, when I use the view filter http.request or http.response, I only see SSDP records.

Version: Version 4.0.5 (v4.0.5-0-ge556162d8da3).

However, if the URL in my browser app is qa2.acme.com with IP 159.1.1.1, I can see its traffic as TCP or TLS, but not HTTP.

Also, if I set the Source as src.addr (unresolved), the IP is as expected. But the default setting of Source Address shows what looks like a MAC address (?)

Src: ves-io-0b9b2c58-c8db-4cc9-80a1-276913b4eef9.ac.vh.ves.io (159.x.x.x)


Comments

> can see its traffic as TCP or TLS, but not HTTP.

This data stream is then encrypted; to see HTTP, you would have to decrypt first. There are other protocols that can be used, too, like QUIC, or flowing over a VPN tunnel which would then hide the traffic, by design, from simple filters.

If you are capturing traffic to/from the same host as the browser, then promiscuous mode would not be necessary.

Try this site with your browser: http://www.neverssl.com

Do you see http traffic when connecting here?

Bob Jones ( 2023-04-25 09:51:48 +0000 )

I was able to get HTTP to appear in Chrome - once - by using the instructions in the article you linked. I.e., defining an environment variable SSLKEYLOGFILE and so on.

Then it did not work.

I also tried IE once, and it worked there.

GuyFL ( 2023-04-25 12:04:51 +0000 )

1 Answer


answered 2023-04-25 12:44:52 +0000

GuyFL

OK - finally working.

Chrome.

Again, using the Edit > Preferences > Protocols > TLS > Pre-master secret log file name, using the file I associated with the environment variable created in the instructions here.
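A check for the "worked once, then it did not" symptom in this thread, as an added example that is not part of the original posts: it parses the key log file that SSLKEYLOGFILE points to and reports whether secrets were logged for a given session's ClientHello random (the `tls.handshake.random` field in Wireshark). The function names and sample data are constructed for illustration, and legacy `RSA` lines are not handled.

```python
import re
from collections import defaultdict

# Labels of the NSS key log format (the file SSLKEYLOGFILE points at).
TLS13_APP = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
KNOWN = TLS13_APP | {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
}
# Line format: <label> <32-byte ClientHello random, hex> <secret, hex>
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [unusable line numbers]).
    Odd-length hex counts as unusable (typically a write that was cut short)."""
    sessions, bad = defaultdict(dict), []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m or m.group(1) not in KNOWN or len(m.group(3)) % 2:
            bad.append(n)
            continue
        sessions[m.group(2).lower()][m.group(1)] = m.group(3).lower()
    return dict(sessions), bad

def app_secrets_for(sessions, client_random):
    """Which application-data secrets were logged for this ClientHello random."""
    labels = set(sessions.get(client_random.lower(), {}))
    if "CLIENT_RANDOM" in labels:
        return "tls1.2"   # master secret present
    if TLS13_APP <= labels:
        return "tls1.3"   # traffic secrets for both directions present
    return None           # no application-data secrets logged for this session

# Constructed sample (not real key material).
A, B, C = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE = "\n".join([
    f"CLIENT_RANDOM {A} {'11' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {B} {'22' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {B} {'44' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {B} {'55' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {C} {'66' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {C} 777",   # truncated secret
])
sessions, bad = parse_keylog(SAMPLE)
print({cr[:4]: app_secrets_for(sessions, cr) for cr in (A, B, C, "dd" * 32)}, bad)
```

A `None` result for a random copied from the capture means the browser did not log secrets for that session, for example because it was started without the environment variable set.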
