Wireshark > no filters, all interfaces, promiscuous mode -> not seeing HTTP
I have used Wireshark before successfully to capture REST API requests. [Picture - not enough points to upload]
I have a new laptop, installed WS, and am seeing that HTTP protocol does not appear in the window while refreshing a browser or sending requests.
I removed all capture filters, selected all interfaces (overkill, I know), and set them all to promiscuous mode.
Nevertheless, when I use the view filter http.request or http.response, I only see SSDP records.
Version: Version 4.0.5 (v4.0.5-0-ge556162d8da3).
However, if the URL in my browser app is qa2.acme.com with IP 159.1.1.1, I can see its traffic as TCP or TLS, but not HTTP.
Also, if I set the Source as src.addr (unresolved), the IP is as expected.
But the default setting of Source Address shows what looks like a MAC address (?)
Src: ves-io-0b9b2c58-c8db-4cc9-80a1-276913b4eef9.ac.vh.ves.io (159.x.x.x)
This data stream is then encrypted; to see HTTP, you would have to decrypt first. There are other protocols that can be used, too, like QUIC, or flowing over a VPN tunnel which would then hide the traffic, by design, from simple filters.
If you are capturing traffic to/from the same host as the browser, then promiscuous mode would not be necessary.
Try this site with your browser: http://www.neverssl.com
Do you see http traffic when connecting here?
I was able to get HTTP to appear in Chrome - once - by using the instructions in the article you linked. I.e., defining an environment variable SSLKEYLOGFILE and so on.
Then it did not work.
I also tried IE once, and it worked there.
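A check for the file that SSLKEYLOGFILE points to, added here as an example (it is not part of the original thread and not Wireshark's own code): it validates each line against the NSS key log format, so a file the browser stopped writing, or wrote only partially, is caught before looking at the capture. The function names and the sample lines are assumptions constructed for illustration.

```python
import os
import re
from collections import Counter
from pathlib import Path

# NSS key log labels -> allowed secret length in hex characters.
ALLOWED = {"CLIENT_RANDOM": (96,)}  # TLS 1.2: 48-byte master secret
for _name in ("CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
              "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
              "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"):
    ALLOWED[_name] = (64, 96)       # TLS 1.3: SHA-256 or SHA-384 sized secret
# <label> <32-byte client random as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

# Constructed sample (not real secrets); its last line is cut short mid-write.
SAMPLE = "\n".join([
    "# constructed key log",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "12" * 32 + " " + "34" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "12" * 32 + " " + "56" * 16,
])

def audit_keylog(text):
    """Return (Counter of well-formed labels, [(line_no, problem), ...])."""
    labels, problems = Counter(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        m = LINE_RE.match(line)
        if not m:
            problems.append((no, "not '<label> <client_random> <secret>'"))
        elif m.group(1) not in ALLOWED:
            problems.append((no, "unknown label " + m.group(1)))
        elif len(m.group(3)) not in ALLOWED[m.group(1)]:
            problems.append((no, "truncated or wrong-length secret"))
        else:
            labels[m.group(1)] += 1
    return labels, problems

def has_session_secrets(labels):
    """True if a TLS 1.2 master secret or both TLS 1.3 traffic secrets exist."""
    tls13 = labels["CLIENT_TRAFFIC_SECRET_0"] and labels["SERVER_TRAFFIC_SECRET_0"]
    return bool(labels["CLIENT_RANDOM"] or tls13)

if __name__ == "__main__":
    path = os.environ.get("SSLKEYLOGFILE", "")
    text = Path(path).read_text(errors="replace") if Path(path).is_file() else SAMPLE
    labels, problems = audit_keylog(text)
    print(dict(labels), problems, has_session_secrets(labels))
```

Well-formed lines only show that the browser is logging secrets; decryption also requires that a logged client random belongs to a session present in the capture.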