Ask Your Question


asked 2019-05-09 11:08:26 +0000

ERGeorgiev gravatar image

updated 2019-05-09 11:19:20 +0000

grahamb gravatar image


I have been trying to sniff packets to and get the user/pass I entered in the forms after submit, but Wireshark is simply not getting them.

I used tracert to get ip address and then filtered in Wireshark with ip.addr, but to no avail, no packets available. The only packets I got to that website were some DNS protocol queries from the tracert, but nothing from firefox nor google when submitting the forms.

What am I doing wrong?

My method:

  1. Start capturing packets in Wireshark on all available interfaces
  2. Go to and enter some username and password.
  3. Submit and proceed within the website.
  4. Stop capture in wireshark.
  5. Try to filter by http.request.method == "POST"
  6. No POST requests (only keep-alive ones with no info on them with OCSP protocol)

Note that I am using a proxy to access the net.

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2019-05-10 07:12:20 +0000

updated 2019-05-10 07:15:22 +0000

  1. Try to use host as capture filter. It'll resolve the name and filter by corresponding IP.

  2. BUT the site you're talking about is a bit more complex. You'll not spot any clear-text POST request as the second part (credentials transfer) uses different name ( and is TLS-encrypted.

They clearly say the next:

If you look at the source code of the demo page, you'll see that we injected a malicious JavaScript file stealmylogin.js into the page, just as an attacker might. This malicious code steals the login info just before its being securely submitted to the service.

And this is exactly what's happening. After you go by additional GET request is issued for the script named stealmylogin.js which is transferred gzipped.

The script captures your credentials, opens popup form with them. After you press the button an encrypted TLS session to starts where your credentials are transferred further (using POST, but this POST is encrypted).

So you'll not be able to see any packets using http.request.method == "POST" just because there is no plain HTTP POST used for that and your data is transferred to different website.

edit flag offensive delete link more

answered 2019-05-09 12:33:16 +0000

Christian_R gravatar image

updated 2019-05-09 12:33:52 +0000

Here you can find a really nice tutorial how wireshark can be used for your purpose:

Password stealing tutorial

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2019-05-09 11:08:26 +0000

Seen: 2,292 times

Last updated: May 10 '19