This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Not capturing

0

Hello,

I'm using RStudio, with a JSON package. I'm running a command which causes a JSON request and then gets a response, yet it's not showing up in Wireshark. I've got my filter set to http || http2 || json, and I'm getting other HTTP information and some JSON from the Dropbox LAN Sync Discovery Protocol. Any idea why I'm not able to sniff stuff from RStudio? Do I need to configure some options in Wireshark?

Windows 10.

Thanks

asked 05 Feb '16, 13:27


ThomasM
1223
accept rate: 0%

I'm wondering whether maybe the traffic is over https - is there any easy way to capture https stuff? Could this be my issue?

(05 Feb '16, 14:17) ThomasM

JSON request to where? If the local host, then Wireshark with WinPcap won't see it. If off host, then maybe it's going to another port or is encrypted with TLS?

(05 Feb '16, 14:18) grahamb ♦

No way to answer without the capture file and information about the network (at least the IP addresses of the client and server of the JSON requests).

Please publish the capture file somewhere (cloudshark, google drive, onedrive, dropbox...) for access without login, place a link to it in your question (use "edit"), and add the information about the IP addresses.

(05 Feb '16, 14:23) sindy

You can capture https just as easy as any other traffic; the tough part comes when you want to decrypt it. Once you confirm that you do use https to transport JSON, look through this site for advice regarding decryption of https.

(05 Feb '16, 14:30) sindy

Or perhaps read the canonical source on using Wireshark and decrypting TLS (still called SSL on the page), the wiki page.

(05 Feb '16, 15:14) grahamb ♦

The web service which uses JSON is in a remote location (an MS Azure service). In the end I just used Fiddler and set "decrypt https traffic". Fiddler is showing me what I need now. What should I have done to make it work in Wireshark?

(05 Feb '16, 16:38) ThomasM

Thanks all. I actually originally looked at the decryption page, but there were lots of steps along the command line and I wasn't originally sure that was my problem. Unless I'm missing something obvious in Wireshark, Fiddler simply had a checkbox in the options GUI I had to check in an obvious place.

(05 Feb '16, 18:20) ThomasM

Fiddler works very differently from Wireshark. Wireshark (or, rather, the libpcap library it uses) taps into the OS's mechanism for grabbing raw link-layer packets on UN*X and, with the help of the WinPcap driver, taps into Windows NDIS (or, rather, WinPcap taps into NDIS) for getting copies of raw link-layer packets on Windows. Fiddler acts as a Web proxy, pretending to the browser to be the Web server and pretending to the Web server to be the browser, which allows it to decrypt the traffic with much less difficulty.

(06 Feb '16, 00:07) Guy Harris ♦♦
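The comments above boil down to three reasons the JSON traffic could be missing from the capture: the request goes to the local host (WinPcap does not see loopback traffic), it goes over TLS (captured, but the payload is ciphertext until you decrypt it), or it uses a non-standard port (captured, but not dissected as HTTP). The helper below is an added example, not code from the thread or from the Wireshark project; it takes the URL an application calls and maps it to the matching case and a display filter to try. The URLs and hostnames in it are constructed samples, and the `tls` filter name assumes Wireshark 3.0 or later (older versions use `ssl`, as the wiki page mentioned above still does).

```python
# Added example (not from the thread): triage why an application's JSON
# request does not show up under the "http || http2 || json" filter.
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_loopback(host: str) -> bool:
    """True for localhost names and loopback addresses (127/8, ::1)."""
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary hostname; assumed to be off-host


def triage(url: str) -> dict:
    """Classify a URL into the cases discussed in the thread.

    Returns a dict with the case name, whether a WinPcap/libpcap capture on the
    NIC will contain the packets at all, the reason, and a display filter.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS[scheme]

    if is_loopback(host):
        # Loopback traffic never reaches the NDIS/NIC path that WinPcap taps.
        return {
            "case": "loopback",
            "visible": False,
            "reason": "traffic stays on the host; WinPcap does not see loopback packets",
            "filter": "ip.addr == 127.0.0.1 || ipv6.addr == ::1",
        }
    if scheme == "https":
        # Packets are captured, but HTTP/JSON is inside the TLS record layer;
        # decryption needs a key log or the server's RSA key (see the wiki page).
        return {
            "case": "tls",
            "visible": True,
            "reason": "captured but encrypted; decrypt TLS before the http/json filters match",
            "filter": f"tls && tcp.port == {port}",  # 'ssl' in Wireshark < 3.0
        }
    standard = port == DEFAULT_PORTS["http"]
    return {
        "case": "http" if standard else "http_nonstandard_port",
        "visible": True,
        "reason": ("plaintext HTTP on port 80; the http filter should match"
                   if standard else
                   "plaintext HTTP on a non-standard port; use 'Decode As' HTTP"),
        "filter": "http || json" if standard else f"tcp.port == {port}",
    }


if __name__ == "__main__":
    # Constructed sample URLs, one per case.
    for sample in ("http://localhost:8787/api", "https://api.example.com/v1/data",
                   "http://10.0.0.5/data", "http://10.0.0.5:8080/data"):
        print(sample, "->", triage(sample)["case"])
```

For the case in the thread (an Azure-hosted HTTPS endpoint) the result is `tls`: the packets are in the capture, and the remaining step is decryption as described on the Wireshark TLS wiki page rather than any capture option.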