Filter HTTPS Data Packets by Using Wireshark Tools

Wireshark/HTTPS

Wireshark is a free and open source packet analyzer used for network troubleshooting and
analysis. These activities will show you how to use Wireshark to capture and analyze Hypertext
Transfer Protocol Secure (HTTPS) traffic.

Preparation
To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

Activity 1 - Capture HTTPS Traffic

To capture HTTPS traffic:

1. Open a new web browser window or tab.
2. Start a Wireshark capture.
3. Navigate to https://en.wikiversity.org.
4. Stop the Wireshark capture.
5. Close the web browser window or tab.

Activity 2 - Select Destination Traffic

To select destination traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. To view only HTTPS traffic, type ssl or tls (lower case) in the Filter box and press Enter.
2. Select the first TLS packet labeled Client Hello.
3. Observe the destination IP address.
4. To view all related traffic for this connection, change the filter to ip.addr == <destination>, where <destination> is the destination address of the Client Hello packet observed in step 3.

Activity 3 - Analyze TCP Connection Traffic

To analyze TCP connection traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three-way handshake. Select the first packet.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is your IP address.
7. Observe the Destination address. Notice that the destination address is the IP address of the HTTPS server.
8. Expand Transmission Control Protocol to view TCP details.
9. Observe the Source port. Notice that it is a dynamic port selected for this HTTPS connection.
10. Observe the Destination port. Notice that it is https (443). Note that all of the packets for this connection will have matching MAC addresses, IP addresses, and port numbers.
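The handshake and port checks of steps 1, 9 and 10, as an added example that is not part of the original page: it decodes constructed 20-byte TCP headers (client port 51514 and server port 443 are assumed sample values) the way the packet details pane does, and verifies that three headers form SYN, SYN/ACK, ACK on one port pair with chained sequence numbers.

```python
import struct

FLAG_NAMES = ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x04, "RST"), (0x01, "FIN"))


def build_tcp_header(sport, dport, seq, ack, flags):
    """Constructed 20-byte TCP header: data offset 5, window 65535, checksum and urgent pointer 0."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


def parse_tcp_header(hdr):
    """Decode the header fields Wireshark shows under Transmission Control Protocol."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", hdr[:14])
    bits = off_flags & 0x01FF                    # low 9 bits of the offset/flags word
    flags = "/".join(name for bit, name in FLAG_NAMES if bits & bit)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def is_three_way_handshake(headers):
    """True when the first three headers are SYN, SYN/ACK, ACK of one connection
    (same port pair in both directions, sequence/acknowledgement numbers chained)."""
    if len(headers) < 3:
        return False
    syn, synack, ack = (parse_tcp_header(h) for h in headers[:3])

    def nxt(n):
        return (n + 1) & 0xFFFFFFFF              # sequence numbers wrap at 2**32

    return (
        syn["flags"] == "SYN"
        and synack["flags"] == "SYN/ACK"
        and ack["flags"] == "ACK"
        and (synack["sport"], synack["dport"]) == (syn["dport"], syn["sport"])
        and (ack["sport"], ack["dport"]) == (syn["sport"], syn["dport"])
        and synack["ack"] == nxt(syn["seq"])
        and ack["seq"] == nxt(syn["seq"])
        and ack["ack"] == nxt(synack["seq"])
    )


# Constructed handshake to an HTTPS server: client dynamic port 51514, server port 443.
CLIENT_PORT, HTTPS_PORT = 51514, 443
HANDSHAKE = [
    build_tcp_header(CLIENT_PORT, HTTPS_PORT, 1000, 0, 0x02),     # SYN
    build_tcp_header(HTTPS_PORT, CLIENT_PORT, 5000, 1001, 0x12),  # SYN/ACK
    build_tcp_header(CLIENT_PORT, HTTPS_PORT, 1001, 5001, 0x10),  # ACK
]
```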

Activity 4 - Analyze SSL/TLS Client Hello Traffic

To analyze SSL/TLS Client Hello traffic:

1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the first TLS packet, labeled Client Hello.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Secure Sockets Layer frame. Also notice that the Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection analyzed in Activity 3.
4. Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details.
5. Observe the Cipher Suites and Extensions supported.
6. Observe the traffic captured in the top Wireshark packet list pane.
7. Select the next packet, labeled TCP ACK. This is the server's TCP acknowledgement of receiving the Client Hello request.
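An added example, not from the original page, of what Activity 2 and steps 4 and 5 above are looking at: a parser for the record, handshake and ClientHello layout of a constructed Client Hello (the random, the three cipher suites and the en.wikiversity.org server name are constructed sample values) that returns the offered version, cipher suites, extension types and SNI.

```python
import struct

# Constructed TLS record carrying a minimal ClientHello (sample bytes, not captured
# traffic); the layout is what Wireshark's packet bytes pane shows for a real one.
SNI_NAME = b"en.wikiversity.org"
CLIENT_HELLO = bytes.fromhex(
    "16 0301 0055"          # record layer: type handshake (22), legacy version, 85 bytes
    "01 000051"             # handshake: type ClientHello (1), 81 bytes
    "0303"                  # client_version TLS 1.2
    + "11" * 32 +           # 32-byte client random (constructed filler)
    "00"                    # session_id length 0
    "0006 c02f c030 1301"   # 3 cipher suites (6 bytes)
    "0100"                  # 1 compression method: null
    "0022"                  # extensions length 34
    "0000 0017 0015 00 0012" + SNI_NAME.hex() +  # server_name extension (SNI)
    "002b 0003 02 0304"     # supported_versions extension: TLS 1.3
)

def _u16(buf: bytes, pos: int) -> int:
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def parse_client_hello(record: bytes) -> dict:
    """Return version, cipher suites, extension types and SNI from one ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = _u16(hello, 0)
    pos = 2 + 32                           # skip client_version and random
    pos += 1 + hello[pos]                  # skip session_id
    cs_len = _u16(hello, pos)
    pos += 2
    suites = [_u16(hello, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                  # skip compression methods
    ext_end = pos + 2 + _u16(hello, pos)
    pos += 2
    extensions, sni = [], None
    while pos + 4 <= ext_end:
        etype, elen = _u16(hello, pos), _u16(hello, pos + 2)
        data = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        extensions.append(etype)
        if etype == 0 and len(data) >= 5:  # server_name: list_len(2) type(1) name_len(2) name
            sni = data[5:5 + _u16(data, 3)].decode("ascii")
    return {"version": version, "cipher_suites": suites, "extensions": extensions, "sni": sni}
```

The server name and cipher suites travel in cleartext before any key is negotiated, which is why a Client Hello filter alone already shows which site a connection is for.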

Activity 5 - Analyze SSL/TLS Server Hello Traffic

To analyze SSL/TLS Server Hello traffic:

1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the second TLS packet, labeled Server Hello.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details.
5. Observe the Cipher Suites and Extensions supported.

Activity 6 - Analyze SSL/TLS Certificate Traffic

To analyze SSL/TLS Certificate traffic:

1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the third TLS packet, labeled Certificate, Server Key Exchange, Server Hello Done.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer, TLS, Handshake Protocol, and Certificates to view SSL/TLS details.
5. Observe the certificate information provided.
6. Expand TLS, Handshake Protocol, and EC Diffie-Hellman Server Params to view the public key and signature. The client uses the certificate to validate the public key and signature.
7. Observe the traffic captured in the top Wireshark packet list pane.
8. Select the next TCP packet, labeled TCP ACK. This is the client's TCP acknowledgement of receiving the Server Hello and Certificate responses.

Activity 7 - Analyze SSL/TLS Client Key Exchange Traffic

To analyze SSL/TLS Client Key Exchange traffic:

1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the fourth TLS packet, labeled Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer, TLS, Handshake Protocol, and Encrypted Handshake Message to view SSL/TLS details.
5. Observe the encrypted handshake message. This encrypted handshake contains the session key that will be used to encrypt session traffic.

Activity 8 - Analyze SSL/TLS New Session Ticket Traffic

To analyze SSL/TLS New Session Ticket traffic:

1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the TLS packet labeled New Session Ticket ....
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer, TLS, Handshake Protocol, TLS Session Ticket, and Encrypted Handshake Message to view SSL/TLS details.
5. Observe the encrypted handshake message. This is the server confirming the encrypted session.

Activity 9 - Analyze HTTPS Encrypted Data Exchange

To analyze HTTPS encrypted data exchange:

1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the various TLS packets labeled Application Data.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer and TLS to view SSL/TLS details.
5. Observe the encrypted application data. Notice that the application data protocol is http.
6. Observe the data in the bottom Wireshark packet bytes pane. Notice that the application data is encrypted.
7. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.