Filter HTTPS Data Packets by Using Wireshark Tools
Wireshark is a free and open source packet analyzer used for network troubleshooting and
analysis. These activities will show you how to use Wireshark to capture and analyze Hypertext
Transfer Protocol Secure (HTTPS) traffic.
Preparation
To prepare for this activity:
1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

1. Observe the traffic captured in the top Wireshark packet list pane. To view only HTTPS
traffic, type ssl or tls (lower case) in the Filter box and press Enter.
2. Select the first TLS packet labeled Client Hello.
3. Observe the destination IP address.
4. To view all related traffic for this connection, change the filter to ip.addr ==
<destination>, where <destination> is the destination address of the Client Hello packet you selected.

1. Observe the traffic captured in the top Wireshark packet list pane. The first three packets
(TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three-way handshake. Select the
first packet.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is
an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your default
gateway's MAC address and the source should be your MAC address. You can use
ipconfig /all and arp -a to confirm.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is your IP address.
7. Observe the Destination address. Notice that the destination address is the IP address of
the HTTPS server.
8. Expand Transmission Control Protocol to view TCP details.
9. Observe the Source port. Notice that it is a dynamic port selected for this HTTPS
connection.
10. Observe the Destination port. Notice that it is https (443). Note that all of the packets for
this connection will have matching MAC addresses, IP addresses, and port numbers.
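The point of step 10, that every packet of one connection shares the same addresses and ports, is what lets a filter such as ip.addr == <destination> be narrowed to a single TCP stream. The following Python script is an added illustration, not part of the handout: over a constructed packet list (sample addresses, not a real capture) it locates the SYN to port 443, keeps only that connection's packets in both directions, and checks that the first three form the SYN, SYN/ACK, ACK handshake from step 1.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    sport: int    # source TCP port
    dport: int    # destination TCP port
    flags: str    # TCP flags as Wireshark abbreviates them: "S", "SA", "A", "PA"

def same_connection(p: Packet, client: str, server: str, cport: int, sport: int) -> bool:
    """True if the packet belongs to the connection, in either direction."""
    return ((p.src, p.sport, p.dst, p.dport) == (client, cport, server, sport) or
            (p.src, p.sport, p.dst, p.dport) == (server, sport, client, cport))

def https_connection(packets: list, server_ip: str) -> tuple:
    """Find the first TCP SYN to server_ip:443 and keep only that connection's packets,
    the same narrowing as filtering ip.addr == <destination> and then one client port.
    Returns (packets_of_connection, handshake_is_complete)."""
    syn = next((p for p in packets
                if p.dst == server_ip and p.dport == 443 and p.flags == "S"), None)
    if syn is None:
        return [], False
    flow = [p for p in packets if same_connection(p, syn.src, server_ip, syn.sport, 443)]
    # The three-way handshake is client SYN, server SYN/ACK, client ACK, in that order.
    expected = [(syn.src, "S"), (server_ip, "SA"), (syn.src, "A")]
    observed = [(p.src, p.flags) for p in flow[:3]]
    return flow, observed == expected

# Constructed packet list (not a real capture): unrelated traffic to another host, a second
# unrelated connection, then the HTTPS handshake and the first TLS record from the client.
CLIENT, SERVER, OTHER = "192.0.2.10", "198.51.100.20", "203.0.113.5"
SAMPLE = [
    Packet(CLIENT, OTHER, 50000, 53, "PA"),
    Packet(CLIENT, SERVER, 49200, 443, "S"),
    Packet(CLIENT, OTHER, 49201, 443, "S"),
    Packet(SERVER, CLIENT, 443, 49200, "SA"),
    Packet(OTHER, CLIENT, 443, 49201, "SA"),
    Packet(CLIENT, SERVER, 49200, 443, "A"),
    Packet(CLIENT, SERVER, 49200, 443, "PA"),   # carries the TLS Client Hello
    Packet(SERVER, CLIENT, 443, 49200, "A"),
]

if __name__ == "__main__":
    flow, ok = https_connection(SAMPLE, SERVER)
    print(f"{len(flow)} packets in connection, handshake complete: {ok}")
```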

1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the first TLS packet, labeled Client Hello.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is
an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Secure
Sockets Layer frame. Also notice that the Ethernet II, Internet Protocol Version 4, and
Transmission Control Protocol values are consistent with the TCP connection analyzed in
Activity 3.
4. Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details.
5. Observe the Cipher Suites and Extensions supported.
6. Observe the traffic captured in the top Wireshark packet list pane.
7. Select the next packet, labeled TCP ACK. This is the server TCP acknowledgement of
receiving the Client Hello request.
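The Cipher Suites and Extensions that step 5 has you observe sit at fixed offsets in the Client Hello handshake message. The following Python script is an added illustration, not part of the handout: it parses one TLS record carrying a Client Hello the way Wireshark's dissector does and returns the version, the offered cipher suites, the extension types and the server_name (SNI) value. The record it parses is constructed inside the script, not taken from a capture; the Server Hello in the next activity has the same layout except that it carries the single cipher suite the server chose.

```python
import struct

EXTENSION_NAMES = {0: "server_name", 10: "supported_groups", 43: "supported_versions"}

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a Client Hello and return the fields Wireshark shows
    under Handshake Protocol: version, cipher suites, extension types and the SNI host name."""
    content_type, _record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:                                  # 22 = Handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + record_len]
    if body[0] != 1:                                        # 1 = Client Hello
        raise ValueError("not a Client Hello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + hs[pos]                                      # skip session_id
    n_suites = struct.unpack("!H", hs[pos:pos + 2])[0]
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n_suites, 2)]
    pos += 2 + n_suites
    pos += 1 + hs[pos]                                      # skip compression_methods
    extensions = {}
    if pos < len(hs):                                       # extensions block is optional
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos < ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            extensions[ext_type] = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
    sni = None
    if 0 in extensions:                   # server_name: list len(2), name type(1), name len(2), name
        name_len = struct.unpack("!H", extensions[0][3:5])[0]
        sni = extensions[0][5:5 + name_len].decode("ascii")
    return {"version": hex(version), "cipher_suites": [hex(s) for s in suites],
            "extensions": [EXTENSION_NAMES.get(t, str(t)) for t in extensions], "sni": sni}

def sample_client_hello() -> bytes:
    """Constructed TLS 1.2 Client Hello (not from a capture): two suites, SNI, supported_versions."""
    name = b"example.test"
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni + struct.pack("!HH", 43, 3) + b"\x02\x03\x04"
    hello = (b"\x03\x03" + bytes(32) + b"\x00"               # version 1.2, random, empty session id
             + struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"     # ECDHE-RSA-AES128/256-GCM suites
             + b"\x01\x00"                                    # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Calling parse_client_hello(sample_client_hello()) returns the same values the Wireshark tree shows for that message, so the script is also a quick way to check a dissection by hand.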

1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the second TLS packet, labeled Server Hello.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer, TLS, and Handshake Protocol to view SSL/TLS details.
5. Observe the Cipher Suites and Extensions supported.

1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the third TLS packet, labeled Certificate, Server Key Exchange, Server Hello
Done.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer, TLS, Handshake Protocol, and Certificates to view
SSL/TLS details.
5. Observe the certificate information provided.
6. Expand TLS, Handshake Protocol, and EC Diffie-Hellman Server Params to view the
server's ephemeral public key and its signature. The client verifies that signature with the
public key in the server's certificate before trusting the key exchange parameters.
7. Observe the traffic captured in the top Wireshark packet list pane.
8. Select the next TCP packet, labeled TCP ACK. This is the client TCP acknowledgement
of receiving the Server Hello and Certificate responses.

1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the fourth TLS packet, labeled Client Key Exchange, Change Cipher Spec,
Encrypted Handshake Message.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer, TLS, Handshake Protocol, and Encrypted Handshake
Message to view SSL/TLS details.
5. Observe the encrypted handshake message. This is the first record protected with the
session key that will be used to encrypt session traffic.

1. Observe the traffic captured in the top Wireshark packet list pane.
2. Select the TLS packet labeled New Session Ticket ....
3. Observe the packet details in the middle Wireshark packet details pane.
4. Expand Secure Sockets Layer, TLS, Handshake Protocol, TLS Session Ticket, and
Encrypted Handshake Message to view SSL/TLS details.
5. Observe the encrypted handshake message. This is the server confirming the encrypted
session.