How to capture HTTP packets on wireshark after browsing a site?

Hello,

Product details:

MacBook Air

macOS Sierra

Version 10.12.6

Processor 1.6GHz Intel Core i5


Issue:

I am a student, and to study Wireshark I have downloaded it on my Mac. While capturing packets on the en0 interface, I can see all TLS, TCP and DNS messages.

I want to capture HTTP messages explicitly, from HTTP GET to HTTP OK, so I start a capture and browse to the "google.com" or "amazon.com" site.

But after that no HTTP packets are getting captured.

Please help me to solve this issue or let me know if there are any limitations on Mac.


Thanks & Regards,

Shraddha Birare

shraddhabirare2391@gmail.com

MacBook Air, macOS Sierra (10.12.6)

Posted on Sep 5, 2017 1:11 PM

Question marked as Top-ranking reply

Posted on Sep 5, 2017 6:35 PM

The ASC is dedicated to helping others with Apple products. Your question is really related to how to use Wireshark. Since you are a student, I strongly suggest getting some additional Wireshark "how-to" from sources like Wireshark University.


Regardless, to give you some hints related to your question:

  • The reason you are seeing only TLS, TCP, DNS, etc. is because you are capturing a website that is using SSL/TLS for security. That is, you would use HTTPS, not HTTP to connect to it. Wireshark will not automatically decrypt SSL traffic. However, Wireshark does support SSL decryption when the master secret (derived from a pre-master secret) can be calculated. Those familiar with this know one method is to use an SSL keylog file.
  • Try accessing a website that doesn't require HTTPS. You will still get a "mix" of protocols, but you can then use a Display Filter to just view the HTTP packets.
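
A small check for the key log file mentioned in the first hint, added here as an example and not part of the original reply. It assumes the file is in the NSS key log format (the one browsers write when the `SSLKEYLOGFILE` environment variable is set); the function names and the sample lines are constructed for illustration.

```python
import re

# NSS key log labels and the secret sizes (bytes) each may carry.
# Legacy "RSA" lines are not handled in this example.
LABELS = {
    "CLIENT_RANDOM": {48},                    # TLS 1.2 master secret
    "CLIENT_EARLY_TRAFFIC_SECRET": {32, 48},  # TLS 1.3 secrets are hash-sized
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "CLIENT_TRAFFIC_SECRET_0": {32, 48},
    "SERVER_TRAFFIC_SECRET_0": {32, 48},
    "EXPORTER_SECRET": {32, 48},
}
HEX = re.compile(r"[0-9a-fA-F]+")

def check_keylog(text):
    """Return (sessions, problems).
    sessions: client random (hex) -> set of labels logged for it.
    problems: list of (line_number, reason) for lines that cannot be used."""
    sessions, problems = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if len(parts) != 3:
            problems.append((no, "expected: LABEL RANDOM SECRET"))
            continue
        label, rand, secret = parts
        if label not in LABELS:
            problems.append((no, "label not handled here"))
        elif len(rand) != 64 or not HEX.fullmatch(rand):
            problems.append((no, "client random is not 32 hex-encoded bytes"))
        elif not HEX.fullmatch(secret) or len(secret) not in {2 * n for n in LABELS[label]}:
            problems.append((no, "secret has the wrong length or is not hex"))
        else:
            sessions.setdefault(rand.lower(), set()).add(label)
    return sessions, problems

def labels_for(sessions, client_random_hex):
    """Labels logged for the random seen in a capture's ClientHello."""
    return sorted(sessions.get(client_random_hex.lower(), ()))

# Constructed sample lines, not real key material.
SAMPLE = "\n".join([
    "# constructed key log",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "bb" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "dd" * 20,   # truncated secret
    "CLIENT_RANDOM " + "44" * 16 + " " + "ee" * 48,   # short random
    "garbage line",
])
```

If the Random value shown in a captured Client Hello has no entry in the log, that session's records stay encrypted in the capture.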
