Table of Contents for
Mastering Wireshark 2


Mastering Wireshark 2 by Andrew Crouthamel, published by Packt Publishing, 2018
  1. Mastering Wireshark 2
  2. Title Page
  3. Copyright and Credits
  4. Mastering Wireshark 2
  5. Packt Upsell
  6. Why subscribe?
  7. PacktPub.com
  8. Contributor
  9. About the author
  10. Packt is searching for authors like you
  11. Table of Contents
  12. Preface
  13. Who this book is for
  14. What this book covers
  15. To get the most out of this book
  16. Download the color images
  17. Conventions used
  18. Get in touch
  19. Reviews
  20. Installing Wireshark 2
  21. Installation and setup
  22. Installing Wireshark on Windows
  23. Installing Wireshark on macOS
  24. Installing Wireshark on Linux
  25. Summary
  26. Getting Started with Wireshark
  27. What's new in Wireshark 2?
  28. Capturing traffic
  29. How to capture traffic
  30. Saving and exporting packets
  31. Annotating and printing packets
  32. Remote capture setup
  33. Prerequisites
  34. Remote capture usage
  35. Summary
  36. Filtering Traffic
  37. Berkeley Packet Filter (BPF) syntax
  38. Capturing filters
  39. Displaying filters
  40. Following streams
  41. Advanced filtering
  42. Summary
  43. Customizing Wireshark
  44. Preferences
  45. Appearance
  46. Layout
  47. Columns
  48. Fonts and colors
  49. Capture
  50. Filter buttons
  51. Name resolution
  52. Protocols
  53. Statistics
  54. Advanced
  55. Profiles
  56. Colorizing traffic
  57. Examples of colorizing traffic
  58. Example 1
  59. Example 2
  60. Summary
  61. Statistics
  62. TCP/IP overview
  63. Time values and summaries
  64. Trace file statistics
  65. Resolved addresses
  66. Protocol hierarchy
  67. Conversations
  68. Endpoints
  69. Packet lengths
  70. I/O graph
  71. Load distribution
  72. DNS statistics
  73. Flow graph
  74. Expert system usage
  75. Summary
  76. Introductory Analysis
  77. DNS analysis
  78. An example for DNS request failure
  79. ARP analysis
  80. An example for ARP request failure
  81. IPv4 and IPv6 analysis
  82. ICMP analysis
  83. Using traceroute
  84. Summary
  85. Network Protocol Analysis
  86. UDP analysis
  87. TCP analysis I
  88. TCP analysis II
  89. Graph I/O rates and TCP trends
  90. Throughput
  91. I/O graph
  92. Summary
  93. Application Protocol Analysis I
  94. DHCP analysis
  95. HTTP analysis I
  96. HTTP analysis II
  97. FTP analysis
  98. Summary
  99. Application Protocol Analysis II
  100. Email analysis
  101. POP and SMTP
  102. 802.11 analysis
  103. VoIP analysis
  104. VoIP playback
  105. Summary
  106. Command-Line Tools
  107. Running Wireshark from a command line
  108. Running tshark
  109. Running tcpdump
  110. Running dumpcap
  111. Summary
  112. A Troubleshooting Scenario
  113. Wireshark plugins
  114. Lua programming
  115. Determining where to capture
  116. Capturing scenario traffic
  117. Diagnosing scenario traffic
  118. Summary
  119. Other Books You May Enjoy
  120. Leave a review - let other readers know what you think

HTTP analysis II

We'll investigate some more HTTP issues by looking at error messages again, and we'll see how to decrypt HTTPS traffic (which is TLS now; the same steps also work for SSL).

We'll download an example capture from the SampleCaptures section on the Wireshark wiki (https://wiki.wireshark.org/SampleCaptures). Once you go to the SampleCaptures page, go down to Specific Protocols and Protocol Families | HyperText Transport Protocol (HTTP):

If you click on that, you'll see a list of some basic HTTP captures that we can look at. At the bottom there is a link to SSL with decryption keys; we'll download the top link, the snakeoil2_070531.tgz file. All you'll need to do is extract it so that you can get to the files within.

By default, Windows can only extract .zip files, so you'll need to download something like 7-Zip or WinRAR in order to open it.

When you open the cap file, you'll see that it's an older file, from somewhere around 2007, so it's not a pcapng file; it still opens just fine in Wireshark. Looking at the start of the trace, we have a SYN, a SYN/ACK and an ACK in TCP, so there's our three-way handshake. Then comes an SSL Client Hello, an acknowledgment from the server, the Server Hello and its acknowledgment. The two sides exchange the key information used to set up the SSL encryption and share the cipher information, and after that the data is actually encrypted: we see an encrypted handshake followed by encrypted data. All of the Application Data records that follow are unreadable to us; if we expand any of them under SSL, it's just gibberish.

So how do we see the HTTP within it? We need to decrypt it, and Wireshark can decrypt SSL or TLS traffic. However, you will need the private key from the server, so if you do not have access to the web server, you cannot do this. This is great on a corporate network where someone is accessing a corporate resource that happens to be encrypted and you want to decrypt it: you have access to the server, so you can retrieve the private key. If you want to do this for something on the internet, you have to get the private key from whoever is hosting it. One further caveat: the private key only helps when the session used RSA key exchange, as this 2007 capture does. With (EC)DHE cipher suites, which provide forward secrecy, the server's private key cannot recover the session keys, and Wireshark instead needs the session secrets logged by the client or server (the (Pre)-Master-Secret log filename setting in the same SSL preferences).

To set this up, go to Edit | Preferences... | Protocols | SSL. You'll notice that TLS is not listed under Protocols: TLS came about after SSL and was built on it, so it all falls under the SSL protocol section, and we configure our RSA keys, the private keys, within the SSL protocol list even if it is TLS that you're using. Click on Edit... and then the plus sign to add a new decryption key. First add the IP address of the server; in this example it was sanitized to 127.0.0.1, the localhost loopback address. Set the port to 443, because we know this is HTTPS traffic using the standard port 443, and set the protocol to http, because we know it's HTTP traffic that's behind it. Then double-click on the Key File field and select the key. In the extracted archive we have the cap file, a README and the key file; select the key file and click on OK:
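Before filling in the RSA keys list, it helps to know whether the server's private key can decrypt the session at all. The following Python script is an added example, not code from the book or from Wireshark: it parses a server-side TLS record stream, reads the cipher suite chosen in the ServerHello, and reports whether the server's RSA private key is enough or a key log file is needed instead. The sample record bytes, the cipher-suite tables and all function names are my own construction, not taken from the snakeoil2 capture.

```python
import struct
# Cipher suite values from the IANA TLS registry, grouped by key exchange.
RSA_KEX = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
           0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256"}
FORWARD_SECRET = {0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                  0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x1301: "TLS_AES_128_GCM_SHA256"}
RECORD_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

def iter_records(stream):
    """Yield (content_type, payload) for each 5-byte-header TLS record in the stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record at offset %d" % off)
        yield ctype, payload
        off += 5 + length

def server_hello_suite(hs):
    """Cipher suite chosen in a ServerHello: hdr(4) version(2) random(32) sid_len(1) sid suite(2)."""
    sid_len = hs[38]
    return struct.unpack("!H", hs[39 + sid_len:41 + sid_len])[0]

def analyse(stream):
    """Classify records and decide whether the server's RSA private key can decrypt them."""
    summary = {"records": [], "suite": None}
    for ctype, payload in iter_records(stream):
        name = RECORD_TYPES.get(ctype, "Unknown")
        if ctype == 22 and payload[:1] == b"\x02" and summary["suite"] is None:
            summary["suite"] = server_hello_suite(payload)   # first ServerHello seen
            name = "ServerHello"
        summary["records"].append(name)
    suite = summary["suite"]
    summary["suite_name"] = RSA_KEX.get(suite) or FORWARD_SECRET.get(suite, "unknown")
    # RSA key exchange: server key recovers the pre-master secret; (EC)DHE/TLS 1.3: key log needed.
    summary["server_key_decrypts"] = suite in RSA_KEX
    return summary

def tls_record(ctype, body, version=0x0303):
    """Build one TLS record; used only to construct the sample data below."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

def server_hello(suite):
    """Minimal TLS 1.2 ServerHello (empty session id, no extensions); constructed sample."""
    body = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return tls_record(22, b"\x02" + struct.pack("!I", len(body))[1:] + body)
# Constructed flights: ServerHello, ChangeCipherSpec, encrypted Finished, Application Data.
SAMPLE_RSA = (server_hello(0x002F) + tls_record(20, b"\x01")
              + tls_record(22, b"\xAA" * 40) + tls_record(23, b"\xBB" * 64))
SAMPLE_ECDHE = server_hello(0xC02F) + tls_record(20, b"\x01") + tls_record(23, b"\xBB" * 64)
```

Only the first handshake message of each record is inspected, which is enough for the ServerHello; a truncated final record raises an error rather than being silently classified.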

Now you'll see that the data has been decrypted: we no longer have all of these TLS protocol listings saying Application Data; Wireshark actually shows us HTTP traffic now. The SSL protocol entries at the top are still there because that part really is SSL traffic: the handshake and the exchange of cipher information needed to set up encryption, which is fine. The rows at the bottom are what we cared about. Now we can apply the display filter http and filter out just the HTTP communication. We can see that we have a few problems in this packet capture. There is a GET request, and the server responded saying: "I found that file." The client then tried to get two more images over HTTP (it looks like the Debian logo and something else), and the server responded that the resource was not found. Here's that 404 message:

If we go into the packet details, we can see the 404 under the HTTP section. You'll also see that it says expert information. Go down to the bottom left, click on the circle icon, and it will list all of the errors that are in this packet capture:

It pulls out HTTP errors along with anything that's of use.