Wireshark-users: Re: [Wireshark-users] newbie question about https
From: "DePriest, Jason R." <jrdepriest@xxxxxxxxx>
Date: Fri, 16 Jul 2010 17:23:34 -0500
On Fri, Jul 16, 2010 at 4:01 PM, john doe <> wrote:
> Dear all,
>         I am a relative newbie with wireshark and am going through some
> tutorials. I ran a capture on a site with https:// and was testing for sqli
> on it with an automated open-source tool. When I look at the capture, I do
> not seem to be able to decode the data.
> My goal is to see the actual html returned as a result of the testing.
> Steps I followed: 1) started wireshark 2) opened up site in browser 3)
> started testing tool.
> Can someone please point me to a tutorial which deals with analyzing https
> streams. I looked up some tutrials but they assume that you have the servers
> private key, which I cannot get.
> Thanks.

http://wiki.wireshark.org/SSL is the best resource which, yes, assumes
you have the private key which is required for Wireshark to fully
decrypt the encrypted traffic.

If you want something that can get you inside the packet, I'd suggest
using Fiddler (http://www.fiddler2.com/fiddler2/).  There are plugins
for IE like IE Header View that aren't free and plugins for Firefox
like Live HTTP Headers that are free, but Fiddler (also free) works
with any browser that can support proxy settings.

Assuming you install the feature and accept the fake certificate,
Fiddler will show you a great deal of information about your encrypted
traffic.

I have looked for a way to use a plugin to get raw decrypted packets
from my browser to Wireshark, but I haven't found anything that comes
close to doing that.

I don't know how to take what Fiddler shows and dump it to a pcap
file, for example.

-Jason