Wireshark-users: Re: [Wireshark-users] Capturing https traffic
From: Sake Blok <sake@xxxxxxxxxx>
Date: Sat, 28 Aug 2010 01:21:05 +0200
On 27 aug 2010, at 22:12, Guy Harris wrote:
> On Aug 27, 2010, at 1:02 PM, Arya wrote:
>> 
>> I have Wireshark 64 bit installed on Windows 7 and I'm unable to capture https traffic with it.
> 
> What happens if you try to capture https traffic - for example, if you capture with a capture filter of "tcp port 443"?  Do you see no packets (which means it's not *capturing* https traffic), or do you see packets that Wireshark doesn't dissect as https traffic (which means that it might be *capturing* it, it just might not be *recognizing* it as https traffic)?  It will only recognize https traffic if it's to or from one of the ports specified in the "SSL/TLS Ports" preference for the HTTP dissector; the default setting for that is 443, so only traffic to or from port 443 will be recognized as https traffic.

Or do you capture https traffic that is recognized as SSL (which is how it will show in the protocol column), but you are not able to decrypt it as you can't seem to find the preference to put the private key in? This can be caused by the fact that only recently the libraries for decrypting SSL traffic have been added to the 64-bit version of Wireshark (try an automated build from http://www.wireshark.org/download/automated/ ).

Cheers,


Sake
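
The distinction drawn in the thread between traffic that is captured and traffic that is recognized can be checked on raw TCP payloads by looking for a TLS record header, independent of port. This is an added example, not part of the original messages and not Wireshark code; the function names `parse_tls_record_header` and `classify` and the sample payloads are constructed for illustration.

```python
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Default of the "SSL/TLS Ports" preference as stated in the thread.
DEFAULT_TLS_PORTS = frozenset({443})
MAX_RECORD_LEN = 2**14 + 2048  # upper bound on a TLS ciphertext fragment


def parse_tls_record_header(payload):
    """Return (type_name, (major, minor), length) if the payload starts
    with a plausible SSL 3.0 / TLS record header, else None."""
    if len(payload) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype not in CONTENT_TYPES:
        return None
    if major != 3 or minor > 4:  # record versions 3.0 through 3.4
        return None
    if length > MAX_RECORD_LEN:
        return None
    return CONTENT_TYPES[ctype], (major, minor), length


def classify(src_port, dst_port, payload, tls_ports=DEFAULT_TLS_PORTS):
    """Say whether a captured segment looks like TLS and whether its
    port is one a port-based dissector setting would cover."""
    is_tls = parse_tls_record_header(payload) is not None
    on_port = src_port in tls_ports or dst_port in tls_ports
    if is_tls and on_port:
        return "tls-on-configured-port"
    if is_tls:
        return "tls-on-unlisted-port"   # captured, but not recognized by port
    if on_port:
        return "configured-port-not-tls"
    return "other"


# Constructed samples: the start of a ClientHello record and a plain HTTP request.
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")
SAMPLE_PLAIN_HTTP = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    print(classify(51000, 8443, SAMPLE_CLIENT_HELLO))
    print(classify(51000, 443, SAMPLE_CLIENT_HELLO))
    print(classify(51000, 443, SAMPLE_PLAIN_HTTP))
```

A result of `tls-on-unlisted-port` corresponds to the "captured but not recognized" case; an empty capture is the separate "not capturing" case and never reaches this check.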