How can I configure Wireshark to see HTTPS traffic?

Solution 1

An alternative is using your Mac as a Wi-Fi access point and sniffing the traffic with TCPDump. Here are the steps:

  • Connect your Mac to your router using an Ethernet cable (the Wi-Fi card will be busy working as an access point). Or skip this step if you only want to sniff traffic from the app to your own computer.
  • In the Wi-Fi icon of your toolbar, click Create Network. Give it a random name, select security, and set a password.
  • In System Preferences > Sharing set To computers using: Wi-Fi. In Wi-Fi Options... choose the network you created before. In Share your connection from:, choose the interface you are getting Internet from, usually Ethernet.
  • Enable Internet Sharing, and connect to this new Wi-Fi network from your iPhone.
  • Disconnect 3G on your iPhone from Settings > General > Network and check your Internet with Safari. Sometimes it takes a few seconds.
  • On your Mac, type sudo tcpdump -s 0 -A -i en1 port 443 > log.txt. Use ifconfig if you have a network interface other than en1. The log generated can also be imported by Wireshark (which is a GUI version of tcpdump).
  • Now all Internet traffic from your iPhone will be recorded.

TCPDump is included with all versions of OS X. For other options, see Technical Q&A QA1176 Getting a Packet Trace.
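
To pick the iPhone's HTTPS packets out of the tcpdump log (the follow-up asked in the comments), the one-line packet summaries can be parsed and filtered by the device's IP. This is an added example, not part of the original answer; the function names and sample lines are constructed, the addresses are the ones quoted in the comments, and only IPv4 summaries are handled.

```python
import re
from collections import defaultdict

# tcpdump's one-line IPv4 summary, e.g.
# 14:18:52.276484 IP 10.0.2.2.49502 > 89.17.221.55.https: Flags [S], ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+):(?P<rest>.*)$"
)
HTTPS_PORTS = {"443", "https"}  # service name unless tcpdump ran with -n

def https_flows(lines, device_ip):
    """Yield (timestamp, direction, remote_ip, payload_len) per HTTPS packet."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # payload text printed by -A, ARP, IPv6, etc.
        length = re.search(r"length (\d+)", m["rest"])
        size = int(length.group(1)) if length else 0
        if m["src"] == device_ip and m["dport"] in HTTPS_PORTS:
            yield m["ts"], "out", m["dst"], size
        elif m["dst"] == device_ip and m["sport"] in HTTPS_PORTS:
            yield m["ts"], "in", m["src"], size

def summarize(lines, device_ip):
    """Return per-remote packet and byte counts for the device's HTTPS traffic."""
    totals = defaultdict(lambda: {"out_packets": 0, "in_packets": 0,
                                  "out_bytes": 0, "in_bytes": 0})
    for _ts, direction, remote, size in https_flows(lines, device_ip):
        totals[remote][direction + "_packets"] += 1
        totals[remote][direction + "_bytes"] += size
    return dict(totals)

# Constructed sample log (not real capture output); it mixes name and
# numeric port forms to exercise both.
SAMPLE = """\
14:18:52.276484 IP 10.0.2.2.49502 > 89.17.221.55.https: Flags [S], seq 1, win 65535, length 0
14:18:52.301112 IP 89.17.221.55.https > 10.0.2.2.49502: Flags [S.], seq 9, ack 2, win 14480, length 0
14:18:52.310020 IP 10.0.2.2.49502 > 89.17.221.55.443: Flags [P.], seq 2:519, ack 10, win 4096, length 517
E..5..@.@.....
14:18:52.400500 IP 10.0.2.3.50000 > 89.17.221.55.https: Flags [P.], length 100
14:18:53.000001 IP 10.0.2.2.49503 > 89.17.221.55.http: Flags [P.], length 80
"""

if __name__ == "__main__":
    for remote, stats in summarize(SAMPLE.splitlines(), "10.0.2.2").items():
        print(remote, stats)
```

To run it on a real capture, pass `open("log.txt", errors="replace")` as `lines` and the address shown on the iPhone under Settings > Wi-Fi as `device_ip`.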

Solution 2

Set the following as a filter after you've started capturing on the appropriate network interface:

tcp.port == 443 || tcp.port == 80

This will ensure display of data for only http & https connections that you can further inspect.

Solution 3

If you want to decrypt the SSL traffic in order to listen in on it, have a look at the Wireshark Wiki. The explanation is a bit longer, but enables you to decrypt SSL traffic.

You also might want to listen on port 443 instead of 80.. :-)

Solution 4

Yes. Wireshark can watch any and all ethernet traffic made available to it. The issue to solve is whether the machine running Wireshark will see all of the ethernet traffic you are interested in detecting the presence of.

Author: SundayMonday

Updated on October 07, 2020

Comments

  • SundayMonday
    SundayMonday over 3 years

    I'm testing an iOS application and I just want to see when HTTPS traffic is sent. I'm not interested in the contents of the traffic. How can I configure Wireshark to do this?

    This is just to verify that an analytics package is working. I don't have any control over the servers that my app is talking to.

    Thanks!

    Edit #1: My current Wireshark configuration can see traffic to http://www.duckduckgo.com but not https://www.duckduckgo.com

  • SundayMonday
    SundayMonday over 12 years
    Ok. How can I configure my machine and/or Wireshark to see HTTPS traffic?
  • Andy Finkenstadt
    Andy Finkenstadt over 12 years
    HTTPS usually travels across port 443, rather than HTTP traffic on port 80. What happens if you set your Wireshark configuration to watch ALL traffic, and not just specific ports' worth of traffic?
  • SundayMonday
    SundayMonday over 12 years
    Cool! I can see HTTPS traffic in my log file. How can I determine which traffic is coming from the iOS device?
  • Jano
    Jano over 12 years
    You get lines like 14:18:52.276484 IP 89.17.221.55.http > 10.0.2.2.49502; one of those is the IP of your device, which you can look up by going to Settings > Wi-Fi and pressing the arrow on the network you are connected to. It's easier to read if you bother to install tcpflow. You have to install MacPorts and then do sudo port install tcpflow; usage is: sudo tcpflow -i en1 port 443.
  • zaph
    zaph almost 11 years
    Still no answer to the OP's question: "How can I configure".