Before I started using Wireshark for protocol analysis, I always assumed it could only capture HTTP packets, so whenever I needed to capture HTTPS packets I reached for Fiddler. One day, however, I wanted to capture an HTTP2 message and take a look at it, and Fiddler couldn't do it. After some Googling I found out that Wireshark does support this, but only under specific conditions.
Problems of Fiddler
With Fiddler you can't see the real HTTP2 protocol. Some people may object that they clearly see HTTP2 protocol messages in Fiddler. That is because Fiddler acts as a man in the middle towards the server and downgrades the protocol to HTTP1, so what we actually see is still an HTTP1 message. The following two pictures make this clear:
- Direct access to a service supporting http2, without the proxy
- Access through the proxy, capturing packets
As you can see, when capturing through the proxy, the protocol becomes HTTP1.
Grabbing with Wireshark
Today's mainstream browsers all run http2 on top of TLS. In other words, to analyze HTTP2 we first have to get past TLS, otherwise all we can analyze is a pile of encrypted garbage. Wireshark supports two ways to decrypt:
- Through the private key of the website
- Through the browser, which stores the TLS symmetric keys in an external file that Wireshark then uses for decryption
Next, I'll demonstrate them one by one.
1. Through the private key of the website
If the website you want to capture is your own, you can use this method, because it decrypts with the private key the website used to generate its certificate, the one configured as ssl_certificate_key on nginx. Add the corresponding private key file to the Wireshark configuration, and then you can see the plaintext in Wireshark:
As you can see from the picture above, after configuring the server's private key I could capture the HTTP plaintext of a curl request.
However, the disadvantage is also obvious: we can only analyze websites whose private key we hold, and other people's websites can't be analyzed. Fortunately, there is a second scheme.
2. Through the SSL log function of the browser
At present this scheme is only supported by the Firefox browser. By setting the SSLKEYLOGFILE environment variable, you can make the browser save the corresponding keys to a local file when it visits an SSL/TLS website. Once this log file exists, Wireshark can decrypt the messages.
First set the SSLKEYLOGFILE environment variable
Note: this is done on Windows here; other operating systems work the same way
- Configure Wireshark, Preferences > Protocols > TLS:
Enter the file path specified in the first step
- Restart the browser and capture packets:
Again, the HTTP plaintext can be captured.
Note: remember to delete the environment variable when you are not capturing, to avoid wasted performance and security problems
The advantage of scheme 2 is obvious: it can capture the SSL/TLS encrypted messages of any website. Its only disadvantage is that it is supported only by the browser, whereas scheme 1 can capture packets for any HTTP client.
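As an added example (not code from the original post), here is a small Python script that parses a key log file of the kind SSLKEYLOGFILE produces and reports, for a given ClientHello Random taken from the capture, whether Wireshark would have enough material to decrypt that session; the sample log contents are constructed, not real secrets.

```python
"""Sanity-check an SSLKEYLOGFILE (NSS key log format) before giving it to Wireshark."""
import re

# One secret per line: "<LABEL> <client_random hex> <secret hex>". TLS 1.2 and older
# need one CLIENT_RANDOM line; TLS 1.3 needs the *_TRAFFIC_SECRET_0 lines for app data.
LINE_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+) (?P<rand>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [malformed line numbers]).
    Comment (#) and blank lines are skipped, as Wireshark skips them."""
    entries, bad = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            bad.append(lineno)          # e.g. a line cut short when the browser died
            continue
        entries.setdefault(m["rand"].lower(), {})[m["label"]] = m["secret"]
    return entries, bad

def decryptable(entries, client_random):
    """Given the Random field of a captured ClientHello (hex), report what the log
    can decrypt for that session: 'tls1.2', 'tls1.3' or None."""
    labels = set(entries.get(client_random.lower(), {}))
    if "CLIENT_RANDOM" in labels:
        return "tls1.2"
    if {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels:
        return "tls1.3"
    return None                         # handshake secrets alone are not enough

# Constructed sample log (made-up values): one TLS 1.2 session, one complete TLS 1.3
# session, one TLS 1.3 session with only a handshake secret, and one malformed line.
R12, R13, R13_PARTIAL = "a1" * 32, "b2" * 32, "c3" * 32
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {R12} {'d4' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R13} {'e5' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R13} {'f6' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R13} {'07' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {R13} {'18' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R13_PARTIAL} {'29' * 32}",
    "CLIENT_RANDOM deadbeef",           # truncated write
])
```

The same file is what you enter in the (Pre)-Master-Secret log filename field under Preferences > Protocols > TLS; unlike the private-key method, which only works when the session used an RSA key exchange, the key log decrypts whatever cipher suite the browser negotiated.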
Capturing http2 messages through Wireshark
Everything above captured TLS+HTTP1. Mainstream browsers all run HTTP2 on top of TLS as well, so the original plaintext is likewise decrypted at the TLS layer.
Here I take https://www.qq.com as the example. Why not the classic https://www.baidu.com? Because the Baidu home page is still on HTTP1.
- Configure using the second scheme above
- Visit the site in the browser
Now, the http2 protocol is very complex and I'm still learning it, so I won't say much more here.
Wireshark is really a very powerful network analysis tool. As HTTP2 becomes mainstream, it can help us deepen our understanding of these protocols and so meet new opportunities and challenges.
The author of this paper: MonkeyWie
Link to this article: https://monkeywie.github.io/2020/08/07/wireshark-capture-https/
Copyright notice: Except where specially announced, all articles in this blog adopt the BY-NC-SA license agreement. Please indicate the source when reprinting!