Wireshark
Intro
My notes on using Wireshark for various tasks.
Documentation
Capture Filters: https://wiki.wireshark.org/CaptureFilters
A Wiki on Wireshark: https://en.wikiversity.org/wiki/Wireshark/HTTPS
Wiki on Wireshark TLS: https://wiki.wireshark.org/TLS
Tips and Tidbits
It appears that you can't use wildcards in capture filters (e.g. "host = *.googleapis.com"; a capture filter resolves a hostname to its addresses when the capture starts, so there is nothing for a wildcard to match), but you can use substring and regular-expression matching in the display filter, e.g.
dns.qry.name contains "-mifd.com"
or
dns.qry.name matches "ntp[12]-mifd.com"
Show Domain Names Instead Of IP Addresses
To show the domain names instead of a host’s IP address, select: View → Name Resolution → Resolve Network Addresses
Capture HTTPS Handshake Traffic
Capture filter that keeps every packet with TCP source or destination port 443 (HTTPS), regardless of host:
tcp port 443
View HTTPS (TLS/SSL) traffic
Type
tls
as a display (view) filter. You can also limit the exchange to a particular host with its IP address:
ip.addr == xxx.xxx.xxx.xx
(ip.addr matches a packet whose source or destination is that address, so both directions of the conversation are kept.)
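The display filters in these notes behave in ways that are easy to get wrong: contains is a plain substring test, matches is an unanchored regular-expression search (so an unescaped "." in "ntp[12]-mifd.com" also matches a look-alike name), and ip.addr == X is true when either endpoint is X. The following Python script is an added example, not code from these notes or from the Wireshark project; it emulates those three filters over a constructed list of dissected packet fields so the differences can be seen side by side. The packet records, addresses and query names are made up, and the case-insensitive default assumed for matches follows current Wireshark releases (check your version's wireshark-filter(4) man page).

```python
import re

# Constructed sample "packets": just the dissected fields the display filters in
# these notes look at. Example data only, not a real capture.
PACKETS = [
    {"frame": 1, "ip.src": "192.0.2.10", "ip.dst": "192.0.2.53", "dns.qry.name": "ntp1-mifd.com"},
    {"frame": 2, "ip.src": "192.0.2.10", "ip.dst": "192.0.2.53", "dns.qry.name": "ntp2-mifd.com"},
    {"frame": 3, "ip.src": "192.0.2.10", "ip.dst": "192.0.2.53", "dns.qry.name": "ntp3-mifd.com"},
    # Look-alike name: the unescaped "." in the regex from the notes matches the "x" here.
    {"frame": 4, "ip.src": "192.0.2.10", "ip.dst": "192.0.2.53", "dns.qry.name": "ntp1-mifdxcom.example"},
    {"frame": 5, "ip.src": "192.0.2.10", "ip.dst": "192.0.2.53", "dns.qry.name": "storage.googleapis.com"},
    # The resolver's reply: same query name, addresses swapped.
    {"frame": 6, "ip.src": "192.0.2.53", "ip.dst": "192.0.2.10", "dns.qry.name": "ntp1-mifd.com"},
    # TLS packets: no DNS fields at all, so every dns.* comparison is false for them.
    # The "tls" key stands in for Wireshark having dissected the packet as TLS.
    {"frame": 7, "ip.src": "192.0.2.10", "ip.dst": "198.51.100.7", "tls": True},
    {"frame": 8, "ip.src": "192.0.2.10", "ip.dst": "203.0.113.9", "tls": True},
]


def _frames(packets, predicate):
    """Return the frame numbers of the packets for which predicate(pkt) is true."""
    return [p["frame"] for p in packets if predicate(p)]


def dns_qry_name_contains(packets, needle):
    """Emulate `dns.qry.name contains "<needle>"`: a case-sensitive substring test.
    A packet that has no dns.qry.name field never matches, as in Wireshark."""
    return _frames(packets, lambda p: "dns.qry.name" in p and needle in p["dns.qry.name"])


def dns_qry_name_matches(packets, pattern, ignore_case=True):
    """Emulate `dns.qry.name matches "<pattern>"`: an unanchored regex search
    (Wireshark uses PCRE; Python's re is close enough for these patterns).
    ignore_case=True assumes the case-insensitive default of current releases;
    pass False to require an exact-case match."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return _frames(packets, lambda p: "dns.qry.name" in p and rx.search(p["dns.qry.name"]) is not None)


def ip_addr_eq(packets, address):
    """Emulate `ip.addr == <address>`: true if EITHER ip.src or ip.dst is the
    address, so both directions of a conversation are kept."""
    return _frames(packets, lambda p: address in (p.get("ip.src"), p.get("ip.dst")))


def tls_and_ip_addr(packets, address):
    """Emulate `tls && ip.addr == <address>`: the combined filter for viewing the
    TLS exchange with one particular host."""
    return _frames(packets, lambda p: p.get("tls", False) and address in (p.get("ip.src"), p.get("ip.dst")))


if __name__ == "__main__":
    print('dns.qry.name contains "-mifd.com":', dns_qry_name_contains(PACKETS, "-mifd.com"))
    print('dns.qry.name matches "ntp[12]-mifd.com":', dns_qry_name_matches(PACKETS, "ntp[12]-mifd.com"))
    print('dns.qry.name matches "ntp[12]-mifd\\.com":', dns_qry_name_matches(PACKETS, r"ntp[12]-mifd\.com"))
    print("ip.addr == 192.0.2.53:", ip_addr_eq(PACKETS, "192.0.2.53"))
    print("tls && ip.addr == 198.51.100.7:", tls_and_ip_addr(PACKETS, "198.51.100.7"))
```

Running it shows that contains "-mifd.com" selects frames 1, 2, 3 and 6, while matches "ntp[12]-mifd.com" selects 1, 2, 4 and 6: it drops ntp3 as intended but picks up the look-alike in frame 4 because "." matches any character. Escaping the dot (ntp[12]-mifd\.com) gives 1, 2 and 6. ip.addr == 192.0.2.53 returns every DNS frame, including the reply in frame 6 where that address is the source.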