Wireshark


Intro

My notes on using Wireshark for various tasks.



Documentation



Tips and Tidbits

  • Capture filters use BPF syntax, which has no wildcard or regular-expression support, so a filter such as host *.googleapis.com is rejected; the closest you get is a plain host or net match. Display filters do support pattern matching: dns.qry.name contains "-mifd.com" is a case-sensitive substring match, and dns.qry.name matches "ntp[12]-mifd\.com" is a Perl-compatible regular expression. Escape the dot in a regex (\.), otherwise it matches any character, not just the literal dot.



Show Domain Names Instead Of IP Addresses

To show domain names instead of a host's IP address, select View → Name Resolution → Resolve Network Addresses.

Caveat: by default this makes Wireshark issue reverse DNS lookups from the analysis machine for every address in the capture, which tells your resolver (and anyone watching it) which hosts you are investigating. When working on a capture from an incident, untick "Use an external network name resolver" under Edit → Preferences → Name Resolution so that only names seen in captured DNS replies are used, or run tshark with -n to disable name resolution entirely.



Capture HTTPS Handshake Traffic

Capture filter for all traffic on the standard HTTPS port, regardless of host:

tcp port 443

Note that this records the whole TCP session, not only the handshake, and it misses HTTPS on non-standard ports as well as HTTP/3, which runs over QUIC on udp port 443. A capture filter cannot isolate the handshake because BPF does not parse TLS; capture the port and apply tls.handshake as a display filter afterwards.



View HTTPS (TLS/SSL) traffic

  • Type tls in the display filter bar (the field was called ssl before Wireshark 3.0). To limit the exchange to a particular host, combine it with the host's IP address: tls && ip.addr == xxx.xxx.xxx.xx
  • The handshake is the informative part of an encrypted session: tls.handshake.type == 1 shows only Client Hellos, and the tls.handshake.extensions_server_name field in each one carries the requested host name (SNI) in the clear, so you can see which sites were contacted without decrypting anything, unless the client uses Encrypted Client Hello. Right-click the field in the packet details and choose Apply as Column to get a host name column.
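The SNI value that tls.handshake.extensions_server_name displays comes from the plaintext Client Hello, which is why capturing port 443 still reveals host names. The following Python is added here as an illustration; it is not from Wireshark or from the original notes. It constructs a minimal ClientHello record (test input, not a real capture; the random bytes, cipher suite and extension layout are chosen for the example) and parses the host name back out the way the dissector does, returning None where there is nothing to find (non-handshake record, truncated data, or a Client Hello without SNI).

```python
import struct

SNI_EXT = 0x0000          # extension type for server_name (RFC 6066)
HANDSHAKE = 0x16          # TLS record content type
CLIENT_HELLO = 0x01       # handshake message type


def build_client_hello(server_name=None):
    """Constructed test input: a minimal TLS ClientHello record.

    If server_name is given it is placed in an SNI extension after a
    supported_versions extension, so the parser has to walk past one
    extension before it finds the name. Not a real capture.
    """
    exts = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"   # supported_versions: TLS 1.3
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    body = (b"\x03\x03" + b"\x11" * 32            # client_version, random (fixed for the example)
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                          # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host name from the SNI extension of a ClientHello record, or None.

    Mirrors what the tls.handshake.extensions_server_name field displays.
    Returns None for non-handshake records, non-ClientHello messages,
    truncated data, or a ClientHello without SNI (e.g. an IP-literal target
    or a client using Encrypted Client Hello).
    """
    try:
        if record[0] != HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != CLIENT_HELLO:
            return None                            # truncated record or not a Client Hello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                            # truncated handshake message
        pos = 2 + 32                               # skip client_version and random
        pos += 1 + body[pos]                       # session_id (1-byte length)
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites (2-byte length)
        pos += 1 + body[pos]                       # compression_methods (1-byte length)
        if pos + 2 > len(body):
            return None                            # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != SNI_EXT:
                continue
            # server_name_list: 2-byte list length, then (name_type, 2-byte length, name) entries
            q = 2
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                     # host_name entry
                    return edata[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("ntp1-mifd.com")))   # host name from the SNI extension
    print(extract_sni(build_client_hello()))                   # None: no SNI present
    print(extract_sni(b"\x17\x03\x03\x00\x05hello"))           # None: application data, not a handshake
```

The bounds checks matter in practice: a capture often contains truncated frames (snaplen) and records split across TCP segments, and a parser that trusts the length fields blindly will raise on exactly the packets you most want to look at.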