
Possible Duplicate:
How can I filter https when monitoring traffic with Wireshark?

I want to verify that the analytics package I've added to my iOS app is attempting to talk to the analytics servers (which I don't control). I think the analytics package is communicating via HTTPS. So I'd like to monitor HTTPS traffic (I don't care about decrypting it... I just want to see if it's there).

How can I do this with Wireshark? For example my current Wireshark setup (which is just a default setup) allows me to monitor traffic to http://www.duckduckgo.com but not https://www.duckduckgo.com. Do I need to change some settings in Wireshark?

Thanks!

MrDatabase

2 Answers


If you don't care about the payload, then just start Wireshark on a device somewhere on your network that will see all the traffic. Possibly this means setting up an AP with the wired interface connected to a hub, which your monitoring system is also connected to.

If you want the payload and you don't have the private keys, then there is basically no way to do this easily. If you could do this, then you could basically monitor any SSL traffic. If you have the private keys provided by the server, then the details are covered in the Wireshark docs.

I suppose it isn't true to say you can't do it, but doing it requires steps I am not sure are possible on an iOS device. It will take quite a bit of work to actually get this set up.

  • Basically you could set up your own CA. (tinyca is really easy)
  • Install the CA certificate onto the iOS device. (may require using the iOS enterprise management tools)
  • From your CA create a key pair where the CN corresponds to the site you want to monitor
  • Set up an SSL proxy (e.g. stunnel) using that keypair.
  • Use some monitoring tool on that proxy.
Zoredache
  • I've also logged traffic on port 443 with tcpdump. Any way to tell which traffic is coming from the iOS device? – MrDatabase Aug 23 '11 at 22:56
  • Look at the source address? If it is the IP of the iOS device, then it came from the iOS device. – Zoredache Aug 23 '11 at 23:00
  • Presumably if rvictl were used so that a tethered iOS device were using the Mac as a network interface (see e.g. http://developer.apple.com/library/mac/#qa/qa1176/_index.html ), there'd be no need to install anything on the device? – Tommy Mar 11 '13 at 22:42

Filter on port: tcp.port==443

HostBits
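The port filter confirms that TLS traffic exists, but the asker also wants to know that it is the analytics servers being contacted, without decrypting anything. The Server Name Indication in the TLS ClientHello is sent in the clear, so a capture can be reduced to "which server names did this device's source address send ClientHellos to", which is the check the comments on the other answer describe. The following is an added example, not code from either answer; the IP addresses, host names and packet list are constructed, and in practice the TCP payloads would come from a pcap rather than be built in the script.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with an SNI extension (constructed sample input)."""
    host = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host              # name_type = host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32                                     # client_version, random
            + b"\x00"                                                      # empty session_id
            + b"\x00\x02\x13\x01"                                          # one cipher suite
            + b"\x01\x00"                                                  # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake

def extract_sni(payload: bytes):
    """Return the SNI host name from a TLS ClientHello, or None if this is not one or has no SNI."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 43                                   # 5 record hdr + 4 handshake hdr + 2 version + 32 random
        p += 1 + payload[p]                      # skip session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # skip cipher_suites
        p += 1 + payload[p]                      # skip compression_methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                       # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                              # truncated or malformed record
    return None

def servers_contacted(packets, device_ip: str):
    """Given (src_ip, dst_port, tcp_payload) tuples, return the TLS server names the device sent to."""
    return {sni for src, dport, data in packets
            if src == device_ip and dport == 443 and (sni := extract_sni(data))}

# Constructed sample capture: 10.0.0.23 is the hypothetical iOS device, 10.0.0.7 another LAN host.
SAMPLE_PACKETS = [
    ("10.0.0.23", 443, build_client_hello("analytics.example.net")),
    ("10.0.0.23", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.7", 443, build_client_hello("mail.example.org")),
    ("10.0.0.23", 443, b"\x17\x03\x03\x00\x10" + b"\x00" * 16),            # application data, no SNI
]
```

In Wireshark itself the same view is the display filter `ip.src == <device ip> && tls.handshake.extensions_server_name`, which lists only the ClientHellos from the device along with their server names.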