I took a pcap trace when accessing a website using Opera Mini on my mobile, and as Opera Mini uses a SOCKS proxy to tunnel HTTP traffic, the Wireshark trace shows most of the packets as SOCKS packets. Is there a way to extract the HTTP payload from this?
1 Answer
7
Once a SOCKS connection has been established and authenticated, all exchanged data afterwards on that same connection is the HTTP data. Locate the first data packet after the SOCKS handshake is complete and tell Wireshark to decode it and all subsequent packets as HTTP instead of SOCKS.

Remy Lebeau
- How to do `tell Wireshark to decode it and all subsequent packets as HTTP instead of SOCKS`? – huang Jun 05 '21 at 15:56
- @JokeHuang select/filter the desired packet(s), then right-click, choose "Decode as...", and select HTTP – Remy Lebeau Jun 05 '21 at 16:01
- That's decode all these port as, not the specified packets. How can I only `decode as` specified packets? – huang Jun 05 '21 at 16:55
- @JokeHuang you can decode specific packets individually, or you can filter out unwanted packets first and then decode all of the remaining packets in one go. – Remy Lebeau Jun 05 '21 at 17:04
- How can I decode different rows (packets) as different protocols at the same time? – huang Jun 05 '21 at 17:11
- @JokeHuang you have to decode some of the packets one way, and other packets another way. You really should be reading the Wireshark documentation and looking at online tutorials for this stuff. This is not a discussion forum. – Remy Lebeau Jun 05 '21 at 18:45
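
The point made in the answer, that everything after the SOCKS handshake is the tunneled HTTP data, can also be applied outside Wireshark. The following is an added example, not code from the original answer: it assumes the two directions of one TCP stream have already been reassembled into byte strings, that the proxy speaks SOCKS5 (RFC 1928) with either no authentication or username/password (RFC 1929), and that the request is a CONNECT. The function names and the sample bytes are constructed for illustration.

```python
import socket
import struct

def _read_addr(buf, pos):
    """Parse ATYP, address and port starting at buf[pos]; return (host, port, next_pos)."""
    atyp, pos = buf[pos], pos + 1
    if atyp == 0x01:                                   # IPv4
        host, pos = socket.inet_ntoa(buf[pos:pos + 4]), pos + 4
    elif atyp == 0x03:                                 # length-prefixed domain name
        n = buf[pos]
        host, pos = buf[pos + 1:pos + 1 + n].decode("ascii"), pos + 1 + n
    elif atyp == 0x04:                                 # IPv6
        host, pos = socket.inet_ntop(socket.AF_INET6, buf[pos:pos + 16]), pos + 16
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    (port,) = struct.unpack_from("!H", buf, pos)
    return host, port, pos + 2

def strip_socks5(client, server):
    """Skip the SOCKS5 handshake; return (dst_host, dst_port, client_payload, server_payload)."""
    try:
        if client[0] != 5 or server[0] != 5:
            raise ValueError("not a SOCKS5 stream")
        c, s = 2 + client[1], 2                        # greeting / method selection
        method = server[1]
        if method == 0x02:                             # username/password sub-negotiation
            ulen = client[c + 1]
            plen = client[c + 2 + ulen]
            if server[s + 1] != 0x00:
                raise ValueError("proxy rejected the credentials")
            c, s = c + 3 + ulen + plen, s + 2
        elif method != 0x00:
            raise ValueError(f"unsupported auth method {method:#x}")
        if client[c + 1] != 0x01:                      # CMD: only CONNECT carries a stream
            raise ValueError("not a CONNECT request")
        host, port, c = _read_addr(client, c + 3)      # skip VER CMD RSV
        if server[s + 1] != 0x00:                      # REP: 0 means succeeded
            raise ValueError(f"proxy refused the request, REP={server[s + 1]:#x}")
        _, _, s = _read_addr(server, s + 3)            # skip VER REP RSV, then BND.ADDR/PORT
    except (IndexError, struct.error, OSError) as exc:
        raise ValueError("truncated SOCKS5 handshake") from exc
    return host, port, client[c:], server[s:]

# Constructed sample streams: no-auth CONNECT to example.com:80, then plain HTTP.
CLIENT = b"\x05\x01\x00" + b"\x05\x01\x00\x03\x0bexample.com\x00\x50" + b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SERVER = b"\x05\x00" + b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    host, port, req, resp = strip_socks5(CLIENT, SERVER)
    print(f"{host}:{port}", req.split(b"\r\n")[0], resp.split(b"\r\n")[0])
```

The returned payloads are exactly the bytes that Wireshark would dissect as HTTP once "Decode as..." is applied to the post-handshake packets.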