Wireshark

January 12, 2025 full-stack note-to-self

Here are some notes on Wireshark, especially on filtering results.

Decrypt HTTPS/TLS (SSL)

You need to set an environment variable in a terminal, AND open the browser from that terminal:

SSLKEYLOGFILE=~/brave-keylog.log open -a "Brave Browser.app"

Then, you need to tell Wireshark where to find the key log file (Windows: Edit -> Preferences, Mac: Preferences):
- Protocols -> TLS -> "Pre-Master Secret log filename", enter the above path
- Name resolution -> Resolve network (IP) Addresses
- Start capturing and browse
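The decryption workflow above as a script, an added example that is not from these notes: it uses tshark (Wireshark's command-line tool) for the capture and decryption steps, and checks that the key log actually received secrets before you start decrypting, because a browser that was already running when you typed `open -a` just gets focused and never sees the SSLKEYLOGFILE variable, leaving an empty log. The interface name en0, the file paths and the presence of tshark are assumptions; the sample key log inside the script is constructed with fake hex values.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: the SSLKEYLOGFILE workflow
# scripted with tshark, plus a check that the key log holds secrets.
# Assumed: interface en0, the paths below, tshark on PATH. The browser must
# be started from the shell that exported SSLKEYLOGFILE; an instance that is
# already running will not pick the variable up.

KEYLOG="${SSLKEYLOGFILE:-$HOME/brave-keylog.log}"
IFACE="${IFACE:-en0}"
PCAP="${PCAP:-$HOME/tls-capture.pcapng}"

# The browser writes the NSS key log format: one record per line,
# "<LABEL> <client_random as 64 hex chars> <secret as hex>".
# TLS 1.2 sessions produce CLIENT_RANDOM; TLS 1.3 sessions produce the
# *_TRAFFIC_SECRET / EXPORTER_SECRET labels.
KEYLOG_LABELS='CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET'

# Print the number of well-formed key log records in the file given as $1
# (0 when the file is missing).
keylog_record_count() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -cE "^(${KEYLOG_LABELS}) [0-9a-fA-F]{64} [0-9a-fA-F]+\$" "$1" || true
}

# Succeed only when the key log holds at least one record. An empty log is
# the usual symptom of the browser not inheriting SSLKEYLOGFILE.
keylog_ready() {
  n=$(keylog_record_count "$1")
  [ "$n" -gt 0 ]
}

# The three commands of the workflow, printed rather than executed so the
# script can be read and tested without a browser or tshark present.
browser_launch_cmd() {
  printf 'SSLKEYLOGFILE=%s open -a "Brave Browser.app"\n' "$KEYLOG"
}
capture_cmd() {
  # -N n resolves network (IP) addresses, the CLI form of the GUI step
  printf 'tshark -i %s -N n -w %s\n' "$IFACE" "$PCAP"
}
decrypt_cmd() {
  # -o sets the same preference as Protocols -> TLS -> master-secret log filename
  printf "tshark -r %s -o tls.keylog_file:%s -Y 'http || http2' -T fields -e ip.dst -e http.request.full_uri -e http2.headers.path\n" "$PCAP" "$KEYLOG"
}

# Constructed sample key log (fake hex of the right lengths) to exercise the
# checks offline; a real file is written by the browser, never by hand.
write_sample_keylog() {
  cat > "$1" <<'EOF'
# Wireshark ignores comment and blank lines
CLIENT_RANDOM 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
CLIENT_HANDSHAKE_TRAFFIC_SECRET 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
this line is malformed and must not be counted
EOF
}

main() {
  echo "1. launch the browser from this shell:"; browser_launch_cmd
  echo "2. capture while browsing:"; capture_cmd
  if keylog_ready "$KEYLOG"; then
    echo "3. decrypt ($(keylog_record_count "$KEYLOG") records in $KEYLOG):"; decrypt_cmd
  else
    echo "3. $KEYLOG is missing or empty: quit the browser and relaunch it with step 1" >&2
  fi
}
main
```

Run it as `bash tls-decrypt.sh`; it prints the commands and says whether the key log is usable. The `-o tls.keylog_file:...` option is the tshark equivalent of the GUI preference, and `-N n` is the CLI form of network address resolution.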

Filtering as it Captures (more data can be captured, but only display this data**)

ip.dst_host ~ "website.com" <<< Double quotes work, single quotes do not

ip.src == 192.168.0.65 && tls <<< filter just my laptop outgoing

_ws.col.info contains "membership" or _ws.col.info contains "blog" <<< these _ws.col filters seem to be the most useful to me, in general

ip.src == 192.168.0.65 && tls && (http2.request.full_uri contains "player-results" || http.request.full_uri contains "player-results" || http3.request.full_uri contains "player-results") <<< mixed results

_ws.col.def_dst ~ "website.com" <<< my favorite!

** - also useful after the capture is done, and you are examining results.


Wireshark filter "wildcard" on IP: ip.addr == 192.168.1.0/24 (use CIDR…)

DNS: dns.qry.name contains "www" (also, you can see DNS protocol with just "dns").

In Wireshark, you can just type the protocol name to show only that protocol, but it has to be lowercase, not uppercase: dns not DNS, tcp not TCP, etc.

Wireshark filter for date: frame.time gt "Jan 15, 2025 00:00:00"

And date range: frame.time gt "Jan 15, 2025 00:00:00" and frame.time lt "Jan 15, 2025 08:20:00"

Capture Filters (won't capture anything but these)

In Wireshark, you can set "capture filters" before the capture to reduce how much is captured, and during/after the capture you can define "display filters" to reduce what is shown. Example capture filters:

host 172.18.5.4 << just that host

net 192.168.0.0/24 << range/wildcard for a network of hosts (also can do net 192.168.0.0 mask 255.255.255.0)

source only: src net 192.168.0.0/24 << (src net 192.168.0.0 mask 255.255.255.0)

destination only: dst net 192.168.0.0/24

Capture filter tcp works but not dns? For dns I had to do port 53. Weird, but I guess DNS isn't a "protocol" but more of a "service"?
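Capture filters use the pcap (BPF) syntax, which only has keywords for addresses, ports and link/network/transport-layer protocols, so application protocols such as dns or tls are selected by their port there, while display filters can use any dissected field. The script below, an added example not from these notes, shows both forms side by side with tshark and translates the filters used in these notes from the display syntax to the capture syntax; the interface name en0, the laptop address 192.168.0.65 (taken from the notes) and a tshark on PATH are assumptions, and the translation function itself runs without anything installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: capture filter (BPF, tshark -f)
# versus display filter (Wireshark fields, tshark -Y), with a translation
# table for the filters in these notes. Assumed: interface en0, laptop
# address 192.168.0.65, tshark on PATH when you actually capture.

IFACE="${IFACE:-en0}"
MYIP="${MYIP:-192.168.0.65}"

# Capture filters know hosts, nets, ports and a few low-level protocol
# keywords (tcp, udp, icmp, arp ...). Application protocols have no keyword,
# so dns becomes port 53; time ranges and dissected fields have no capture
# equivalent at all and stay display filters.
capture_equiv() {
  case "$1" in
    dns)                echo 'port 53' ;;
    tls)                echo 'tcp port 443' ;;      # approximation: TLS on the HTTPS port
    http)               echo 'tcp port 80' ;;
    "ip.src == "*)      echo "src host ${1#"ip.src == "}" ;;
    "ip.dst == "*)      echo "dst host ${1#"ip.dst == "}" ;;
    "ip.addr == "*/*)   echo "net ${1#"ip.addr == "}" ;;   # CIDR -> net
    "ip.addr == "*)     echo "host ${1#"ip.addr == "}" ;;
    *)                  echo "no capture-filter equivalent for: $1" >&2; return 1 ;;
  esac
}

# Laptop-only TLS, cut down at capture time with BPF, then narrowed at
# display time with a field BPF cannot see: the SNI hostname, which shows
# where the laptop connects without decrypting anything.
tls_sni_cmd() {
  printf "tshark -i %s -f 'src host %s and tcp port 443' -Y 'tls.handshake.extensions_server_name' -T fields -e ip.dst -e tls.handshake.extensions_server_name\n" "$IFACE" "$MYIP"
}

# DNS: "dns" is not a BPF keyword, so the capture filter is port 53 and the
# display filter does the "contains www" part.
dns_www_cmd() {
  printf "tshark -i %s -f 'port 53' -Y 'dns.qry.name contains \"www\"' -T fields -e frame.time -e dns.qry.name\n" "$IFACE"
}

main() {
  for f in dns tls 'ip.src == 192.168.0.65' 'ip.addr == 192.168.1.0/24' \
           'ip.addr == 172.18.5.4' 'frame.time gt "Jan 15, 2025 00:00:00"'; do
    if eq=$(capture_equiv "$f" 2>/dev/null); then
      printf '%-40s -> %s\n' "$f" "$eq"
    else
      printf '%-40s -> (display filter only)\n' "$f"
    fi
  done
  echo; tls_sni_cmd; dns_www_cmd
}
main
```

Both filters can be combined in one tshark run: `-f` limits what is written to disk and `-Y` what is shown, exactly like the capture and display filter boxes in the GUI.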