Wireshark
Here are some notes on Wireshark, especially on filtering results.
Decrypt HTTPS/TLS (SSL)
You need to set an environment variable in a terminal AND open the browser from that same terminal, so the browser process inherits it. Quit the browser first if it is already running: open would otherwise just focus the existing instance, which does not have the variable.
SSLKEYLOGFILE=~/brave-keylog.log open -a "Brave Browser.app"
Then, you need to tell Wireshark where to find the key log file (Windows: Edit -> Preferences, Mac: Wireshark -> Preferences):
- Protocols -> TLS -> "(Pre)-Master-Secret log filename", enter the above path
- Name resolution -> Resolve network (IP) addresses (this is what lets the hostname-based filters below match on names instead of raw IPs)
- Start capturing and browse
If nothing decrypts, check that the key log file is growing while you browse: an empty file means the browser never saw the variable. Chromium (and therefore Brave) also accepts the flag --ssl-key-log-file=<path>, e.g. open -a "Brave Browser.app" --args --ssl-key-log-file=$HOME/brave-keylog.log, which does not depend on the environment being passed through. The file holds the session secrets for everything you browsed, so treat it like a password file and delete it when done.
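Before fiddling with Wireshark preferences, it is worth checking that the key log file actually contains usable material. The script below is an added example for these notes (not Wireshark or Brave code): it parses the NSS key log format Wireshark reads (lines of <LABEL> <client_random hex> <secret hex>, '#' comments ignored), counts TLS 1.2 and TLS 1.3 sessions, and flags the failure modes that leave traffic undecryptable: an empty file (the browser never saw SSLKEYLOGFILE), malformed lines, wrong secret lengths, and TLS 1.3 sessions missing one direction's traffic secret. The sample log embedded in it is constructed for the example, not real key material.

```python
"""Sanity-check an NSS-format TLS key log (the file SSLKEYLOGFILE points at).

Added example for these notes, not Wireshark or browser code. Wireshark reads
lines of the form  <LABEL> <client_random hex> <secret hex>  and skips blank
lines and '#' comments.
"""
import re
import sys
from collections import Counter, defaultdict

# Expected secret size in bytes per label. TLS 1.2 logs one 48-byte master
# secret per session; TLS 1.3 logs per-direction secrets whose size is the
# cipher suite's hash length (32 for SHA-256, 48 for SHA-384).
TLS12_LABELS = {"CLIENT_RANDOM": {48}}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET": {32, 48},
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "CLIENT_TRAFFIC_SECRET_0": {32, 48},
    "SERVER_TRAFFIC_SECRET_0": {32, 48},
    "EXPORTER_SECRET": {32, 48},
}
TLS13 = set(TLS13_LABELS)
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]+) ([0-9a-fA-F]+)$")


def check_keylog(text):
    """Return (summary, problems) for the contents of a key log file."""
    problems = []
    sessions = defaultdict(set)  # client_random -> labels logged for it
    counts = Counter()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not '<LABEL> <hex> <hex>'")
            continue
        label, client_random, secret = m.groups()
        if len(client_random) != 64:  # the 32-byte ClientHello random
            problems.append(f"line {lineno}: client_random is {len(client_random) // 2} bytes, expected 32")
        allowed = TLS12_LABELS.get(label) or TLS13_LABELS.get(label)
        if allowed is None:
            problems.append(f"line {lineno}: unknown label {label}")
            continue
        counts[label] += 1
        sessions[client_random.lower()].add(label)
        if len(secret) % 2 or len(secret) // 2 not in allowed:
            problems.append(f"line {lineno}: {label} secret is {len(secret)} hex chars, "
                            f"expected {sorted(allowed)} bytes")
    # A TLS 1.3 session needs both application traffic secrets; with only one,
    # Wireshark can decrypt just one direction of the application data.
    for client_random, labels in sessions.items():
        if labels & TLS13:
            for needed in ("CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"):
                if needed not in labels:
                    problems.append(f"session {client_random[:16]}...: missing {needed}")
    if not sessions:
        problems.append("no key material found: the browser never saw SSLKEYLOGFILE "
                        "(launch it from the terminal that sets the variable, with no instance already running)")
    summary = {
        "tls12_sessions": sum(1 for labels in sessions.values() if "CLIENT_RANDOM" in labels),
        "tls13_sessions": sum(1 for labels in sessions.values() if labels & TLS13),
        "labels": dict(counts),
    }
    return summary, problems


def check_keylog_file(path):
    with open(path, encoding="ascii") as fh:
        return check_keylog(fh.read())


SAMPLE_KEYLOG = (  # constructed sample for this example, not real key material
    "# a real file is written by the browser; this one is hand-made\n"
    f"CLIENT_RANDOM {'11' * 32} {'22' * 48}\n"                       # TLS 1.2, fine
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'44' * 32}\n"     # TLS 1.3 session, complete
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'45' * 32}\n"
    f"CLIENT_TRAFFIC_SECRET_0 {'33' * 32} {'46' * 32}\n"
    f"SERVER_TRAFFIC_SECRET_0 {'33' * 32} {'47' * 32}\n"
    f"EXPORTER_SECRET {'33' * 32} {'48' * 32}\n"
    f"CLIENT_TRAFFIC_SECRET_0 {'55' * 32} {'56' * 48}\n"             # server secret never logged
    f"CLIENT_RANDOM {'77' * 32} {'88' * 40}\n"                       # truncated master secret
    "garbage line here\n"                                            # not key log syntax
)

if __name__ == "__main__":
    summary, problems = check_keylog_file(sys.argv[1]) if len(sys.argv) > 1 else check_keylog(SAMPLE_KEYLOG)
    print(summary)
    for p in problems:
        print("PROBLEM:", p)
```

Run it with the key log path as the first argument (python check_keylog.py ~/brave-keylog.log); with no argument it checks the built-in sample, which reports three problems and two sessions of each TLS version.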
Display Filters (filtering as it captures: everything is still captured, but only matching packets are shown**)
ip.dst_host ~ "website.com"
<<< ~ is the "matches" operator, a case-insensitive regular expression. Double quotes work, single quotes do not
ip.src == 192.168.0.65 && tls
<<< just TLS traffic leaving my laptop (192.168.0.65 is the laptop's address)
_ws.col.info contains "membership" or _ws.col.info contains "blog"
<<< these _ws.col filters seem to be the most useful to me, in general. Note that "contains" is a case-sensitive substring test ("Membership" in the Info column would not match); use ~ for case-insensitive matching
ip.src == 192.168.0.65 && tls && (http2.request.full_uri contains "player-results" || http.request.full_uri contains "player-results" || http3.request.full_uri contains "player-results")
<<< mixed results. Partly expected: the http*.request.full_uri fields are only populated once decryption is working, and HTTP/3 runs over QUIC (UDP) rather than a TLS stream, so the "tls" clause excludes the QUIC packets that carry HTTP/3 requests
_ws.col.def_dst ~ "website.com"
<<< my favorite! _ws.col.def_dst is the Destination column, so this depends on name resolution being turned on (see above); otherwise the column holds raw IPs
** Display filters are also useful after the capture is done, while you are examining the results.
Wireshark filter "wildcard" on IP: use CIDR notation
ip.addr == 192.168.1.0/24
<<< ip.addr matches the source OR the destination; use ip.src or ip.dst for one direction only
DNS: dns.qry.name contains "www" (you can also see all DNS traffic with just "dns").
In Wireshark, you can just type the protocol name to show that protocol, but it has to be in lowercase, not uppercase: dns not DNS, tcp not TCP, etc.
Wireshark filter for date:
frame.time gt "Jan 15, 2025 00:00:00"
And a date range:
frame.time gt "Jan 15, 2025 00:00:00" and frame.time lt "Jan 15, 2025 08:20:00"
<<< gt and lt are the same as > and <; a time given without a zone is interpreted as local time on the machine running Wireshark
Capture Filters (won't capture anything but these)
In Wireshark, you can set "capture filters" before the capture starts to reduce how much is captured, and during/after the capture you can define "display filters" to reduce what is shown. The two use different syntaxes: capture filters are libpcap/BPF expressions (the same ones tcpdump takes), while display filters use Wireshark's own field names as shown above. Example capture filters:
host 172.18.5.4
<< just that host
net 192.168.0.0/24
<< range/wildcard for a network of hosts (also can do net 192.168.0.0 mask 255.255.255.0)
source only: src net 192.168.0.0/24
<< (src net 192.168.0.0 mask 255.255.255.0)
destination only: dst net 192.168.0.0/24
Capture filter tcp works, but dns does not. For DNS I had to use port 53 (udp port 53 or tcp port 53 to pick one transport; plain port 53 catches both, and DNS over TCP does occur for large answers and zone transfers).
<< The reason is that capture filters are libpcap/BPF primitives that understand link, network and transport headers (ether, ip, tcp, udp, icmp, host, net, port) but nothing about application protocols, so DNS can only be described by its port. The same applies to http (port 80) and tls (port 443) in a capture filter; as display filters they work by name because Wireshark dissects the payload.