How can I filter https when monitoring traffic with Wireshark?

Solution 1:

tcp.port==443 in the filter window (mac)

Solution 2:

As 3molo says. If you're intercepting the traffic, then port 443 is the filter you need. If you have the site's private key, you can also decrypt that SSL. (Needs an SSL-enabled version/build of Wireshark.)

See http://wiki.wireshark.org/SSL


Solution 3:

"port 443" in capture filters. See http://wiki.wireshark.org/CaptureFilters


It will be encrypted data though.


Solution 4:

Filter tcp.port==443 and then use the (Pre)-Master-Secret obtained from a web browser to decrypt the traffic.

Some helpful links:

https://security.stackexchange.com/questions/35639/decrypting-tls-in-wireshark-when-using-dhe-rsa-ciphersuites/42350#42350

https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

"Since SVN revision 36876, it is also possible to decrypt traffic when you do not possess the server key but have access to the pre-master secret... In short, it should be possible to log the pre-master secret to a file with a current version of Firefox, Chromium or Chrome by setting an environment variable (SSLKEYLOGFILE=). Current versions of QT (both 4 and 5) allow to export the pre-master secret as well, but to the fixed path /tmp/qt-ssl-keys and they require a compile time option: For Java programs, pre-master secrets can be extracted from the SSL debug log, or output directly in the format Wireshark requires via this agent." (jSSLKeyLog)
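An added example, not part of the answer above: when Wireshark still shows encrypted records after a key log is loaded, a common cause is that the file written via SSLKEYLOGFILE has no usable entry for that session. This sketch parses the key log format and reports whether a given Client Hello random is covered; the function names and all sample values are constructed for illustration.

```python
import re

# Labels from the NSS key log format. CLIENT_RANDOM carries a TLS 1.2 master
# secret; the others carry TLS 1.3 secrets. Legacy "RSA" lines are rejected.
TLS13 = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
         "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
         "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
NEED13 = TLS13 - {"CLIENT_EARLY_TRAFFIC_SECRET", "EXPORTER_SECRET"}
HEX = re.compile(r"[0-9a-fA-F]+")

R12, R13 = "ab" * 32, "cd" * 32  # constructed client randoms
SAMPLE = "\n".join([             # constructed key log, not real key material
    "# comment line as written by the logging application",
    f"CLIENT_RANDOM {R12} {'11' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R13} {'22' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R13} {'33' * 32}",
    f"CLIENT_RANDOM {R12[:10]} {'11' * 48}",  # truncated client random
])

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [(line_no, reason)])."""
    sessions, errors = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 3:
            errors.append((no, "expected 3 fields"))
            continue
        label, rnd, secret = parts
        if label != "CLIENT_RANDOM" and label not in TLS13:
            errors.append((no, "unsupported label " + label))
        elif not HEX.fullmatch(rnd) or len(rnd) != 64:
            errors.append((no, "client random is not 32 bytes of hex"))
        elif not HEX.fullmatch(secret) or (label == "CLIENT_RANDOM" and len(secret) != 96):
            errors.append((no, "bad secret"))
        else:
            sessions.setdefault(rnd.lower(), {})[label] = secret.lower()
    return sessions, errors

def can_decrypt(sessions, client_random):
    """Return 'tls1.2', 'tls1.3' or None for one Client Hello random."""
    labels = sessions.get(client_random.replace(":", "").lower(), {})
    if "CLIENT_RANDOM" in labels:
        return "tls1.2"
    # Two-way TLS 1.3 decryption needs both handshake and both traffic secrets.
    return "tls1.3" if NEED13 <= set(labels) else None

if __name__ == "__main__":
    sessions, errors = parse_keylog(SAMPLE)
    print(can_decrypt(sessions, R12), can_decrypt(sessions, R13), errors)
```

Treat the key log file like a private key: anyone holding it together with the capture can read the sessions it covers.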


Solution 5:

You can use the "tls" filter:


TLS stands for Transport Layer Security, which is the successor to the SSL protocol. If you're trying to inspect an HTTPS request, this filter may be what you're looking for.