Is it possible to see a packet before encryption?

With the availability of browser extensions, actually reading the traffic should be quite doable. If both the malware and web browser run as the same user (and therefore can write to the browser profile directory), then installation of browser extensions can be done relatively easily.

You can also open the Web Developer Tools, typically accessible by pressing F12, and visit the Networking tab. That will show you all traffic before it is encrypted and pushed onto the network.

The above methods are passive ways that do not interfere with communications. Active methods perform a man-in-the-middle (MitM) attack and actually modify data before it gets forwarded (Tylerl describes an example with Fiddler).
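
A defensive follow-up to the answer above, added here and not part of the original answer: a Python script that inventories a Chromium-style `Extensions/<id>/<version>/manifest.json` tree and flags extensions whose declared permissions let them observe traffic before it is encrypted. The permission lists, the function names and the sample profile are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumed watch lists: API permissions and host patterns that expose traffic.
RISKY_APIS = {"webRequest", "webRequestBlocking", "debugger", "proxy"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extensions(ext_root):
    """Return [(extension_id, name, reasons)] for extensions that can see traffic."""
    findings = []
    for manifest_path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append((ext_id, "?", ["unreadable manifest"]))
            continue
        if not isinstance(manifest, dict):
            findings.append((ext_id, "?", ["unreadable manifest"]))
            continue
        perms = set()
        for key in ("permissions", "optional_permissions", "host_permissions"):
            perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
        for script in manifest.get("content_scripts", []):
            if isinstance(script, dict):
                perms.update(script.get("matches", []))
        reasons = (perms & RISKY_APIS) | (perms & BROAD_HOSTS)
        if reasons:
            findings.append((ext_id, manifest.get("name", "?"), sorted(reasons)))
    return findings


def build_sample_profile(root):
    """Constructed sample data: two fake extensions under a temporary directory."""
    samples = {
        "a" * 32: {"name": "Dark Theme", "permissions": ["storage"]},
        "b" * 32: {"name": "Helper", "permissions": ["webRequest", "<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        ext_dir = Path(root) / ext_id / "1.0_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, name, reasons in audit_extensions(build_sample_profile(tmp)):
            print(f"{ext_id} {name}: {', '.join(reasons)}")
```

To audit a real profile, call `audit_extensions()` with the path of the profile's `Extensions` directory and compare the flagged IDs against the extensions you knowingly installed.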


The network traffic out of your browser gets encrypted before the browser calls send() to put it on the network. So to intercept it before encryption, you'd have to intercept it before it's sent at all -- that is, within the browser itself. This isn't impossible, but it's a lot of work.

An alternative is to set up a "Man In The Middle" proxy, such as Fiddler, which decrypts the traffic before it leaves your network, inspects it, and then re-encrypts it on its way out. Generally, SSL is designed to prevent this, so you'll need some amount of cooperation by your computer to allow it (i.e. your browser will have to trust Fiddler's public key), but this is all part of how you set up Fiddler, so it's well-enough documented.


The browser (I think) must create that packet and encrypt it afterwards. So if I am on the machine creating those packets, am I able to see them before encryption?

No, that's not how it works. Inside the browser, the data is encrypted and only encrypted data is passed between the browser and the network stack. The network stack splits the encrypted data into packets and re-assembles received encrypted data from packets back into the stream of data for the browser to decrypt. There simply aren't any packets at the level the browser handles, and the browser handles the encryption and decryption.

So your question is based on a false premise.