Reputation: 19757
I'm testing an iOS application and I just want to see when HTTPS traffic is sent. I'm not interested in the contents of the traffic. How can I configure Wireshark to do this?
This is just to verify that an analytics package is working. I don't have any control over the servers that my app is talking to.
Thanks!
Edit #1: My current Wireshark configuration can see traffic to http://www.duckduckgo.com but not https://www.duckduckgo.com
Upvotes: 28
Views: 57867
Reputation: 17545
If you want to decrypt the SSL traffic in order to listen in on it, have a look at the Wireshark Wiki. The explanation is a bit longer, but enables you to decrypt SSL traffic.
You also might want to listen on port 443 instead of 80.. :-)
Upvotes: 10
Reputation: 378
Set the following as a filter after you've started capturing on the appropriate network interface:
tcp.port == 443 || tcp.port == 80
This will ensure display of data for only HTTP & HTTPS connections that you can further inspect.
Upvotes: 11
Reputation: 63707
An alternative is using your Mac as a Wi-Fi access point and sniffing the traffic with TCPDump. Here are the steps:
1. Create Network. Give it a random name, select security, and set a password.
2. System Preferences > Sharing: set To computers using: Wi-Fi.
3. In Wi-Fi Options... choose the network you created before.
4. In Share your connection from:, choose the interface you are getting Internet from, usually Ethernet.
5. Internet Sharing, and connect to this new Wi-Fi network from your iPhone.
6. Settings > General > Network and check your Internet with Safari. Sometimes it takes a few seconds.
7. sudo tcpdump -s 0 -A -i en1 port 443 > log.txt
   Use ifconfig if you have a network interface other than en1.
The log generated can also be imported by Wireshark (which is a GUI version of tcpdump).
TCPDump is included with all versions of OS X. For other options, see Technical Q&A QA1176 Getting a Packet Trace.
Upvotes: 13
Reputation: 3587
Yes. Wireshark can watch any and all ethernet traffic made available to it. The issue to solve is whether the machine running Wireshark will see all of the ethernet traffic you are interested in detecting the presence of.
Upvotes: 1