Using Wireshark for Packet Capture, Filtering, and HTTPS Analysis

This article introduces Wireshark as a cross‑platform packet capture tool, explains its installation and basic UI, details capture and display filter syntax with examples, and demonstrates how to decrypt and analyze HTTPS traffic by importing SSL key logs.

By 转转QA

In daily testing work, whether on the client or the server side, a packet capture tool is essential for verifying the data actually exchanged between client and server. Fiddler is a popular HTTP(S) proxy (the classic version is Windows‑only), but as a proxy it only sees traffic that clients have been configured to send through it. Wireshark is an open‑source, cross‑platform packet sniffer that captures frames directly from the network interface, so it sees every protocol on the wire, not just HTTP, and decodes each packet down to individual header fields.

Installation and basic usage: Download the installer for your platform from the official website (https://www.wireshark.org/download.html). Capturing requires the privileges the installer sets up (on Linux, membership in the wireshark group so that dumpcap may open the interface). The main toolbar has buttons to start, stop and restart a capture and to open the capture options. Below the toolbar is the capture filter field, followed by the list of network interfaces; select an interface to begin capturing on it.

In the packet details pane each captured packet is shown as a stack of protocol layers (Frame, Ethernet, IP, TCP or UDP, application protocol), which maps onto the layers of the OSI model, with the decoded fields of every layer.

Filters

Because Wireshark captures low‑level network packets, the amount of data can be large. Wireshark provides two types of filters to help narrow down the data:

Capture filters : Set before starting a capture, in the BPF (pcap‑filter) syntax shared with tcpdump, to limit which packets are recorded at all, which keeps the capture file small. A capture filter cannot be changed while the capture is running, and a packet it discards is gone for good. Example syntax:

Capture only TCP packets with destination port 8080: tcp dst port 8080

Capture only packets from source IP 192.168.171.201: ip src host 192.168.171.201 (the shorter src host 192.168.171.201 also works)

Display (show) filters : Applied to already captured data at any time, in Wireshark's own field‑based syntax (protocol.field, comparison operators, and/or/not), and can be changed freely without losing any packets. Example syntax:

Source address in 192.168.171.0/24: ip.src == 192.168.171.0/24

All HTTP POST requests: http.request.method == "POST"

Packets with the TCP SYN flag set: tcp.flags.syn == 1 (the field is a single bit, so tcp.flags.syn == 0x02 never matches; to test the whole flags byte, for example SYN without ACK, use tcp.flags == 0x002)

HTTP requests whose URI contains "baidu": http.request.uri contains "baidu" (this checks the request path, not the Host header)
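As an added example that is not part of the original article, the following Python script decodes hand‑built Ethernet/IPv4/TCP frames and evaluates predicates equivalent to the display filters listed above, using Wireshark's field names as dictionary keys, so the byte each field refers to is visible. It is a teaching evaluator, not Wireshark's filter engine; the frames, addresses and HTTP payloads are constructed for this example.

```python
"""Added example, not from the original article: decode constructed
Ethernet/IPv4/TCP frames and evaluate predicates equivalent to the display
filters discussed above, using Wireshark's field names as dictionary keys.
This is a teaching evaluator, not Wireshark's filter engine."""
import ipaddress
import struct

def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet II + IPv4 + TCP frame (no options, no checksums)."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234,
                     0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload

def decode(frame):
    """Return the frame's fields keyed by Wireshark field name, or None if not IPv4."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    fields = {
        "ip.src": ipaddress.IPv4Address(frame[26:30]),
        "ip.dst": ipaddress.IPv4Address(frame[30:34]),
        "ip.proto": frame[23],
    }
    if fields["ip.proto"] != 6:
        return fields
    t = 14 + ihl                              # start of the TCP header
    data_off = (frame[t + 12] >> 4) * 4
    flags = frame[t + 13]                     # FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10
    fields.update({
        "tcp.srcport": struct.unpack("!H", frame[t:t + 2])[0],
        "tcp.dstport": struct.unpack("!H", frame[t + 2:t + 4])[0],
        "tcp.flags": flags,                   # the whole flags byte
        "tcp.flags.syn": (flags >> 1) & 1,    # one bit: 0 or 1, never 0x02
        "tcp.flags.ack": (flags >> 4) & 1,
        "tcp.payload": frame[t + data_off:],
    })
    return fields

def request_uri(payload):
    """URI from an HTTP/1.x request line ('METHOD URI HTTP/1.x'), else b''."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return parts[1]
    return b""

SUBNET = ipaddress.ip_network("192.168.171.0/24")

FILTERS = {
    "ip.src == 192.168.171.0/24":
        lambda f: f["ip.src"] in SUBNET,
    "tcp.flags.syn == 1":                     # correct: the bit field is 0 or 1
        lambda f: f.get("tcp.flags.syn") == 1,
    "tcp.flags.syn == 0x02":                  # common mistake: never matches
        lambda f: f.get("tcp.flags.syn") == 0x02,
    "tcp.flags == 0x002":                     # SYN only: first packet of a handshake
        lambda f: f.get("tcp.flags") == 0x002,
    'http.request.method == "POST"':
        lambda f: f.get("tcp.payload", b"").startswith(b"POST "),
    'http.request.uri contains "baidu"':      # matches the URI, not the Host header
        lambda f: b"baidu" in request_uri(f.get("tcp.payload", b"")),
}

def apply_filter(expr, frames):
    """Indices of the frames that the named filter expression matches."""
    pred = FILTERS[expr]
    matches = []
    for i, frame in enumerate(frames):
        fields = decode(frame)
        if fields is not None and pred(fields):
            matches.append(i)
    return matches

# Constructed traffic: a handshake and two HTTP requests (payloads are made up).
SAMPLE_FRAMES = [
    build_frame("192.168.171.201", "10.0.0.5", 51000, 8080, 0x02),            # SYN
    build_frame("10.0.0.5", "192.168.171.201", 8080, 51000, 0x12),            # SYN,ACK
    build_frame("192.168.171.201", "10.0.0.5", 51000, 8080, 0x18,             # PSH,ACK
                b"POST /s?wd=baidu HTTP/1.1\r\nHost: www.baidu.com\r\n\r\n"),
    build_frame("192.168.1.7", "10.0.0.5", 51001, 8080, 0x18,
                b"GET /index.html HTTP/1.1\r\nHost: www.baidu.com\r\n\r\n"),
]

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:40} -> frames {apply_filter(expr, SAMPLE_FRAMES)}")
```

Running it shows the two points the filter list makes: the bit field tcp.flags.syn is compared against 1 (the 0x02 variant matches nothing), and a URI filter does not fire on the fourth frame even though its Host header contains "baidu".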

Analyzing HTTPS with Wireshark

1. What is HTTPS? HTTPS is HTTP carried over TLS. SSL (Secure Sockets Layer) was the predecessor of TLS (Transport Layer Security); every SSL version and TLS 1.0/1.1 are deprecated, so the version seen in practice is TLS 1.2 or 1.3. TLS sits between TCP and the application layer and provides server (optionally also client) authentication, confidentiality and integrity.

2. TLS handshake process The handshake authenticates the server and negotiates the session keys. The article shows a simplified diagram and the corresponding packet capture for each step of the TLS 1.2 handshake (ClientHello, ServerHello, Certificate, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished), each illustrated with an image. This is the TLS 1.2 flow; in TLS 1.3 the key shares travel inside ClientHello and ServerHello and everything after the ServerHello is already encrypted, so far fewer handshake messages appear in plaintext in Wireshark.

... (additional handshake step images omitted for brevity) ...

3. Decrypting HTTPS traffic To see the plaintext HTTP request inside an HTTPS session, Wireshark needs the session secrets. Chrome, Firefox and other clients that honour it (curl, for example) write them to the file named by the SSLKEYLOGFILE environment variable, one line per session keyed by the ClientHello random; the variable must be set before the client is launched. After capturing, point Wireshark at that file via Edit → Preferences → Protocols → TLS (called SSL in versions before 3.0) and the "(Pre)-Master-Secret log filename" setting. Two caveats: the capture must include the ClientHello of each session, because that is how Wireshark matches key‑log lines to sessions, and only sessions of the process that wrote the file can be decrypted; this does not decrypt arbitrary traffic on the network. The key log is as sensitive as the traffic itself and should be deleted when the analysis is done.

Once the key file is loaded, Wireshark shows the decrypted HTTP request details, and the display filter http (or http2) matches the decrypted streams. With tshark the same preference is passed as -o tls.keylog_file:/path/to/keys.log, and editcap --inject-secrets tls,keys.log in.pcapng out.pcapng embeds the secrets into the pcapng so the capture decrypts on its own without the separate file.
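As an added example that is not part of the original article, covering both the handshake section and the decryption step: the Python script below builds TLS 1.2 ClientHello records, parses the fields Wireshark shows under "Handshake Protocol: Client Hello" (version, Random, session ID, cipher suites), and then matches the 32‑byte Random against SSLKEYLOGFILE lines the way the decryption relies on. A session whose ClientHello is missing from the capture, or whose Random is absent from the key log, yields no secrets and would stay as opaque Application Data. All records, randoms and secrets are constructed for this example; the secrets are not real key material and no cryptography is performed.

```python
"""Added example, not from the original article: how an SSLKEYLOGFILE is
matched to a captured TLS session via the ClientHello Random.  Records,
randoms and secrets are constructed here; no real key material is involved."""
import struct

def build_client_hello(random32, cipher_suites, session_id=b""):
    """Constructed TLS 1.2 ClientHello inside a handshake record (type 0x16)."""
    body = b"\x03\x03" + random32                       # client_version, Random
    body += bytes([len(session_id)]) + session_id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # compression: null only
    body += b"\x00\x00"                                 # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Fields Wireshark shows under Handshake Protocol: Client Hello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", body[0:2])[0]
    random32 = body[2:34]                               # the value key logs are keyed by
    sid_len = body[34]
    pos = 35 + sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return {"version": version, "random": random32,
            "session_id": body[35:35 + sid_len], "cipher_suites": suites}

def parse_keylog(text):
    """Parse SSLKEYLOGFILE lines: '<LABEL> <client_random hex> <secret hex>'.
    TLS 1.2 logs CLIENT_RANDOM with the 48-byte master secret; TLS 1.3 logs
    one line per traffic secret (CLIENT_HANDSHAKE_TRAFFIC_SECRET, ...)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                                    # comment header, e.g. from NSS
        parts = line.split()
        if len(parts) != 3:
            continue                                    # malformed line: skip it
        label, client_random, secret = parts
        entries.setdefault(bytes.fromhex(client_random), {})[label] = bytes.fromhex(secret)
    return entries

def secrets_for_session(client_hello_record, keylog_text):
    """Labels and secrets the key log provides for this session; {} if none."""
    hello = parse_client_hello(client_hello_record)
    return parse_keylog(keylog_text).get(hello["random"], {})

# Constructed sessions: two whose secrets were logged, one that was not.
RANDOM_A = bytes(range(0x10, 0x30))                     # 32 bytes each
RANDOM_B = bytes(range(0x40, 0x60))
RANDOM_C = bytes(range(0x70, 0x90))
HELLO_A = build_client_hello(RANDOM_A, [0xC02F, 0x009C])   # TLS 1.2 suites
HELLO_B = build_client_hello(RANDOM_B, [0x1301, 0x1302])   # TLS 1.3 suites
HELLO_C = build_client_hello(RANDOM_C, [0xC02F])

KEYLOG = "\n".join([                                    # constructed, fake secrets
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + RANDOM_A.hex() + " " + "ab" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + RANDOM_B.hex() + " " + "01" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + RANDOM_B.hex() + " " + "02" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + RANDOM_B.hex() + " " + "03" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + RANDOM_B.hex() + " " + "04" * 32,
])

if __name__ == "__main__":
    for name, hello in (("A", HELLO_A), ("B", HELLO_B), ("C", HELLO_C)):
        found = secrets_for_session(hello, KEYLOG)
        print(name, sorted(found) or "no secrets: stays Application Data")
```

Session A decrypts via the TLS 1.2 master secret, session B via the four TLS 1.3 traffic secrets, and session C, whose Random is not in the log, cannot be decrypted at all; the same happens to a real session whose ClientHello was sent before the capture started.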
