From time to time it is necessary to debug on network traffic flow.
Necessary in troubleshooting scenarios, but also when you need to understand a given traffic flow.
This post shows some tips that can by used in Wireshark.
When analyzing SSL encrypted traffic, you would need to load the private key into Wireshark. Keep in mind that SSL traffic need to be using RSA cipher/keys in order for Wireshark to be able to decrypt, if traffic is encrypted with ECDHE / Elliptic curve diffie-hellman, wireshark would not be able to decrypt.
Note. When starting network trace, the SSL handshake needs to be captured, so SSL Session Reuse might need to be disabled temporarily on the server side if in use.
How to decrypt SSL traffic in Wireshark
Go to Preferences>Protocols and select “SSL”
Select to edit RSA Keys and input following
(Load the PFX or Key file and insert password)
Filters in Wireshark
In order to filter out specific traffic data in trace, following filters could be used.
http.request.uri contains "xxx"
ip.dst_host contains ""
http.request or http.response contains XXXX
Add extra column based on Delta Time
This can come out handy if you need to see the response time between requests in the trace.
Analyze SSL/TLS Conversion
ssl.handshake.type == 1 provides SSL Client Hello message.
ssl.handshake.type == 2 provides SSL Server Hello + Certificate and key exchange message.
Put in both with an OR operator and go to Statistics>Conversations:
ssl.handshake.type == 1 || ssl.handshake.type == 2
Analyze HTTP Request Response time
Analyzing response times on HTTP Requests with IO Graph.
Configure following filters:
Analyze DNS Response time
DNS traffic natively supplies the time in seconds in the DNS response.
Filter on DNS traffic.
Right Click Time in the DNS Response and select Apply as column in Wireshark. Then dns.time will be applied:
Go to Statistics>IO Graphs and configure as following: