When monitoring network traffic with Wireshark, HTTPS (HTTP over TLS) presents a challenge because it is encrypted by default. Unlike HTTP, which transmits data in plaintext, HTTPS wraps the whole HTTP exchange in TLS (the successor of SSL). Wireshark can still show you the TCP stream and the TLS records, but not the requests and responses inside them, unless you supply the key material described below.
For basic protocol identification, you can use these Wireshark display filters:
tcp.port == 443
ssl
tls
These filters show packets associated with HTTPS traffic but do not decrypt anything. The first catches all traffic on port 443, the default HTTPS port: it misses TLS on any other port and matches non-TLS traffic that happens to use 443. The other two select packets the TLS dissector recognised, whatever the port. tls is the current name; ssl and the ssl.* field names are the pre-3.0 names, kept for backward compatibility, so use tls in new filters.
To actually view HTTPS content in Wireshark, you need to give it the TLS session keys. There are two ways: the server's RSA private key, which only works when the session was negotiated with plain RSA key exchange (TLS 1.2 or earlier with a TLS_RSA_WITH_... cipher suite, so never with ECDHE suites or TLS 1.3), or a key log file written by the client, which works for every TLS version and cipher suite but requires control over one endpoint:
Method 1: Using Server Private Key
In Wireshark Preferences (Edit → Preferences → Protocols → TLS → RSA keys list):
- Add the server's IP address
- Specify the port (typically 443)
- Set the protocol the decrypted payload should be dissected as (http)
- Provide the path to the server's private key file (unencrypted PEM, or PKCS#12 together with its password)
Method 2: Using Pre-Master Secret
Configure the client to write the session secrets in NSS key log format. Firefox, Chrome/Chromium and curl all honour the SSLKEYLOGFILE environment variable; Chrome additionally accepts a command-line flag. The variable is read at process start, so set it in the shell before launching the program:
# Firefox, Chrome/Chromium, curl: set before starting the program
export SSLKEYLOGFILE=/path/to/keylogfile.log
# Chrome/Chromium alternative: command-line flag
--ssl-key-log-file=/path/to/keylogfile.log
Then in Wireshark TLS preferences, set "(Pre)-Master-Secret log filename" to this file. Treat the file like a credential store: anyone who can read it can decrypt every captured session it covers.
Once decryption is configured, you can use more specific filters:
http.request.method == "GET"
http.host contains "example.com"
http.response.code == 200
http.content_type contains "application/json"
These filters work exactly as they do for plain HTTP once the TLS is decrypted, with one caveat: most HTTPS sites negotiate HTTP/2 via ALPN, and decrypted HTTP/2 is shown by the http2 dissector rather than http, so if the http filters match nothing on a decrypted session, try the http2 filter first.
If you're having trouble decrypting HTTPS traffic:
- Ensure you're capturing the full TLS handshake (start the capture before the connection). Check with tls.handshake.type == 1 that the Client Hello is present; Wireshark cannot decrypt a session whose handshake it did not see, and a resumed session needs the secrets of the original handshake
- With a private key, verify that the key matches the server certificate and that the negotiated cipher suite uses RSA key exchange (TLS_RSA_WITH_...); with an ECDHE suite or TLS 1.3 the private key cannot help and you need the key log
- With a key log, check that the file is actually being written (it grows while you browse) and that it contains the client random of the session you are looking at; the browser must have been started after SSLKEYLOGFILE was set
- Try with a known-good configuration (like localhost testing)
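The "is the key log being written for this session" check above can be automated. The script below is an added example, not part of the original page: it pulls the client random out of a TLS Client Hello record, parses an NSS-format key log (the labels are the ones Wireshark reads: CLIENT_RANDOM for TLS 1.2 and earlier, the *_TRAFFIC_SECRET labels for TLS 1.3) and reports whether Wireshark has what it needs. The Client Hello bytes and the key log lines are constructed sample data.

```python
# Added example (not part of the original page): cross-check a captured
# ClientHello against the SSLKEYLOGFILE contents to see whether Wireshark
# has the secrets it needs for that session. Both inputs are constructed.

# NSS key-log labels Wireshark reads. TLS 1.2 and earlier log one line per
# session; TLS 1.3 logs several, all keyed by the same client random.
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}


def sample_client_hello(rand: bytes) -> bytes:
    """Constructed minimal ClientHello record carrying `rand` as client random.
    Layout: record header (5) | handshake header (4) | version (2) | random (32)
    | session id (1) | cipher suites | compression | extensions."""
    assert len(rand) == 32
    return (bytes.fromhex("16 0301 002f  01 00002b  0303") + rand
            + bytes.fromhex("00  0002 c02f  01 00  0000"))


def client_random_of(record: bytes):
    """Return the 32-byte client random if `record` is a TLS ClientHello, else None.
    0x16 = handshake record, handshake type 1 = ClientHello, random at offset 11."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43]


def parse_keylog(text: str) -> dict:
    """Parse NSS key-log lines into {client_random: {label: secret}}.
    Blank lines, '#' comments and malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        label, rand_hex, secret_hex = parts
        try:
            rand, secret = bytes.fromhex(rand_hex), bytes.fromhex(secret_hex)
        except ValueError:
            continue
        if len(rand) == 32:
            entries.setdefault(rand, {})[label] = secret
    return entries


def decryption_status(record: bytes, keylog: dict) -> str:
    """Explain why a session will or will not decrypt with the given key log."""
    rand = client_random_of(record)
    if rand is None:
        return "not a ClientHello: capture must include the start of the handshake"
    labels = keylog.get(rand)
    if not labels:
        return "no key-log entry for this session's client random"
    if "CLIENT_RANDOM" in labels:
        return "TLS 1.2 or earlier: master secret logged, decryptable"
    if TLS13_APP_LABELS.issubset(labels):
        return "TLS 1.3: application traffic secrets logged, decryptable"
    return "TLS 1.3: only partial secrets logged (" + ", ".join(sorted(labels)) + ")"


# Constructed sample data: three sessions, one of which never reached the log.
RAND_A, RAND_B, RAND_C = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + RAND_A.hex() + " " + "11" * 48,   # 48-byte master secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + RAND_B.hex() + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + RAND_B.hex() + " " + "33" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + RAND_B.hex() + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + RAND_B.hex() + " " + "55" * 32,
])

if __name__ == "__main__":
    log = parse_keylog(SAMPLE_KEYLOG)
    for rand in (RAND_A, RAND_B, RAND_C):
        print(rand[:4].hex(), "->", decryption_status(sample_client_hello(rand), log))
```

In practice you would feed client_random_of the bytes of the Client Hello exported from Wireshark (or the value of tls.handshake.random) and parse_keylog the real SSLKEYLOGFILE; a session reported as "no key-log entry" is one the browser started before the variable was set, or one whose handshake Wireshark never saw.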
When monitoring network traffic, HTTPS (TCP port 443) appears encrypted in Wireshark by default, unlike HTTP (TCP port 80), which displays plaintext. Analyzing HTTPS traffic therefore needs the right filters for the TLS layer and, for the content, key material.
The simplest display filter to show all HTTPS packets:
tcp.port == 443
This matches both directions of the conversation. Note that this is a display filter; the equivalent capture filter, which uses BPF syntax and must be set before the capture starts, is port 443. For more specific filtering by direction:
# Client-to-server (requests): the server's port 443 is the destination
tcp.dstport == 443
# Server-to-client (responses): the server's port 443 is the source
tcp.srcport == 443
To inspect the TLS handshake (the exchange that sets up the encryption):
# Filter for TLS handshake messages by type
tls.handshake.type == 1   # Client Hello
tls.handshake.type == 2   # Server Hello
tls.handshake.type == 11  # Certificate
The Client Hello and Server Hello are always sent in the clear, so the requested server name (tls.handshake.extensions_server_name) and the negotiated cipher suite (tls.handshake.ciphersuite) are visible without any decryption. In TLS 1.3 the Certificate message is encrypted, so the third filter only matches TLS 1.2 and earlier unless the session has been decrypted.
For actual content inspection with the server's private key, which only works for sessions negotiated with RSA key exchange (not with ECDHE cipher suites and never with TLS 1.3), configure Wireshark with the key:
- Go to Edit -> Preferences -> Protocols -> TLS -> RSA keys list
- Add the private key file (unencrypted PEM, usually .key or .pem, or PKCS#12 with its password)
- Set the correct IP address and port, and the protocol the decrypted payload should be dissected as
Example entry in the RSA keys list (IP, port, protocol, key file):
10.0.0.1,443,http,/path/to/server.key
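The two handshake facts that matter here, which message a record carries (what tls.handshake.type matches) and whether the Server Hello chose an RSA key exchange (whether the private-key method above can work at all), can be read straight from the bytes. The parser below is an added example, not code from the original page: it builds constructed Client Hello and Server Hello records, reports the handshake type and SNI, and flags the cipher suite. The cipher-suite tables are a small hand-picked subset, not the full IANA registry.

```python
# Added example (not part of the original page): a minimal parser for the TLS
# handshake messages that tls.handshake.type filters match, plus the check that
# decides whether the RSA-private-key method can decrypt a session at all.
# Sample records are constructed inline.

HANDSHAKE_TYPES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 14: "ServerHelloDone",
    16: "ClientKeyExchange", 20: "Finished",
}

# Cipher suites whose key exchange is plain RSA (TLS 1.2 and earlier). Only these
# sessions can be decrypted from the server's private key; (EC)DHE suites and
# every TLS 1.3 suite need the key log instead. Hand-picked subset of the registry.
RSA_KEY_EXCHANGE_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
OTHER_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3 only
}


def _record(hs_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in a handshake header and a TLS record header (0x16)."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs


def build_client_hello(host: str, rand: bytes) -> bytes:
    """Constructed ClientHello offering one cipher suite and an SNI extension."""
    name = host.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name          # name_type 0 = host_name
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0
    body = (b"\x03\x03" + rand + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + len(ext).to_bytes(2, "big") + ext)
    return _record(1, body)


def build_server_hello(suite: int, rand: bytes) -> bytes:
    """Constructed ServerHello selecting `suite`, empty session id, no extensions."""
    body = b"\x03\x03" + rand + b"\x00" + suite.to_bytes(2, "big") + b"\x00" + b"\x00\x00"
    return _record(2, body)


def _skip_hello_prefix(body: bytes) -> int:
    """Offset just past legacy_version, random and session_id (common to both Hellos)."""
    return 2 + 32 + 1 + body[34]


def _client_hello_sni(body: bytes):
    pos = _skip_hello_prefix(body)
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites vector
    pos += 1 + body[pos]                                  # compression_methods vector
    if pos + 2 > len(body):
        return None                                       # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + elen]
        if etype == 0 and len(data) >= 5 and data[2] == 0:  # server_name, host_name entry
            return data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii")
        pos += 4 + elen
    return None


def _server_hello_suite(body: bytes) -> int:
    pos = _skip_hello_prefix(body)
    return int.from_bytes(body[pos:pos + 2], "big")


def parse_handshake(record: bytes):
    """Describe a handshake record as a dict; None for non-handshake records
    (the same distinction the tls.handshake filter makes)."""
    if len(record) < 9 or record[0] != 0x16:
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    info = {"type": HANDSHAKE_TYPES.get(hs[0], "type %d" % hs[0])}
    if hs[0] == 1:
        info["sni"] = _client_hello_sni(body)
    elif hs[0] == 2:
        suite = _server_hello_suite(body)
        info["cipher_suite"] = (RSA_KEY_EXCHANGE_SUITES.get(suite)
                                or OTHER_SUITES.get(suite) or hex(suite))
        info["rsa_key_decryptable"] = suite in RSA_KEY_EXCHANGE_SUITES
    return info


if __name__ == "__main__":
    for rec in (build_client_hello("example.com", bytes(32)),
                build_server_hello(0x002F, bytes(32)),
                build_server_hello(0xC02F, bytes(32)),
                b"\x17\x03\x03\x00\x01\x00"):  # application_data record
        print(parse_handshake(rec))
```

If parse_handshake on a real Server Hello reports rsa_key_decryptable as False, no private key will make Wireshark show the content; switch to the key log method, which does not depend on the key exchange.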
Here's a display filter that shows HTTPS traffic between two specific hosts in both directions (ip.addr matches either the source or the destination address):
ip.addr == 192.168.1.100 && ip.addr == 104.18.25.46 && tcp.port == 443
This is equivalent to the longer form that spells out both directions:
(ip.src == 192.168.1.100 && ip.dst == 104.18.25.46 && tcp.port == 443) || (ip.src == 104.18.25.46 && ip.dst == 192.168.1.100 && tcp.port == 443)
- Ensure you're capturing on the correct network interface
- For localhost traffic, capture on the loopback interface (lo on Linux, the Npcap loopback adapter on Windows)
- Increase Wireshark's capture buffer size for high-traffic networks
- To detect new HTTPS connections, match the client's first SYN:
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport == 443
(tcp.flags.syn == 1 on its own also matches the server's SYN-ACK, so each connection would show up twice)