Wireshark-users: Re: [Wireshark-users] HTTPS sniffing ?
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 06 Jan 2008 14:18:51 -0800
xerces8 wrote:

Is there a (simple) way to sniff HTTPS traffic with wireshark ?
(not just headers, but actual data content)
(like with "HTTP Analyzer" where it is a single click)

If "HTTP Analyzer" is the application from IE Inspector:

	http://www.ieinspector.com/

they say

HTTPS is available if the application uses the Microsoft WININET API (ex. ie, outlook) or Mozilla NSS API. (ex. firefox, thunderbird)

which means that they might have some way of getting decrypted HTTP traffic from the application by, for example, interposing its own library in front of the WinInet or Mozilla NSS API or by using some hooks that those libraries provide, if, in fact, they provide it.

Wireshark isn't an "HTTP analyzer", it's a network analyzer that captures traffic at a much lower level (that's what it's intended to do and what it's designed to do). If it could determine the key needed to decrypt the traffic given only public keys and the raw network traffic, the first "S" in "SSL" and the "S" in "TLS" wouldn't belong there. :-)