Wireshark-users: Re: [Wireshark-users] follow gzip-encoded ssl conversation
Date Prev · Date Next · Thread Prev · Thread Next
From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 1 Apr 2013 08:40:32 +0200
On 30 mrt 2013, at 15:43, Dan wrote:

> Is this actually possible? "Follow TCP stream" gives ascii-encode
> binary garbage.

Which is logical, as the TCP payload is SSL and SSL is encrypted data, which results in random-looking data.

> Export menu contains no HTTP objects.

Also logical, the HTTP traffic is encrypted, as it should be otherwise there was not much use for SSL. However, you can decrypt SSL traffic in Wireshark when you possess the private key of the server. When configured correctly (and meeting the requirements of having the full SSL handshake in the capture file and not using a DH cipher), you will see HTTP objects in the export menu.

> The top pages that come out of google are useless.

Which pages are you referring too?

> There UI has three panes, but they have no names,

Oh... but they do, they're called "Packet List", "Packet Details" and "Packet Bytes"

> and there are no tabs.

What kind of tabs do you want?

> And one cannot go below the SSL layer in the middle pane (whatever the heck it's
> supposed to be called).

See above, it is possible to go below SSL

> I've used ethereal successfully with other protocols, but I've never
> found it friendly (or even rational) in its UI organization.

Then take a look at the "Layout" section in the Preferences and you can change the way UI is organized. And if that does not help, the beauty of Open Source Software is that you are able to make the changes to make it fit your needs...

... and if it does not fit your needs, then you can walk away from it with no harm done (except for the time spent on downloading and testing it) to find the piece of software that does fit your needs.

Cheers,
Sake