Login/Register
Monitoring secure web sockets (wss) with wireshark
Asked Answered
websocketwireshark
N

1

10

I have an application that uses secure websockets that I am having trouble with.

I would like to use wireshark to debug the problem, however I can not figure out the correct parameters to put into wireshark to monitor and display a secure web socket connection using HTTPS.

Does anyone know of a wireshark filter that would accomplish what I need and if I need to do anything else to monitor secure websockets using wireshark?

Notify answered 9/2, 2016 at 14:23 Comment(1)
You can use chrome. Take a look at this answer:https://mcmap.net/q/64696/-how-to-view-ws-wss-websocket-request-content-using-firebug-or-other. I believe wireshark will show WSS as TCPFractocumulus
T
4

If you want to monitor a WebSocket connection between the browser and a server, then it might be easiest to use the Chrome or Firefox developer tools.

The following applies to WebSockets using the HTTP/1.1, it might not work for WebSockets bootstrapped with HTTP/2 (RFC 8441).
The following steps describe the necessary steps for Wireshark 3.4.0, but it will likely work for newer versions as well.

  1. Because secure WebSocket connections (URI scheme wss) tunnel the data over TLS, the general steps for decrypting TLS traffic with Wireshark apply, see the Wireshark wiki article.
    Depending on your setup these steps and capturing of packets might have to be performed before the WebSocket server is started and before the connection to the client is established.
  2. WebSockets use TCP for transmission, therefore you have to use a Wireshark display filter which only shows the relevant TCP segments.
    For example if your WebSocket server is listening on port 443, you could use the following to show only incoming and outgoing packets to that port: 
    tcp.port == 443
  3. If you performed the previous steps correctly and click on one of the TLS "Application data" packets, it should show a "Decrypted TLS" tab at the left bottom corner:
    Wireshark decrypted TLS tab
  4. If you are using the well-known port 443, then Wireshark is able to detect the HTTP upgrade to WebSocket on its own.
    1. However, if you are using a custom port, you have to tell Wireshark how to decode the packets. To do so right click on any of the packets and select "Decode As...":
      Packet context menu 'Decode As...'
    2. In the new dialog, click on "(none)" in the "Current" column and select "HTTP" from the dropdown:
      Decode as HTTP dropdown
  5. You should now see the HTTP upgrade to the WebSocket protocol and all of the WebSocket messages. Additionally you can inspect their content:
    Decoded WebSocket packets
Thessalonian answered 8/12, 2020 at 23:13 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.