Reading HTTP cookies with Wireshark is fun. This is how to capture cookies when visiting a website that still uses HTTP instead of HTTPS.
Use this display filter to show every HTTP packet that carries a Cookie header after visiting a website.
http.cookie
This is a sample packet I captured from a website. This will not work for a modern SSL-secured website unless you have the private key needed to decrypt the packets.
0000 c8 14 51 5f a9 47 fc 34 97 a5 bc 7e 08 00 45 00 ..Q_.G.4...~..E.
0010 02 58 29 74 40 00 80 06 00 00 c0 a8 01 02 22 ce .X)t@.........".
0020 d8 d1 c9 22 00 50 a7 94 35 cd 88 39 c3 f2 50 18 ...".P..5..9..P.
0030 03 fe bf 94 00 00 50 4f 53 54 20 2f 64 69 73 70 ......POST /disp
0040 61 74 63 68 2f 63 61 72 67 6f 73 69 74 65 2f 63 atch/cargosite/c
0050 61 72 67 6f 55 73 65 48 69 52 65 73 20 48 54 54 argoUseHiRes HTT
0060 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 63 61 72 P/1.1..Host: car
0070 67 6f 63 6f 6c 6c 65 63 74 69 76 65 2e 63 6f 6d gocollective.com
0080 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f ..User-Agent: Mo
0090 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f zilla/5.0 (Windo
00a0 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 ws NT 10.0; Win6
00b0 34 3b 20 78 36 34 3b 20 72 76 3a 39 37 2e 30 29 4; x64; rv:97.0)
00c0 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 20  Gecko/20100101 
00d0 46 69 72 65 66 6f 78 2f 39 37 2e 30 0d 0a 41 63 Firefox/97.0..Ac
00e0 63 65 70 74 3a 20 61 70 70 6c 69 63 61 74 69 6f cept: applicatio
00f0 6e 2f 6a 73 6f 6e 2c 20 74 65 78 74 2f 6a 61 76 n/json, text/jav
0100 61 73 63 72 69 70 74 2c 20 2a 2f 2a 0d 0a 41 63 ascript, */*..Ac
0110 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 cept-Language: e
0120 6e 2d 55 53 2c 65 6e 3b 71 3d 30 2e 35 0d 0a 41 n-US,en;q=0.5..A
0130 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 ccept-Encoding: 
0140 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d 0a 43 gzip, deflate..C
0150 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 ontent-Type: app
0160 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 lication/x-www-f
0170 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 0d 0a orm-urlencoded..
0180 58 2d 52 65 71 75 65 73 74 65 64 2d 57 69 74 68 X-Requested-With
0190 3a 20 58 4d 4c 48 74 74 70 52 65 71 75 65 73 74 : XMLHttpRequest
01a0 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 ..Content-Length
01b0 3a 20 39 0d 0a 4f 72 69 67 69 6e 3a 20 68 74 74 : 9..Origin: htt
01c0 70 3a 2f 2f 63 61 72 67 6f 63 6f 6c 6c 65 63 74 p://cargocollect
01d0 69 76 65 2e 63 6f 6d 0d 0a 44 4e 54 3a 20 31 0d ive.com..DNT: 1.
01e0 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 .Connection: kee
01f0 70 2d 61 6c 69 76 65 0d 0a 52 65 66 65 72 65 72 p-alive..Referer
0200 3a 20 68 74 74 70 3a 2f 2f 63 61 72 67 6f 63 6f : http://cargoco
0210 6c 6c 65 63 74 69 76 65 2e 63 6f 6d 2f 6a 61 79 llective.com/jay
0220 73 65 2f 41 76 65 6e 67 65 72 73 0d 0a 43 6f 6f se/Avengers..Coo
0230 6b 69 65 3a 20 50 48 50 53 45 53 53 49 44 3d 39 kie: PHPSESSID=9
0240 30 6a 64 36 6d 64 69 64 68 67 39 6f 6c 72 63 6e 0jd6mdidhg9olrcn
0250 32 68 74 36 35 68 68 75 35 0d 0a 0d 0a 75 73 65 2ht65hhu5....use
0260 3d 66 61 6c 73 65                               =false
The screenshot below shows what the packet capture looks like in Wireshark. This is pretty interesting.
Below is our cookie in plain text format.
ÈQ_©Gü4¥¼~EX)t@À¨"ÎØÑÉ"P§5Í9ÃòPþ¿POST /dispatch/cargosite/cargoUseHiRes HTTP/1.1
Host: cargocollective.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: application/json, text/javascript, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 9
Origin: http://cargocollective.com
DNT: 1
Connection: keep-alive
Referer: http://cargocollective.com/jayse/Avengers
Cookie: PHPSESSID=90jd6mdidhg9olrcn2ht65hhu5

use=false
Below is a request for a certain image file from the website.
ÈQ_©Gü4¥¼~E«)m@À¨"ÎØÑÉ$P°oÒAtzÎ7P¾çGET /_gfx/loadingAnim.gif HTTP/1.1
Host: cargocollective.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://cargocollective.com/jayse/Avengers
Cookie: PHPSESSID=90jd6mdidhg9olrcn2ht65hhu5
This is an HTTP GET request, and the same PHPSESSID cookie is sent in the clear again.
This filter example lets you check whether someone is accessing a certain website even when the connection is SSL/TLS encrypted, because the browser sends the server name (SNI) unencrypted in the Client Hello.
ssl.handshake.extensions_server_name == "www.google.com"
This is what the summary line looks like. The packet payload itself is encrypted, but at least you can be alerted when a user accesses a certain site.
144921 319.308139 192.168.1.2 142.250.66.228 TLSv1.3 571 Client Hello
Using this filter example, you can check whether a particular machine is accessing a website by combining the IP address with the server name.
ip.addr == 192.168.1.2 && ssl.handshake.extensions_server_name == "www.google.com"
This is the hex+ASCII dump of that Client Hello; the server name www.google.com is readable in the clear at offset 0x00b0. So this would be a good way to monitor Internet traffic on your LAN and see what websites others are accessing.
0000 c8 14 51 5f a9 47 fc 34 97 a5 bc 7e 08 00 45 00 ..Q_.G.4...~..E.
0010 02 2d eb c6 40 00 80 06 00 00 c0 a8 01 02 8e fa .-..@...........
0020 42 e4 ca a1 01 bb 36 b0 c0 9b 67 d3 17 b3 50 18 B.....6...g...P.
0030 04 01 95 a8 00 00 16 03 01 02 00 01 00 01 fc 03 ................
0040 03 dc 73 f9 72 8f c2 2a 7d 6c a1 49 ec 12 77 00 ..s.r..*}l.I..w.
0050 48 7d 0f 5e d8 78 c5 31 61 30 e4 ec 91 aa 0d 95 H}.^.x.1a0......
0060 ec 20 36 a9 a2 14 a3 65 8f 0c 78 19 62 4e 60 d7 . 6....e..x.bN`.
0070 d7 1f 9c ab 09 e1 59 1e 4f b0 e0 c4 b0 41 eb f8 ......Y.O....A..
0080 8d 79 00 22 13 01 13 03 13 02 c0 2b c0 2f cc a9 .y.".......+./..
0090 cc a8 c0 2c c0 30 c0 0a c0 09 c0 13 c0 14 00 9c ...,.0..........
00a0 00 9d 00 2f 00 35 01 00 01 91 00 00 00 13 00 11 .../.5..........
00b0 00 00 0e 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f ...www.google.co
00c0 6d 00 17 00 00 ff 01 00 01 00 00 0a 00 0e 00 0c m...............
00d0 00 1d 00 17 00 18 00 19 01 00 01 01 00 0b 00 02 ................
00e0 01 00 00 23 00 00 00 10 00 0e 00 0c 02 68 32 08 ...#.........h2.
00f0 68 74 74 70 2f 31 2e 31 00 05 00 05 01 00 00 00 http/1.1........
0100 00 00 22 00 0a 00 08 04 03 05 03 06 03 02 03 00 ..".............
0110 33 00 6b 00 69 00 1d 00 20 92 4c 37 40 e2 60 76 3.k.i... .L7@.`v
0120 e9 09 be 85 84 93 b3 b4 b0 2b fc ff b1 e2 38 5e .........+....8^
0130 71 e9 0a dc 39 fb 63 a7 76 00 17 00 41 04 3d 97 q...9.c.v...A.=.
0140 ca 32 4d 69 fd a5 87 44 d8 c5 08 bb 29 a3 9b 5f .2Mi...D....).._
0150 ed 42 d2 89 6d af 3e 88 2b 4d 9a ca ee ad 0b 3e .B..m.>.+M.....>
0160 08 aa 50 fe 2d 27 18 b6 c1 8b 79 4d 2f 3c 4c 7d ..P.-'....yM/<L}
0170 18 ee 0e ce 39 0e 10 53 76 84 5e 4d 2e 46 00 2b ....9..Sv.^M.F.+
0180 00 05 04 03 04 03 03 00 0d 00 18 00 16 04 03 05 ................
0190 03 06 03 08 04 08 05 08 06 04 01 05 01 06 01 02 ................
01a0 03 02 01 00 2d 00 02 01 01 00 1c 00 02 40 01 00 ....-........@..
01b0 15 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0230 00 00 00 00 00 00 00 00 00 00 00                ...........
This filter lists every Client Hello that carries a server name, which is one packet for each SSL/TLS site a user has opened. This lets an administrator see all visited websites and check whether any of them are dubious.
ssl.handshake.extensions_server_name
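To show what the two filters above (http.cookie on the POST dump and ssl.handshake.extensions_server_name on the Client Hello dump) actually pull out of a frame, here is a small Python parser written for this page; it is an added example, not code from the original post or from the Wireshark project. It assumes Ethernet II + IPv4 + TCP framing exactly as in the dumps above. The HTTP sample is constructed (the session id is made up, the addresses and ports are the ones visible in the first dump); the TLS sample is the Client Hello dump reproduced byte for byte, with the 136 zero bytes of its padding extension appended.

```python
"""Offline equivalent of the two Wireshark filters on this page (http.cookie and
ssl.handshake.extensions_server_name). Added example, not from the original post.
Assumes Ethernet II + IPv4 + TCP framing, as in the hex dumps above."""
import struct

# Constructed sample 1: a plaintext HTTP POST laid out like the captured one (made-up session id).
HTTP_REQUEST = (
    b"POST /dispatch/cargosite/cargoUseHiRes HTTP/1.1\r\n"
    b"Host: cargocollective.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 9\r\n"
    b"Cookie: PHPSESSID=exampl3sessi0nid; use=false\r\n"
    b"\r\n"
    b"use=false"
)

def build_frame(payload: bytes) -> bytes:
    """Wrap payload in Ethernet II + IPv4 + TCP headers. Checksums are 0 as in the
    offloaded capture above; MACs, IPs and ports are the ones visible in the page's dump."""
    eth = bytes.fromhex("c814515fa947fc3497a5bc7e0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x2974, 0x4000,
                     128, 6, 0, bytes([192, 168, 1, 2]), bytes([34, 206, 216, 209]))
    tcp = struct.pack("!HHIIBBHHH", 51490, 80, 0xA79435CD, 0x8839C3F2,
                      5 << 4, 0x18, 0x03FE, 0, 0)  # data offset 5 words, PSH+ACK
    return eth + ip + tcp + payload

HTTP_FRAME = build_frame(HTTP_REQUEST)

# Sample 2: the TLS 1.3 Client Hello dumped above, byte for byte; the 136 trailing
# zero bytes are the body of its padding extension (type 0x0015).
CLIENT_HELLO_FRAME = bytes.fromhex(
    "c814515fa947fc3497a5bc7e08004500" "022debc6400080060000c0a801028efa" "42e4caa101bb36b0c09b67d317b35018"
    "040195a800001603010200010001fc03" "03dc73f9728fc22a7d6ca149ec127700" "487d0f5ed878c5316130e4ec91aa0d95"
    "ec2036a9a214a3658f0c7819624e60d7" "d71f9cab09e1591e4fb0e0c4b041ebf8" "8d790022130113031302c02bc02fcca9"
    "cca8c02cc030c00ac009c013c014009c" "009d002f003501000191000000130011" "00000e7777772e676f6f676c652e636f"
    "6d00170000ff01000100000a000e000c" "001d00170018001901000101000b0002" "0100002300000010000e000c02683208"
    "687474702f312e310005000501000000" "000022000a0008040305030603020300" "33006b0069001d0020924c3740e26076"
    "e909be858493b3b4b02bfcffb1e2385e" "71e90adc39fb63a77600170041043d97" "ca324d69fda58744d8c508bb29a39b5f"
    "ed42d2896daf3e882b4d9acaeead0b3e" "08aa50fe2d2718b6c18b794d2f3c4c7d" "18ee0ece390e105376845e4d2e46002b"
    "00050403040303000d00180016040305" "03060308040805080604010501060102" "030201002d00020101001c0002400100"
    "150088"
) + b"\x00" * 136

def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet II, IPv4 (honouring IHL and total length) and TCP (honouring
    the data offset) so that only the application data is left."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    if ip[9] != 6:
        raise ValueError("not TCP")
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    return tcp[(tcp[12] >> 4) * 4:]

def cookies_from_request(payload: bytes) -> dict:
    """What the http.cookie filter surfaces: the Cookie header of a plaintext
    HTTP/1.x request split into name/value pairs ({} if there is none)."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    cookie_header = ""
    for line in head.split("\r\n")[1:]:            # [0] is the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            cookie_header = value.strip()
    cookies = {}
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies

def sni_from_client_hello(payload: bytes):
    """Walk a TLS record holding a ClientHello and return the server_name it carries
    (what ssl.handshake.extensions_server_name matches), or None if there is none."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None                                  # not a Handshake/ClientHello record
    try:
        body = payload[9:9 + int.from_bytes(payload[6:9], "big")]
        pos = 2 + 32                                 # legacy_version + random
        pos += 1 + body[pos]                         # legacy_session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        if pos + 2 > len(body):
            return None                              # hello without extensions
        end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0:                           # 0 = server_name
                continue
            p = 2                                    # skip the ServerNameList length
            while p + 3 <= len(edata):
                name_type, name_len = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
                if name_type == 0:                   # 0 = host_name
                    return edata[p + 3:p + 3 + name_len].decode("ascii", "replace")
                p += 3 + name_len
    except (IndexError, struct.error):
        return None                                  # truncated or malformed hello
    return None

if __name__ == "__main__":
    print("cookies:", cookies_from_request(tcp_payload(HTTP_FRAME)))
    print("SNI:", sni_from_client_hello(tcp_payload(CLIENT_HELLO_FRAME)))
```

Run as-is it prints the two constructed cookies and www.google.com; to feed it one of the page's own dumps, strip the offset and ASCII columns and pass the remaining hex to bytes.fromhex. Two points worth keeping in mind when relying on the SNI filter for monitoring: the name is only visible because the Client Hello is sent before encryption starts, so clients that use Encrypted Client Hello (ECH) will not show it, and the filter only tells you where a TCP connection was opened, not which pages were fetched over it.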