Monitoring secure web sockets (wss) with wireshark

I have an application that uses secure WebSockets that I am having trouble with.

I would like to use Wireshark to debug the problem, however I cannot figure out the correct parameters to put into Wireshark to monitor and display a secure WebSocket connection using HTTPS.

Does anyone know of a Wireshark filter that would accomplish what I need, and if I need to do anything else to monitor secure WebSockets using Wireshark?

asked by jgr208 on Feb 09 '16 14:02


1 Answer

If you want to monitor a WebSocket connection between the browser and a server, then it might be easiest to use the Chrome or Firefox developer tools.


The following applies to WebSockets using HTTP/1.1; it might not work for WebSockets bootstrapped with HTTP/2 (RFC 8441).
The steps below are for Wireshark 3.4.0, but they will likely work for newer versions as well.

  1. Because secure WebSocket connections (URI scheme wss) tunnel the data over TLS, the general steps for decrypting TLS traffic with Wireshark apply, see the Wireshark wiki article.
     Depending on your setup these steps and capturing of packets might have to be performed before the WebSocket server is started and before the connection to the client is established.
  2. WebSockets use TCP for transmission, therefore you have to use a Wireshark display filter which only shows the relevant TCP segments.
     For example if your WebSocket server is listening on port 443, you could use the following to show only incoming and outgoing packets to that port:

         tcp.port == 443

  3. If you performed the previous steps correctly and click on one of the TLS "Application data" packets, it should show a "Decrypted TLS" tab at the left bottom corner:
     [image: Wireshark decrypted TLS tab]
  4. If you are using the well-known port 443, then Wireshark is able to detect the HTTP upgrade to WebSocket on its own.
     1. However, if you are using a custom port, you have to tell Wireshark how to decode the packets. To do so right click on any of the packets and select "Decode As...":
        [image: Packet context menu 'Decode As...']
     2. In the new dialog, click on "(none)" in the "Current" column and select "HTTP" from the dropdown:
        [image: Decode as HTTP dropdown]
  5. You should now see the HTTP upgrade to the WebSocket protocol and all of the WebSocket messages. Additionally you can inspect their content:
     [image: Decoded WebSocket packets]
answered by Marcono1234 on Dec 23 '22 23:12
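The frames Wireshark shows in step 5 of the answer above are plain RFC 6455 WebSocket frames once the TLS layer has been decrypted. The following is an added example, not code from the question or the answer: a minimal parser for that frame layout, so you can see what the "Decoded WebSocket packets" view is reconstructing (FIN bit, opcode, the client-side masking key, and the 16-bit extended length). The sample byte stream is constructed for this example; the first frame is the masked "Hello" frame given in RFC 6455 section 5.7, the others are made up here. It assumes you already have the decrypted payload bytes (for instance exported from Wireshark after the TLS key-log steps); it does no capture or decryption itself.

```python
# Added example (not part of the answer above): a minimal RFC 6455 WebSocket
# frame parser. After TLS decryption, the bytes Wireshark labels "WebSocket"
# have exactly this layout. The sample stream at the bottom is constructed.
import struct
from dataclasses import dataclass
from typing import List, Tuple

OPCODES = {0x0: "continuation", 0x1: "text", 0x2: "binary",
           0x8: "close", 0x9: "ping", 0xA: "pong"}


@dataclass
class Frame:
    fin: bool       # last fragment of a message?
    opcode: int
    masked: bool    # client-to-server frames must be masked (RFC 6455 section 5.3)
    payload: bytes  # payload with masking already removed

    @property
    def opcode_name(self) -> str:
        return OPCODES.get(self.opcode, f"reserved(0x{self.opcode:x})")


def parse_frame(data: bytes) -> Tuple[Frame, bytes]:
    """Parse one frame at the front of `data`; return (frame, remaining bytes)."""
    if len(data) < 2:
        raise ValueError("need at least 2 header bytes")
    b0, b1 = data[0], data[1]
    if b0 & 0x70:
        # RSV1-3 are only valid when an extension (e.g. permessage-deflate) was negotiated.
        raise ValueError("RSV bits set without a negotiated extension")
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    if length == 126:                      # 16-bit extended payload length
        if len(data) < pos + 2:
            raise ValueError("truncated extended length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
    elif length == 127:                    # 64-bit extended payload length
        if len(data) < pos + 8:
            raise ValueError("truncated extended length")
        (length,) = struct.unpack(">Q", data[pos:pos + 8])
        pos += 8
    mask = b""
    if masked:
        mask = data[pos:pos + 4]           # 4-byte masking key follows the length
        pos += 4
    if opcode >= 0x8 and (length > 125 or not fin):
        raise ValueError("control frames must be short and unfragmented")
    if len(data) < pos + length:
        raise ValueError("truncated payload")
    payload = data[pos:pos + length]
    if masked:
        # Masking is XOR with the repeating 4-byte key, so unmasking is the same operation.
        payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return Frame(fin, opcode, masked, payload), data[pos + length:]


def parse_stream(data: bytes) -> List[Frame]:
    """Split a contiguous byte stream (one direction, or interleaved as here) into frames."""
    frames = []
    while data:
        frame, data = parse_frame(data)
        frames.append(frame)
    return frames


def summarize(frames: List[Frame]) -> List[str]:
    """One line per frame, similar to what Wireshark's packet list shows."""
    return [
        f"{'client->server' if f.masked else 'server->client'} "
        f"{f.opcode_name} len={len(f.payload)}"
        for f in frames
    ]


# Constructed sample stream; the first frame is the masked "Hello" example from RFC 6455 section 5.7.
SAMPLE = (
    bytes.fromhex("81 85 37 fa 21 3d 7f 9f 4d 51 58")     # client text "Hello", masked
    + bytes([0x81, 0x05]) + b"Hello"                       # server text "Hello", unmasked
    + bytes([0x89, 0x00])                                  # server ping, empty payload
    + bytes([0x82, 0x7E, 0x01, 0x00]) + bytes(range(256))  # server binary, 256 bytes (16-bit length)
)

if __name__ == "__main__":
    for line in summarize(parse_stream(SAMPLE)):
        print(line)
```

The masked/unmasked distinction is a quick sanity check when reading a decrypted capture: browser-originated frames always carry a masking key, server frames never do, so a frame in the wrong direction without a mask indicates the protocol is not being followed and Wireshark will flag it as well.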