Lab - Using Wireshark to Examine HTTP and HTTPS

Lab 4.6.6.5 – Using Wireshark to Examine HTTP and HTTPS


This lab has been updated for use on NETLAB+.
www.netdevgroup.com

Objectives
Part 1: View HTTP traffic
Part 2: Capture and view HTTPS traffic

Background / Scenario
HyperText Transfer Protocol (HTTP) is an application layer protocol used to deliver data to a web browser.
With HTTP, there is no safeguard for the data exchanged between two communicating devices.
With HTTPS, the data is encrypted using a mathematical algorithm, which hides the true meaning of the
data being exchanged. This is done through the use of certificates, which you can view later in this lab.
Regardless of whether HTTP or HTTPS is used, it is only recommended to exchange data with websites that
you trust. Just because a site uses HTTPS does not mean it is a trustworthy site. Threat actors commonly
use HTTPS to hide their activities.
In this lab, you will explore HTTP and HTTPS traffic using Wireshark.

Part 1: View HTTP traffic

In this part, you will use packet capture (pcap) files that can be analyzed with different applications
that read pcap files, including Wireshark.

Step 1: Start the virtual machine and log in.

Start the CyberOps Workstation VM. Use the following user credentials:
Username: analyst
Password: cyberops

Step 2: View the HTTP capture.

The httpdump.pcap file is located in the home directory for the user analyst.
a. Click the File Manager icon on the desktop and browse to the ~/lab.support.files/pcaps/ folder for the
user analyst. Double-click the httpdump.pcap file to open it in Wireshark.

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 4
b. In the Wireshark application, filter for http and click Apply.

c. Browse through the different HTTP messages and select the POST message.

d. In the lower window, the message is displayed. Expand the HTML Form URL Encoded:
application/x-www-form-urlencoded section.

What two pieces of information are displayed?

e. Close the Wireshark application.

Part 2: View HTTPS Traffic

In this part, HTTPS records will be analyzed using Wireshark for comparison.

Step 1: View the HTTPS capture.
The tcpdump executed in Step 1 printed the output to a file named httpsdump.pcap. This file is located in the
home directory for the user analyst.

a. In the ~/lab.support.files/pcaps/ directory for the user analyst, open the httpsdump.pcap file.

b. In the Wireshark application, expand the capture window vertically and then filter by HTTPS traffic via
port 443. Enter tcp.port==443 as a filter, and click Apply.

c. Browse through the different HTTPS messages and select an Application Data message.

d. In the lower window, the message is displayed.

What has replaced the HTTP section that was in the previous capture file?

e. Completely expand the Secure Sockets Layer section.

f. Click the Encrypted Application Data.

Is the application data in a plaintext or readable format?

g. Close all windows.
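The contrast the two captures show (a form POST readable in full versus a TLS record whose body is ciphertext) can be reproduced without Wireshark. The following is an added example, not part of the Cisco lab: it takes a raw TCP payload, decodes the application/x-www-form-urlencoded fields of an HTTP request, and for a TLS record reads only the 5-byte record header. The sample payloads and field names are constructed.

```python
# Added example (not from the Cisco lab): what an on-path observer can read from
# a TCP payload. An HTTP form post is fully readable; a TLS record exposes only
# its header (content type, version, length) and the body stays opaque.
from urllib.parse import parse_qs

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_http_request(payload: bytes) -> dict:
    """Split an HTTP request into request line, headers and decoded form fields."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"kind": "http", "request_line": lines[0], "headers": headers, "form": {}}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # Every form field, including credentials, is recoverable from the wire.
        result["form"] = {k: v[0] for k, v in parse_qs(body.decode("ascii", "replace")).items()}
    return result


def parse_tls_record(payload: bytes) -> dict:
    """Read the TLS record header; everything after byte 5 is ciphertext."""
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return {"kind": "tls", "content_type": TLS_CONTENT_TYPES.get(content_type, "unknown"),
            "version": f"{major}.{minor}", "length": length, "plaintext_readable": False}


def classify_payload(payload: bytes) -> dict:
    """Dispatch on the first bytes: HTTP request line or TLS record header."""
    if payload[:1] in (b"G", b"P", b"H") and b" HTTP/" in payload[:100]:
        return parse_http_request(payload)
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 3:
        return parse_tls_record(payload)
    return {"kind": "unknown"}


# Constructed sample payloads (not taken from httpdump.pcap or httpsdump.pcap).
HTTP_POST = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
             b"username=demo&password=s3cret!")
TLS_APP_DATA = b"\x17\x03\x03\x00\x10" + bytes(range(16))  # 16 opaque ciphertext bytes

if __name__ == "__main__":
    for sample in (HTTP_POST, TLS_APP_DATA):
        print(classify_payload(sample))
```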

Reflection
1. What are the advantages of using HTTPS instead of HTTP?

2. Are all websites that use HTTPS considered trustworthy?
