8

I would like to use tcpflow to monitor https requests. I have read tutorials on how to monitor http traffic but when I connect to a host using https the output is garbled. I am using tcpflow in the following manner:

sudo tcpflow -s -c -i eth0 src or dst host api.linkedin.com
Ifthikhan

3 Answers

7

If you have a copy of the key you can use ssldump which uses a syntax almost identical to tcpdump.

It won't be quite as pretty as tcpflow, but you can get at the encrypted content.

Evhz
bahamat
3

You're missing the point of HTTPS. You cannot read (much) meaningful information from an HTTPS stream, as the TCP layer encapsulating it is encrypted. Ultimately that means that the data will look like garbage to anyone trying to intercept it (including you).

Chris Down
  • If I am not mistaken I would have to set up an HTTP proxy, any recommendations? – Ifthikhan Nov 22 '12 at 19:25
  • This is such an old question! You will need to do a 'MITM attack', as long as the browser/client trusts the SSL certificate put up by the proxy in the middle. On Windows, I recall using some web request sniffer tool that can decrypt SSL traffic, which I used for debugging purposes while developing. Can't recall the name though. Companies monitor SSL traffic these days using this approach. – Kalyan Jan 04 '20 at 21:42
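
What the "garbled" tcpflow output actually contains, as an added example that is not part of the original question or answers: the stream is a sequence of TLS records, and this sketch walks the 5-byte record headers and pulls the one readable item, the server name in the ClientHello. The function names are hypothetical and the sample stream is constructed inline (its application data is filler bytes, not real ciphertext).

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def tls_records(stream):
    """Yield (type_name, payload) for each complete TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, off)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError("not a TLS record at offset %d" % off)
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:      # capture ended mid-record
            break
        yield CONTENT_TYPES[ctype], payload
        off += 5 + length

def client_hello_sni(hs):
    """Return the server_name from a ClientHello handshake message, else None."""
    if len(hs) < 4 or hs[0] != 1:      # handshake type 1 = ClientHello
        return None
    p = 4 + 2 + 32                     # handshake header, version, random
    p += 1 + hs[p]                     # session_id
    p += 2 + struct.unpack_from("!H", hs, p)[0]   # cipher_suites
    p += 1 + hs[p]                     # compression_methods
    end = p + 2 + struct.unpack_from("!H", hs, p)[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", hs, p)
        if etype == 0:                 # server_name extension
            nlen = struct.unpack_from("!H", hs, p + 7)[0]
            return hs[p + 9:p + 9 + nlen].decode("ascii")
        p += 4 + elen
    return None

def summarize(stream):
    """List (record type, payload length, SNI or None) for a captured stream."""
    return [(name, len(data),
             client_hello_sni(data) if name == "handshake" else None)
            for name, data in tls_records(stream)]

def build_sample():
    """Constructed sample: one ClientHello record plus one opaque data record."""
    host = b"api.linkedin.com"
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hello = b"\x01" + len(body).to_bytes(3, "big") + body
    rec = lambda t, d: struct.pack("!BBBH", t, 3, 3, len(d)) + d
    return rec(22, hello) + rec(23, bytes(range(200, 240)))
```

Only the record framing and handshake metadata are parseable; the `application_data` payloads are opaque without the session keys.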
2

You can try sslstrip.

More info here

int