Monitoring secure web sockets (wss) with wireshark


Problem description

    I have an application that uses secure websockets that I am having trouble with.

    I would like to use wireshark to debug the problem, however I can not figure out the correct parameters to put into wireshark to monitor and display a secure web socket connection using HTTPS.

    Does anyone know of a wireshark filter that would accomplish what I need and if I need to do anything else to monitor secure websockets using wireshark?

    Solution

    If you want to monitor a WebSocket connection between the browser and a server, then it might be easiest to use the Chrome or Firefox developer tools.


    The following applies to WebSockets using HTTP/1.1; it might not work for WebSockets bootstrapped with HTTP/2 (RFC 8441).
    The following steps describe the necessary steps for Wireshark 3.4.0, but it will likely work for newer versions as well.

    1. Because secure WebSocket connections (URI scheme wss) tunnel the data over TLS, the general steps for decrypting TLS traffic with Wireshark apply, see the Wireshark wiki article.
      Depending on your setup these steps and capturing of packets might have to be performed before the WebSocket server is started and before the connection to the client is established.
    2. WebSockets use TCP for transmission, therefore you have to use a Wireshark display filter which only shows the relevant TCP segments.
      For example if your WebSocket server is listening on port 443, you could use the following to show only incoming and outgoing packets to that port:

      tcp.port == 443
      

    3. If you performed the previous steps correctly and click on one of the TLS "Application data" packets, it should show a "Decrypted TLS" tab at the left bottom corner:
    4. If you are using the well-known port 443, then Wireshark is able to detect the HTTP upgrade to WebSocket on its own.

      1. However, if you are using a custom port, you have to tell Wireshark how to decode the packets. To do so right click on any of the packets and select "Decode As...":
      2. In the new dialog, click on "(none)" in the "Current" column and select "HTTP" from the dropdown:

    5. You should now see the HTTP upgrade to the WebSocket protocol and all of the WebSocket messages. Additionally you can inspect their content:
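
What Wireshark's WebSocket dissector does with the decrypted bytes in the last step, shown as an added example that is not part of the original answer: a minimal RFC 6455 frame parser run over the RFC's own sample frames. It shows why client-to-server payloads in the "Decrypted TLS" tab stay unreadable until they are decoded as WebSocket: they are XOR-masked. All function and variable names are hypothetical.

```python
# Added example: minimal RFC 6455 frame parser (names are hypothetical).
OPCODES = {0x0: "continuation", 0x1: "text", 0x2: "binary",
           0x8: "close", 0x9: "ping", 0xA: "pong"}


def parse_frames(data: bytes) -> list:
    """Parse back-to-back WebSocket frames from already-decrypted bytes."""
    frames, pos = [], 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError(f"truncated frame at offset {pos}")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    while pos < len(data):
        b0, b1 = take(2)
        masked, length = bool(b1 & 0x80), b1 & 0x7F
        if length == 126:                      # 16-bit extended length
            length = int.from_bytes(take(2), "big")
        elif length == 127:                    # 64-bit extended length
            length = int.from_bytes(take(8), "big")
        key = take(4) if masked else b""       # client-to-server frames only
        payload = take(length)
        if masked:                             # undo the XOR masking
            payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
        frames.append({
            "fin": bool(b0 & 0x80),
            "opcode": OPCODES.get(b0 & 0x0F, "reserved"),
            "masked": masked,
            "payload": payload,
        })
    return frames


# Sample frames from RFC 6455 section 5.7, both carrying the text "Hello".
CLIENT_TO_SERVER = bytes.fromhex("818537fa213d7f9f4d5158")   # masked
SERVER_TO_CLIENT = bytes.fromhex("810548656c6c6f")           # unmasked

if __name__ == "__main__":
    for name, raw in (("client", CLIENT_TO_SERVER), ("server", SERVER_TO_CLIENT)):
        for frame in parse_frames(raw):
            print(name, frame["opcode"], frame["masked"], frame["payload"])
```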
