
What display filter to use to see HTTP to HTTPS redirect?


Example: I visit http://www.google.com/ and I am redirected to https://www.google.com/. Where can I see that redirect?

SyRex1013
asked 2018-12-09 08:19:25 +0000


1 Answer


Okay, that's a tricky combination. Let's see, we have:

  • A request for an HTTP address
  • A response with a redirect
  • The redirect must point to a HTTPS address

Since the filter has to hit on the response, we have no access to the original request. But we do know it's to an HTTP address, so we may assume the server TCP port used is 80.

The redirect is done with the HTTP response code 302. That is clearly present in the response.

The redirect also must contain an HTTP Location header, which, according to the stated question, must have "https://" in the address.

Using this combination I would probably arrive at this filter:

(tcp.srcport == 80) && (http.response.code == 302) && (http.location contains "https://")

Jaap
answered 2018-12-09 10:26:22 +0000
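
The three conditions from the answer above, applied to raw response bytes in Python; this is an added example, not part of the original answer or of Wireshark. It goes beyond the posted filter by also accepting the other redirect status codes (301, 303, 307, 308) and by requiring the Location value to start with https:// rather than merely contain it. The payloads and the example.test host are constructed.

```python
# Added example: the sample responses below are constructed, not taken from a capture.
REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response(payload: bytes):
    """Return (status_code, headers) for a cleartext HTTP/1.x response, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not parts[1].isdigit():
        return None  # e.g. a TLS record: nothing for an http.* field to match
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return int(parts[1]), headers

def https_redirects(records, codes=REDIRECT_CODES):
    """records: iterable of (tcp_source_port, payload). Returns [(status, location)]."""
    hits = []
    for src_port, payload in records:
        if src_port != 80:                      # tcp.srcport == 80
            continue
        parsed = parse_response(payload)
        if parsed is None:
            continue
        status, headers = parsed
        location = headers.get("location", "")
        # Prefix match: stricter than `contains "https://"`, which also hits
        # an http:// Location that carries an https:// URL in its query string.
        if status in codes and location.lower().startswith("https://"):
            hits.append((status, location))
    return hits

SAMPLE = [
    (80, b"HTTP/1.1 302 Found\r\nLocation: https://www.example.test/\r\n\r\n"),
    (80, b"HTTP/1.1 301 Moved Permanently\r\nlocation: HTTPS://www.example.test/\r\n\r\n"),
    (80, b"HTTP/1.1 302 Found\r\nLocation: http://www.example.test/login?next=https://www.example.test/\r\n\r\n"),
    (80, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    (8080, b"HTTP/1.1 302 Found\r\nLocation: https://www.example.test/\r\n\r\n"),
    (443, b"\x16\x03\x03\x00\x05hello"),  # TLS record: no cleartext HTTP to inspect
]

if __name__ == "__main__":
    for status, location in https_redirects(SAMPLE):
        print(status, location)
```

Passing `codes={302}` reproduces the status-code condition of the posted filter exactly.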

Comments

Hello, thanks for the response, but it is not working for me. Maybe I'm doing something wrong. I type http://www.google.com/ and I get redirected to https://www.google.com/. I applied your filter but I don't see any packets.

SyRex1013 (2018-12-09 10:48:54 +0000)

Of course, Wireshark is running on the computer where I open the website.

SyRex1013 (2018-12-09 10:52:30 +0000)

Are you certain that there is a redirect?

I ran Wireshark and then typed "http://www.google.com" into my browser, but I don't see any HTTP-over-TCP traffic to www.google.com - it appears that the browser tried HTTP-over-TLS without trying HTTP-over-TCP first. (That even happens if I try http://www.google.com:80!)

Perhaps Safari either just tries HTTP-over-TLS first for all attempts, or remembers that it's used HTTP-over-TLS in the past for www.google.com and tries it first? Perhaps your browser does the same?

Guy Harris (2018-12-09 11:33:17 +0000)
Jaap (2018-12-09 11:45:06 +0000)

Then can I detect HTTP over TLS? I'm trying to set up a proxy which will drop packets that redirect HTTP to HTTPS. It works like sslstrip. So can I detect HTTP over TLS?

SyRex1013 (2018-12-09 11:56:12 +0000)