Wireshark mailing list archives
Re: How to extract cookies from captured packets
From: Erik Hjelmvik <erik.hjelmvik () gmail com>
Date: Sun, 23 Sep 2012 22:41:49 +0200
The easiest way to see cookies in captured packets is to load the pcap file with NetworkMiner and open the "Credentials" tab. You'll be able to see all cookies there.

You can download NetworkMiner from here:
http://www.netresec.com/?page=Networkminer

How to run NetworkMiner in Linux/OS X/FreeBSD:
http://www.netresec.com/?page=Blog&month=2011-12&post=No-more-Wine---NetworkMiner-in-Linux-with-Mono

Of course, as Sake mentioned, cookies sent over HTTPS will not be seen. But it happens that cookies like this leak via TCP/80 anyway if the "Secure connections only" attribute isn't set for the cookie. I've mentioned it here:
http://www.netresec.com/?page=Blog&month=2011-02&post=Webmail-Information-Leakage

Good luck!
/erik

2012/9/23 Sake Blok <sake () euronet nl>:
> On 23 sep 2012, at 18:28, esolve esolve wrote:
>
>> When I'm browsing a web page, there should be some cookies exchange between my machine and the remote web server. I capture the packets when browsing web pages, is it possible for me to extract cookies from the captured packets? Besides, are cookies encrypted when they are in transmission?
>
> If the website was not using https, then you are able to see the cookies. Just expand the HTTP tree in the packet details pane of Wireshark. Whether the cookie-values are encrypted depends on the implementation of the web-application.
>
> When the website did use https, you can decrypt the traffic, but only if you have possession of the private key of the server. Which you do not have when just browsing a (public) webpage unless you are the site administrator.
>
> Cheers,
> Sake
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request () wireshark org?subject=unsubscribe
--
blog: http://www.netresec.com/?page=Blog
twitter: http://twitter.com/netresec
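
Added example, not part of the original thread or of NetworkMiner/Wireshark: a small Python audit of the point made above about the cookie Secure attribute, for a site owner checking their own traffic. It reads HTTP header text (for instance copied from Wireshark's "Follow TCP Stream"), lists which Set-Cookie headers lack Secure, and reports which of those cookies show up in a cleartext request. The function names, the host mail.example.test and all sample headers are constructed for illustration.

```python
# Constructed sample traffic throughout; function names are hypothetical.

def parse_headers(message):
    """Return [(lowercased name, value), ...] for one HTTP message head."""
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:          # skip request/status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def audit_set_cookie(response):
    """List each Set-Cookie in a response with its Secure/HttpOnly flags."""
    findings = []
    for name, value in parse_headers(response):
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        findings.append({"name": parts[0].split("=", 1)[0],
                         "secure": "secure" in attrs,
                         "httponly": "httponly" in attrs})
    return findings

def cookies_in_request(request):
    """Return {name: value} from the Cookie header(s) of a request."""
    jar = {}
    for name, value in parse_headers(request):
        if name == "cookie":
            for pair in value.split(";"):
                if "=" in pair:
                    k, v = pair.split("=", 1)
                    jar[k.strip()] = v.strip()
    return jar

def leaked_over_http(response, http_request):
    """Cookies set without Secure that also appear in a cleartext request."""
    not_secure = {f["name"] for f in audit_set_cookie(response)
                  if not f["secure"]}
    return sorted(not_secure & set(cookies_in_request(http_request)))

# Constructed: headers as the server issued them, then a request on TCP/80.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly\r\n"
                   "Set-Cookie: CSRF=xyz789; Path=/; Secure; HttpOnly\r\n\r\n")
SAMPLE_REQUEST = ("GET /logo.png HTTP/1.1\r\nHost: mail.example.test\r\n"
                  "Cookie: SESSIONID=abc123; lang=en\r\n\r\n")

if __name__ == "__main__":
    print(leaked_over_http(SAMPLE_RESPONSE, SAMPLE_REQUEST))
```

Any name this reports is a cookie that should be reissued with the Secure attribute so browsers stop attaching it to plain HTTP requests.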