Wireshark

Last updated: 2019-03-15



WinPcap driver


The WinPcap driver (called NPF) is loaded by Wireshark when it starts to capture live data.

This requires administrator privileges.

Once the driver is loaded, every local user can capture from it until it's stopped again.

Note: Simply stopping Wireshark won't stop the WinPcap driver!

Start the NPF driver by hand

runas /u:administrator "net start npf"

The NetGroup Packet Filter Driver service was started successfully.



Environment variable - SSLKEYLOGFILE


Get the private key of Firefox & Chrome HTTPS connections

Computer -> Properties -> "Advanced system settings" -> "Environment Variables"

name: SSLKEYLOGFILE

------

Import into Wireshark to decrypt

This only works when RSA is used as the key exchange mechanism

(because forward secrecy (FS) is broken for that mechanism)

Edit -> Preferences -> Protocols -> SSL -> (Pre)-Master-Secret log filename
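Before pointing Wireshark at the log, it helps to know what the file the browsers write actually contains. The script below is an added example, not code from the page or from Wireshark: it parses the NSS key log format (one entry per line: a label, a hex identifier such as the ClientHello random, and the hex secret) and flags malformed lines. The sample log is constructed inline; the label list and field widths are the documented NSS format, and the file path is whatever you put in SSLKEYLOGFILE. Every valid line in this file is enough to decrypt the corresponding session, so treat the file like a private key and keep it readable only by the user who needs it.

```python
import re
from collections import Counter

# NSS key log labels and the width (in hex chars) of their identifier field.
# RSA entries carry the first 8 bytes of the encrypted pre-master secret;
# all other labels carry the 32-byte ClientHello random.
LABELS = {
    "RSA": 16,
    "CLIENT_RANDOM": 64,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": 64,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": 64,
    "CLIENT_TRAFFIC_SECRET_0": 64,
    "SERVER_TRAFFIC_SECRET_0": 64,
    "EXPORTER_SECRET": 64,
}
HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample log (NOT captured from a real browser session).
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,      # TLS 1.2 master secret
    "RSA " + "01" * 8 + " " + "ef" * 48,                 # RSA pre-master secret
    "CLIENT_TRAFFIC_SECRET_0 " + "12" * 32 + " " + "34" * 32,  # TLS 1.3, SHA-256 suite
    "CLIENT_RANDOM " + "ab" * 16 + " " + "cd" * 48,      # truncated random: invalid
    "BOGUS_LABEL aa bb",                                 # unknown label: invalid
])


def parse_keylog(text):
    """Parse key log text.

    Returns (entries, problems): entries is a list of (label, identifier, secret)
    with hex lower-cased; problems is a list of (line_number, reason) for lines
    Wireshark would not be able to use.
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((lineno, "expected 3 fields"))
            continue
        label, ident, secret = parts
        if label not in LABELS:
            problems.append((lineno, "unknown label " + label))
            continue
        if len(ident) != LABELS[label] or not HEX.match(ident):
            problems.append((lineno, "bad identifier field"))
            continue
        if not HEX.match(secret) or len(secret) % 2:
            problems.append((lineno, "secret is not hex"))
            continue
        # (Pre-)master secrets are always 48 bytes; TLS 1.3 secrets are hash-sized.
        if label in ("RSA", "CLIENT_RANDOM") and len(secret) != 96:
            problems.append((lineno, "secret must be 48 bytes"))
            continue
        entries.append((label, ident.lower(), secret.lower()))
    return entries, problems


def summarize(entries):
    """Count usable entries per label, e.g. to see whether any TLS 1.2 sessions were logged."""
    return Counter(label for label, _, _ in entries)


if __name__ == "__main__":
    found, bad = parse_keylog(SAMPLE_KEYLOG)
    print(summarize(found))
    for lineno, reason in bad:
        print("line %d: %s" % (lineno, reason))
```

To check a real log, read the file named by SSLKEYLOGFILE and pass its contents to parse_keylog. Browsers append to the file across sessions, so entries for connections that are not in your capture are normal; a capture that will not decrypt usually means the relevant CLIENT_RANDOM line is missing (the browser was started before the variable was set) rather than that the file is malformed.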



Stream


filter

tcp.stream eq 2
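The number in tcp.stream is not carried in any packet; Wireshark assigns it as a conversation index, counting from 0, in the order in which each bidirectional TCP 4-tuple first appears in the capture. The script below is an added example, not Wireshark code, that reproduces that numbering over a constructed list of packets and then selects the frames that the filter above would keep. It models only the 4-tuple; Wireshark additionally starts a new stream when it sees a fresh SYN on a reused port pair, which this simplified version does not.

```python
# Constructed packets in capture order: (src_ip, src_port, dst_ip, dst_port).
# Addresses are from the documentation ranges, not real hosts.
SAMPLE_PACKETS = [
    ("10.0.0.5", 51000, "203.0.113.10", 443),   # first connection, SYN
    ("203.0.113.10", 443, "10.0.0.5", 51000),   # its SYN/ACK (same conversation)
    ("10.0.0.5", 51001, "203.0.113.10", 443),   # second connection to the same server
    ("10.0.0.5", 51000, "203.0.113.10", 443),   # back to the first connection
    ("10.0.0.5", 51002, "198.51.100.7", 443),   # third connection, other server
]


def assign_tcp_streams(packets):
    """Return one stream index per packet, numbered the way Wireshark's tcp.stream is.

    A conversation is identified by its endpoint pair regardless of direction,
    so the reply to a SYN lands in the same stream as the SYN.
    """
    streams = {}
    indices = []
    for src, sport, dst, dport in packets:
        key = frozenset({(src, sport), (dst, dport)})  # direction-agnostic key
        if key not in streams:
            streams[key] = len(streams)  # next unused index, starting at 0
        indices.append(streams[key])
    return indices


def frames_in_stream(packets, stream):
    """Frame numbers (1-based, as in Wireshark) that 'tcp.stream eq <stream>' keeps."""
    return [frame for frame, idx in enumerate(assign_tcp_streams(packets), 1)
            if idx == stream]


if __name__ == "__main__":
    print(assign_tcp_streams(SAMPLE_PACKETS))   # [0, 0, 1, 0, 2]
    print(frames_in_stream(SAMPLE_PACKETS, 0))  # [1, 2, 4]
```

Because the index depends on first-appearance order, the same connection gets a different tcp.stream value in a differently trimmed capture; when sharing filters with someone else, quote the 4-tuple rather than the stream number.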