Pcap - Capture/Sniff HTTP Packet

bignose956

Well-Known Member
Hello,

I am working on a Java application that uses Pcap4J and Npcap to monitor network activity on a Windows computer (it's mainly intended to monitor browser activity, but I like the idea of using Pcap to expand it to all network activity). Ultimately, it is going to be a network administrator tool for a small private school. That aside, I am having trouble figuring out how to decrypt HTTP requests that are captured with Npcap and translated to Java object instances through Pcap4J.

I read that you cannot decrpyt TSL traffic unless you control the server or client. This program is running an elevated process on the client computer, but I'm not sure how to obtain the private key, let alone how to decipher the request (I don't even know which cipher is used). Another thing I read said that a Man-In-the-Middle is a possibility. However, I am not sure which Man-In-the-Middle to use, or how to go about implementing it in such a way that it can interact with the Java program.

(There was one more thing I saw that seemed like a solution, but I cannot understand it [I only know so much about how networking works]).

Is there perhaps a Java library that can take care of all the hard work for me? Perhaps there is a native program that is designed to interact with Java?

Any ideas on how to obtain and use the private key, or how to setup a Man-In-the-Middle would be greatly appreciated!

Thanks!
 


Neemobeer

Windows Forum Team
Staff member
http isn't encrypted. https is.
 


Neemobeer

Windows Forum Team
Staff member
If you meant to say you want to decrypt http, you'd have to generate or use an issued cert from a CA, install the cert on the computer and then proxy traffic on a for the browser to a localhost : port and then decrypt with your cert. Self-signed or otherwise non-trusted issued certs will throw cert error pages for everything and that's just a bad idea.
 


Neemobeer

Windows Forum Team
Staff member
A better idea if you really need to decrypt traffic would be the following
  • Assuming there is a PKI setup deploy the PKI CA cert into the trusted root store on all Windows machines.
  • Setup a network proxy server that uses that a cert generated from the PKI CA to decrypt traffic
  • Set the default gateway on all the windows machines to the web proxy
  • Block all traffic (web or whatever you wish to monitor) from any address except the proxy on a network firewall. (This way all traffic has to flow through the proxy)
 


bignose956

Well-Known Member
http isn't encrypted. https is.
If you meant to say you want to decrypt http, you'd have to generate or use an issued cert from a CA, install the cert on the computer and then proxy traffic on a for the browser to a localhost : port and then decrypt with your cert. Self-signed or otherwise non-trusted issued certs will throw cert error pages for everything and that's just a bad idea.
A better idea if you really need to decrypt traffic would be the following
  • Assuming there is a PKI setup deploy the PKI CA cert into the trusted root store on all Windows machines.
  • Setup a network proxy server that uses that a cert generated from the PKI CA to decrypt traffic
  • Set the default gateway on all the windows machines to the web proxy
  • Block all traffic (web or whatever you wish to monitor) from any address except the proxy on a network firewall. (This way all traffic has to flow through the proxy)
So I guess there is no easy way that only involves the individual computers? I have to configure the modem one way or another, and play around with certificates?
 


Neemobeer

Windows Forum Team
Staff member
modem no, certs yes and local proxy settings.
 


bignose956

Well-Known Member
modem no, certs yes and local proxy settings.
I really know nothing about proxies. As far as certs are concerned, I know very little, and I really hate trying to deal with them 😩
I know that Wireshark and Fiddler can achieve what I want, but I'm not sure if they can interact with Java.

I guess there is no easy solution...
 


Neemobeer

Windows Forum Team
Staff member
No not really. You need to make your application listen on localhost and whatever port. Then in each browser turn on the proxy settings and point it to localhost and the port your application listens on. Your application would then present the cert and it either needs to be trusted on the server or the user would get a warning. Then your application could decrypt the traffic with the private key and then make the real connection to the third party site.
 


bignose956

Well-Known Member
No not really. You need to make your application listen on localhost and whatever port. Then in each browser turn on the proxy settings and point it to localhost and the port your application listens on. Your application would then present the cert and it either needs to be trusted on the server or the user would get a warning. Then your application could decrypt the traffic with the private key and then make the real connection to the third party site.
I guess the only way I can work my way around this problem - with my limited knowledge - is to use something like Selenium.
 


This website is not affiliated, owned, or endorsed by Microsoft Corporation. It is a member of the Microsoft Partner Program.
Top