Windows 7 Pcap - Capture/Sniff HTTP Packet

Cardinal System

Honorable Member
Joined
Jan 24, 2016
Location
New Hampshire
Hello,

I am working on a Java application that uses Pcap4J and Npcap to monitor network activity on a Windows computer (it's mainly intended to monitor browser activity, but I like the idea of using Pcap to expand it to all network activity). Ultimately, it is going to be a network administrator tool for a small private school. That aside, I am having trouble figuring out how to decrypt HTTP requests that are captured with Npcap and translated to Java object instances through Pcap4J.

I read that you cannot decrpyt TSL traffic unless you control the server or client. This program is running an elevated process on the client computer, but I'm not sure how to obtain the private key, let alone how to decipher the request (I don't even know which cipher is used). Another thing I read said that a Man-In-the-Middle is a possibility. However, I am not sure which Man-In-the-Middle to use, or how to go about implementing it in such a way that it can interact with the Java program.

(There was one more thing I saw that seemed like a solution, but I cannot understand it [I only know so much about how networking works]).

Is there perhaps a Java library that can take care of all the hard work for me? Perhaps there is a native program that is designed to interact with Java?

Any ideas on how to obtain and use the private key, or how to setup a Man-In-the-Middle would be greatly appreciated!

Thanks!
 
If you meant to say you want to decrypt http, you'd have to generate or use an issued cert from a CA, install the cert on the computer and then proxy traffic on a for the browser to a localhost : port and then decrypt with your cert. Self-signed or otherwise non-trusted issued certs will throw cert error pages for everything and that's just a bad idea.
 
A better idea if you really need to decrypt traffic would be the following
  • Assuming there is a PKI setup deploy the PKI CA cert into the trusted root store on all Windows machines.
  • Setup a network proxy server that uses that a cert generated from the PKI CA to decrypt traffic
  • Set the default gateway on all the windows machines to the web proxy
  • Block all traffic (web or whatever you wish to monitor) from any address except the proxy on a network firewall. (This way all traffic has to flow through the proxy)
 
http isn't encrypted. https is.
If you meant to say you want to decrypt http, you'd have to generate or use an issued cert from a CA, install the cert on the computer and then proxy traffic on a for the browser to a localhost : port and then decrypt with your cert. Self-signed or otherwise non-trusted issued certs will throw cert error pages for everything and that's just a bad idea.
A better idea if you really need to decrypt traffic would be the following
  • Assuming there is a PKI setup deploy the PKI CA cert into the trusted root store on all Windows machines.
  • Setup a network proxy server that uses that a cert generated from the PKI CA to decrypt traffic
  • Set the default gateway on all the windows machines to the web proxy
  • Block all traffic (web or whatever you wish to monitor) from any address except the proxy on a network firewall. (This way all traffic has to flow through the proxy)
So I guess there is no easy way that only involves the individual computers? I have to configure the modem one way or another, and play around with certificates?
 
No not really. You need to make your application listen on localhost and whatever port. Then in each browser turn on the proxy settings and point it to localhost and the port your application listens on. Your application would then present the cert and it either needs to be trusted on the server or the user would get a warning. Then your application could decrypt the traffic with the private key and then make the real connection to the third party site.
 
No not really. You need to make your application listen on localhost and whatever port. Then in each browser turn on the proxy settings and point it to localhost and the port your application listens on. Your application would then present the cert and it either needs to be trusted on the server or the user would get a warning. Then your application could decrypt the traffic with the private key and then make the real connection to the third party site.
I guess the only way I can work my way around this problem - with my limited knowledge - is to use something like Selenium.
 
Back
Top Bottom