
I was reading this paper on SSL/TLS from the SANS Reading Room on how to capture and decrypt your own SSL traffic with Wireshark. I wanted to capture the credentials used to log in to Gmail. When the TLS handshake takes place, the browser and the server agree to communicate over SPDY.

SPDY is very new to me. On the wire it looks a bit different than HTTP. I can see the decrypted packets in Wireshark if I filter by 'SPDY'. But I just cannot pin down the packet that contains the credentials. I do a search for the string that contains my password and it returns nothing. I am wondering whether the credentials appear different in SPDY than they do in HTTP. Although when I use the Live HTTP Headers add-on I can definitely see the password.

Looking for some hints on how to search for user credentials within a gmail session over SPDY. Thanks!

RoraΖ
user1720897

1 Answer

I am not an expert on how Gmail login works, but I am guessing it relies on cookies, which are normal HTTP headers.

In SPDY, HTTP headers are gzip compressed in the SYN_STREAM frame on a per-connection basis (not per-frame), and that is why you cannot search for strings representing header values like you can do with plain HTTP.

Wireshark has a SPDY plugin that will do this decompression for you (which is not trivial to do by hand), so that Wireshark will show you the actual decompressed headers.

There are also a number of videos online that show how to decrypt SSL and SPDY traffic that you can look up, and that show how Wireshark can decompose SPDY frames into human readable format, for example this one.

sbordet
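As an added example (not code from the question or the answer above), the following Python model shows the point the answer makes: SPDY/3 serialises request headers into a name/value block and runs it through one zlib context per connection direction, so the bytes of a cookie or any other header value never appear verbatim in a captured frame, and a frame captured mid-connection cannot be decoded on its own. It assumes a short stand-in preset dictionary (`HEADER_DICT`, not the real and much longer SPDY/3 dictionary), and the two requests and the cookie value are constructed sample data.

```python
# Added example, not code from the original post: a minimal model of SPDY/3 header
# compression showing why a plain string search over captured SPDY frames finds
# nothing, while the same search over the decompressed name/value block succeeds.
# Assumptions: HEADER_DICT is a short stand-in for the real (much longer) SPDY/3
# preset dictionary; the requests and cookie below are constructed sample data.
import struct
import zlib

HEADER_DICT = (b"optionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encoding"
               b"accept-languageauthorizationexpectfromhostif-modified-since"
               b"user-agentcookiesetcookie:host:method:path:scheme:versionHTTP/1.1")


def encode_header_block(headers):
    """SPDY/3 name/value block: int32 pair count, then int32-length-prefixed name and value."""
    out = struct.pack("!I", len(headers))
    for name, value in headers:
        n, v = name.encode(), value.encode()
        out += struct.pack("!I", len(n)) + n + struct.pack("!I", len(v)) + v
    return out


def decode_header_block(data):
    """Inverse of encode_header_block; raises on a truncated or garbled block."""
    (count,) = struct.unpack_from("!I", data, 0)
    off, headers = 4, []
    for _ in range(count):
        (nlen,) = struct.unpack_from("!I", data, off)
        off += 4
        name = data[off:off + nlen].decode()
        off += nlen
        (vlen,) = struct.unpack_from("!I", data, off)
        off += 4
        value = data[off:off + vlen].decode()
        off += vlen
        headers.append((name, value))
    return headers


class HeaderCompressor:
    """One zlib context per connection direction: every SYN_STREAM/HEADERS block on
    that connection continues the same deflate stream (Z_SYNC_FLUSH, never Z_FINISH)."""
    def __init__(self):
        self._z = zlib.compressobj(zdict=HEADER_DICT)

    def compress(self, headers):
        return self._z.compress(encode_header_block(headers)) + self._z.flush(zlib.Z_SYNC_FLUSH)


class HeaderDecompressor:
    """Must be created once per connection direction and fed every block in order."""
    def __init__(self):
        self._z = zlib.decompressobj(zdict=HEADER_DICT)

    def decompress(self, block):
        return decode_header_block(self._z.decompress(block))


def decompress_out_of_context(block):
    """What a per-frame decoder (fresh zlib state) gets from a mid-connection block:
    an error or garbage, because the stream's back-references point into earlier frames."""
    try:
        return HeaderDecompressor().decompress(block)
    except Exception:
        return None


# Constructed sample: two requests on one connection, the second carrying a session cookie.
SECRET = "SID=7f2a9c4e1b3d5e6f"
REQUEST_1 = [(":method", "GET"), (":path", "/mail/"), (":version", "HTTP/1.1"),
             (":host", "mail.example.com"), (":scheme", "https"),
             ("user-agent", "Mozilla/5.0 (example)"), ("accept", "text/html")]
REQUEST_2 = [(":method", "GET"), (":path", "/mail/u/0/"), (":version", "HTTP/1.1"),
             (":host", "mail.example.com"), (":scheme", "https"),
             ("user-agent", "Mozilla/5.0 (example)"), ("accept", "text/html"),
             ("cookie", SECRET)]


def demo():
    """Returns (secret visible in raw frames?, secret visible after in-order decompression?,
    decoded request 1, decoded request 2, what a fresh decoder gets from frame 2 alone)."""
    comp = HeaderCompressor()
    frame1, frame2 = comp.compress(REQUEST_1), comp.compress(REQUEST_2)
    decomp = HeaderDecompressor()
    decoded1, decoded2 = decomp.decompress(frame1), decomp.decompress(frame2)
    raw_hit = SECRET.encode() in frame1 + frame2          # the search the question tried
    decoded_hit = ("cookie", SECRET) in decoded2          # the search after decompression
    return raw_hit, decoded_hit, decoded1, decoded2, decompress_out_of_context(frame2)


if __name__ == "__main__":
    raw_hit, decoded_hit, d1, d2, stray = demo()
    print("secret found in raw compressed frames:", raw_hit)
    print("secret found after in-order decompression:", decoded_hit)
    print("frame 2 decoded with a fresh zlib context:", stray)
```

Two practical consequences follow for the capture itself: the decoder needs the preset dictionary (which Wireshark's SPDY dissector has built in) and it needs every header-bearing frame of that connection from the first SYN_STREAM onward, so a capture or decryption that starts mid-connection cannot recover later header blocks no matter how the frames are searched.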