
Thanks for your time. I'd like to find a way to tell if a client has made a 'GET' or a 'POST' request to Twitter.

We are currently doing an educational project and we wanted to understand how we can achieve this.

Setup:

  1. We are using Wireshark for sniffing Twitter's traffic.

  2. We are getting a lot of data packets. The question is: how do I differentiate between a GET and a POST request? Is this possible?

Note: I understand that Twitter uses HTTPS to encrypt traffic. But, if I'm not mistaken, the POST/GET call (request) happens before the certificate exchange. I'm just interested in whether the call is GET/POST. (I'm not interested in the data.)

Thanks, R

Dark Knight
    First, you will need to decrypt the SSL traffic. – EEAA Sep 04 '14 at 22:44
  • I understand. I don't want any data from the traffic. I'm not interested in the data. But, I believe GET/POST call is made before the certificate exchange happens. I just want to understand if the user has made a "GET" call or a "POST" call – Dark Knight Sep 04 '14 at 22:51
    That is very much incorrect. – EEAA Sep 04 '14 at 22:52
  • Thanks @EEAA for clarifying. Could you please enlighten? I'm sorry I'm just learning programming and I'm very new. I'd really appreciate if you can correct me. – Dark Knight Sep 04 '14 at 22:55
  • If you tried what you propose, you could look in Wireshark, use a filter of "https" and look at the packets directly. You would see that the method is not available to you. – Ry Jones Sep 04 '14 at 23:03
  • Can we speak of anything using Packet size, Payload Length or any other information that we have? Are they any different for GET/PUT/POST request? Even an approximation would be nice. – Dark Knight Sep 04 '14 at 23:10

1 Answer

You cannot decipher HTTPS traffic unless you do one of the following:

  1. Have the private key
  2. Do a Man-In-The-Middle attack where you intercept the SSL request, pretend to be the end client, decrypt it, inspect it, and then re-encrypt the data with your own root certificate and send it on to your end-client that trusts your root certificate.

What you can glean from the request:

  • Source IP
  • Source Port
  • Destination IP
  • Destination Port
  • Hostname (if the server, and the client, are using SNI)

Let's assume that you have a method of reading this HTTPS traffic, or are using regular HTTP. Then you need to read up on RFC 2616 to see how an HTTP packet is structured. Wireshark can decode these natively, so in the header you would see a GET or a POST directive.

Mark Henderson
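Added example (not code from the question or the answer): a small Python parser that shows the difference the answer describes. Given the first bytes of a TCP stream, a plaintext HTTP request line gives away the method, while a TLS ClientHello exposes only the SNI hostname and no method at all. The ClientHello bytes are constructed inline rather than captured, and example.com is a placeholder name.

```python
import struct

def build_client_hello(host: bytes) -> bytes:
    """Constructed TLS 1.2 ClientHello carrying a server_name (SNI) extension."""
    sni = b"\x00" + struct.pack("!H", len(host)) + host            # name_type 0 + name
    sni_list = struct.pack("!H", len(sni)) + sni
    ext_sni = b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list  # ext type 0
    exts = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (b"\x03\x03" + bytes(32)          # client_version + 32-byte random
            + b"\x00"                        # empty session id
            + b"\x00\x02\xc0\x2f"            # one cipher suite
            + b"\x01\x00"                    # null compression only
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 22 = handshake

def extract_sni(rec: bytes):
    """Walk a ClientHello record and return the SNI hostname, or None."""
    p = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
    p += 1 + rec[p]                            # session id
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]   # cipher suites
    p += 1 + rec[p]                            # compression methods
    if p + 2 > len(rec):
        return None                            # no extensions block at all
    end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        p += 4
        if etype == 0:                         # server_name: list len, name type, name len, name
            name_len = struct.unpack("!H", rec[p + 3:p + 5])[0]
            return rec[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return None

def classify(first_bytes: bytes) -> dict:
    """What a passive observer learns from the start of a TCP stream."""
    for m in (b"GET", b"POST", b"PUT", b"DELETE", b"HEAD"):
        if first_bytes.startswith(m + b" "):   # plaintext HTTP: the request line leaks the method
            return {"proto": "http", "method": m.decode()}
    if first_bytes[:1] == b"\x16" and first_bytes[5:6] == b"\x01":
        # TLS handshake: hostname is visible via SNI, the HTTP method is inside encrypted records
        return {"proto": "tls", "method": None, "sni": extract_sni(first_bytes)}
    return {"proto": "unknown", "method": None}

if __name__ == "__main__":
    print(classify(b"POST /1.1/statuses/update.json HTTP/1.1\r\nHost: example.com\r\n\r\n"))
    print(classify(build_client_hello(b"example.com")))
```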