2

I just downloaded Wireshark for Mac as I am trying to find out exactly where an app is connecting. I need to see the URL and the protocol, whether it is https or http.

I am very new to Wireshark and testing in general and as such would require a detailed reply.

I have tried:

tcp.port == 443 || tcp.port == 80

in the filters section but that seems to only be showing me what Chrome is trying to connect to.

Please could someone help me.

Luca Gibelli
JamesG

2 Answers

2

Using Wireshark

Wireshark doesn't support isolating traffic for a specific app. You would have to close every other app running on your OS X to reduce the noise. Once you find the TCP stream created by the app you can right-click on the packet and choose 'Follow TCP stream'.

One better way to do what you are trying to achieve with Wireshark is to set up a VM and run the app inside the VM. Then you can sniff all traffic coming out of the VM by sniffing the VM's virtual network interface.

Using nettop

In my opinion Wireshark is the wrong tool to do what you need. On Mac OS X there is a very helpful tool called nettop. Open a Terminal and run nettop -P to get a summary of all the traffic generated by each application currently running, together with their pid. On my machine I have:

               bytes_in        bytes_out   rx_dupe   rx_ooo
[...]
Skype.27479    1831 KiB        1950 KiB    32 KiB    20 KiB
[...]

Then you take the pid of your app (27479 in this example) and run:

 nettop -p 27479

and you will see where the app is connecting to:

Skype.27479 1836 KiB        1955 KiB    32 KiB    20 KiB
   tcp4 192.168.0.46:49355<->91.190.219.46:12350                                            en0   Established         429 B           694 B       0 B       0 B
   tcp4 192.168.0.46:56325<->52.229.169.31:443                                              en0   Established         421 KiB         205 KiB    29 KiB    20 KiB
   tcp4 192.168.0.46:51753<->157.55.56.149:40016                                            en0   Established         140 KiB         377 KiB   281 B       0 B
   tcp4 192.168.0.46:51751<->13.69.188.18:443                                               en0   Established         117 KiB          84 KiB  2968 B       0 B

You can further restrict the traffic shown to match some rules, but I suggest that you don't: you might be surprised to discover how many apps do not rely just on http/https :)

Run man nettop for more details.

Luca Gibelli
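The connection lines that nettop -p prints can be reduced to a list of remote endpoints, which covers the "http or https" part of the question by port. This is an added example, not part of the answer above: the function names are made up here, the sample input is the output quoted in that answer, and the label is only the port convention (443 usually carries TLS, 80 plain HTTP), not proof of the protocol in use.

```shell
#!/bin/sh
# Added example: summarise remote endpoints from nettop connection lines.
# Assumed input: text lines in the "tcp4 local:port<->remote:port ..." layout
# shown in the answer above (IPv4 only; other line types are ignored).

# sample_nettop: the per-process output quoted in the answer, embedded so the
# script runs offline.
sample_nettop() {
cat <<'EOF'
Skype.27479 1836 KiB        1955 KiB    32 KiB    20 KiB
   tcp4 192.168.0.46:49355<->91.190.219.46:12350   en0   Established   429 B     694 B     0 B      0 B
   tcp4 192.168.0.46:56325<->52.229.169.31:443     en0   Established   421 KiB   205 KiB   29 KiB   20 KiB
   tcp4 192.168.0.46:51753<->157.55.56.149:40016   en0   Established   140 KiB   377 KiB   281 B    0 B
   tcp4 192.168.0.46:51751<->13.69.188.18:443      en0   Established   117 KiB   84 KiB    2968 B   0 B
EOF
}

# classify_endpoints: read nettop lines on stdin and print one
# "remote_ip remote_port label" line per distinct remote endpoint.
classify_endpoints() {
    awk '
    ($1 == "tcp4" || $1 == "udp4") && $2 ~ /<->/ {
        split($2, ends, "<->")            # ends[1] = local, ends[2] = remote
        remote = ends[2]
        n = split(remote, parts, ":")     # last field after ":" is the port
        port = parts[n]
        ip = substr(remote, 1, length(remote) - length(port) - 1)
        if (port == "443")      label = "https-port"
        else if (port == "80")  label = "http-port"
        else                    label = "other"   # not web by convention
        print ip, port, label
    }' | LC_ALL=C sort -u
}

# Show the summary for the embedded sample.
sample_nettop | classify_endpoints
```

Endpoints labelled "other" are the ones a tcp.port == 443 || tcp.port == 80 capture filter would never have shown.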
0

Try using a web tracker like Fiddler.

https://www.telerik.com/blogs/introducing-fiddler-for-os-x-beta-1

Daniel PC