@dfrankland
Created May 28, 2020 05:06
How to use Wireshark with Node.js (especially with HTTPS / TLS / SSL)

It can be difficult to trace network traffic from a Node.js application. Typically, folks will just instrument some logging to check that everything is working as it is supposed to. Unfortunately, sometimes there are too many abstractions or possible race conditions to get an accurate trace that way. For the most objective trace of network traffic possible, Wireshark can be used.

Wireshark is a network protocol analyzer that makes it extremely simple to capture and trace network activity from any source on your computer. It also has tools built in to decrypt traffic like that of HTTPS (TLS / SSL).

Setup

In the case of capturing HTTPS (TLS / SSL) traffic, there is some setup before capturing traffic. If all you need is to capture unencrypted HTTP, then skip to the Wireshark installation, since Wireshark can do so out-of-the-box.

SSL key logging for HTTPS (TLS / SSL) decryption

If you'd like to decrypt HTTPS (TLS / SSL) you will need to set a path via an environmental variable to collect SSL keys for use in Wireshark. This same environmental variable works for most browsers and some other applications as well.

export SSLKEYLOGFILE=~/ssl_key_log_file.log

Set the path and file name to whatever you would like.

Node.js SSL key logging

Node.js v12.3.0 introduced a keylog API to store SSL keys, but it can be unwieldy to set up and integrate with existing libraries. It also does not work with the SSLKEYLOGFILE environmental variable. Luckily, there is a simple way to set this up using an npm module: sslkeylog. sslkeylog installs global hooks into the https module to capture any SSL keys used, which makes it the recommended way of capturing SSL keys. sslkeylog can be installed with npm like below:

npm i -D sslkeylog

Once sslkeylog is installed, import it and activate its hooks before making any HTTP(S) calls. For example:

import sslkeylog from 'sslkeylog';

// Patch the https/tls modules so the secrets of every TLS session are written
// to the file named by SSLKEYLOGFILE. Must run before any connection is opened.
sslkeylog.hookAll();

// start the application after this

If you use TypeScript, you may need to include a declaration file like below:

// sslkeylog.d.ts

declare module 'sslkeylog';

Once capturing traffic is complete, you can remove all the code related to SSL key logging.

Wireshark

First things first, you must install the Wireshark program. On macOS you can use brew to install not only the CLI but the UI app as well:

brew cask install wireshark

For Wireshark to be able to decrypt HTTPS (TLS / SSL) traffic it needs to read the SSL key log generated by Node.js or other applications. To configure this, open the application and then open the Wireshark preferences. Once the preferences are open, expand the "Protocols" entry in the left sidebar, scroll down to "TLS" and click on it. On older versions of Wireshark, look for "SSL" instead of "TLS". Once the settings for "TLS" (or "SSL" on older versions) are open, look for the "(Pre)-Master-Secret log filename" setting and set the path to the same one that was configured above via the SSLKEYLOGFILE environmental variable. You might need to create an empty file at the path given.

Capturing traffic

Now that you are all set up, you can begin capturing traffic. Open up Wireshark and select the capture interface, which for macOS is usually en0 (Wi-Fi).

Once capturing has begun you should see all sorts of traffic being listed, unless you are not connected to the internet.

This traffic can be overwhelming and mostly unrelated to Node.js or the application you are trying to inspect. This is where filters come in handy.

For example, to filter requests on a domain:

http.host matches "google.com"

Or to filter on a certain IP address:

ip.addr == 255.255.255.255

Filters can also be combined with conditional operators && and ||.

Once capturing has begun, you can start your app up as normal and try to cause network activity that is in need of being traced.

Hopefully, with a combination of filters you will be able to find the exact requests and responses you are looking for. If you find either a request or a response, you can right-click on the line item and select "Follow > HTTP Stream" to see both the request and the response.

Additionally, you can save any traffic captured for later use or to send to peers for inspection.

@gentoo90

gentoo90 commented Oct 7, 2021

NodeJS has had the --tls-keylog=file CLI option since v12.16.0

@dfrankland (author)

Neat, thanks @gentoo90!

@JMMirza

JMMirza commented Nov 28, 2021

Can you help me out to integrate Wireshark with a Node.js application?
