Recently I got confused about how to sniff HTTPS traffic. I thought I needed a proxy, and that turned out to be correct: I set up a proxy chain using stunnel.
I use two machines (which is not optimal): one executes the command under test and runs the stunnel server; the other runs the stunnel client and does the sniffing.
The stunnel server resides on the target machine and acts like the server hosting the HTTPS endpoint, so it terminates TLS there. The client (which is effectively still a server) accepts the decrypted traffic from the server side and sends it on to wherever you configure it to go, re-encrypting it for the real destination.
Server configuration:
debug = 3
#foreground = yes
pid =
[server]
client = no
cert = ./server.pem
accept = 127.0.0.1:443
connect = 10.40.149.13:4434
Client configuration:
debug = 3
#foreground = yes
pid =
[client]
client = yes
accept = 0.0.0.0:4434
connect = openapi.mytest.cn:443
You also need to make sure that on the machine where the server resides, /etc/hosts contains "${IP} openapi.mytest.cn" (with ${IP} being the address the stunnel server accepts on, 127.0.0.1 in the configuration above), so that the command under test is forced through the local proxy server instead of resolving the real host.
On the sniffing machine (where the stunnel client listens on 4434), capture the plaintext leg:
sudo tcpdump -i eth0 -s 0 -w ./captured.pcap 'port 4434 and tcp'
Then download captured.pcap and inspect the result with Wireshark.
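Once captured.pcap is pulled back, the following added Python example (not from the original post) walks the capture and lists every HTTP request or response start-line seen in the clear on the 4434 relay port, together with its Host and Authorization headers, which makes concrete what the unencrypted leg between the two machines exposes. It reads the pcap format directly rather than through Wireshark; the build_pcap helper only constructs sample input so the script runs offline.

```python
import struct
HTTP_METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"PATCH", b"OPTIONS"}

def build_pcap(segments):
    """Constructed test data: a little-endian pcap (linktype 1, Ethernet) holding
    one IPv4/TCP segment per (src_port, dst_port, payload) tuple."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sport, dport, payload in segments:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                         64, 6, 0, bytes([10, 40, 149, 13]), bytes([10, 40, 149, 14]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def tcp_payloads(pcap, port):
    """Yield (src_port, dst_port, payload) for every data-carrying TCP segment
    on `port`.  Handles both pcap byte orders; assumes Ethernet + IPv4 framing."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
        if ip[9] != 6:
            continue                                  # not TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if port in (sport, dport) and payload:
            yield sport, dport, payload

def exposed_http(pcap, port=4434):
    """Return [(start_line, {header: value})] for each HTTP request/response start
    seen in clear on the relay port; only Host and Authorization are kept."""
    out = []
    for _, _, payload in tcp_payloads(pcap, port):
        lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        first = lines[0].split(b" ", 1)[0]
        if first not in HTTP_METHODS and not first.startswith(b"HTTP/"):
            continue                                  # body bytes or partial segment
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.lower() in (b"host", b"authorization"):
                headers[name.decode()] = value.strip().decode()
        out.append((lines[0].decode(), headers))
    return out
```

Everything this prints also crossed the wire in clear between the two machines on port 4434, so keep that leg on an isolated test network.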