How to capture HTTP traffic using Wireshark, Fiddler, or tcpdump
Platform Notice: Cloud, Server, and Data Center - This article applies equally to all platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
This is a quick guide to capturing HTTP traffic from a single workstation for a limited time, when Atlassian Support requests it. The capture can help with analyzing network issues or with understanding why page content fails to load. It does not cover tracking users over time.
When submitting the captured result to support...
Remember to mention the IP addresses of the servers involved so Atlassian Support can use them to filter the capture, and the timeframe in which you performed the operation Support requested.
Solution
Wireshark
Wireshark is a network protocol analyzer that can be installed on Windows, Linux, and Mac. It records every packet on an interface, so it is more comprehensive (and lower-level) than Fiddler, which only sees the HTTP(S) traffic that passes through its proxy.
To use:
- Install Wireshark.
- Open your Internet browser and clear its cache.
- Open Wireshark.
- Click Capture > Options (older versions: Capture > Interfaces). A window listing the available interfaces appears.
- Select the interface your traffic leaves through (normally the Ethernet or Wi-Fi adapter) and click the Start button to capture traffic on that interface.
- Visit the URL whose traffic you want to capture.
- Go back to the Wireshark window and press Ctrl + E to stop capturing.
- Save the captured traffic via File > Save As in *.pcap (or the default *.pcapng) format and attach the file to your support ticket.
Notes:
- If the site uses HTTPS, Wireshark will show the TLS handshake but not the HTTP requests and responses inside it. Either disable HTTPS in your test environment, or keep HTTPS and use the SSLKEYLOGFILE method described in the HTTPS section of this article.
- With the legacy WinPcap driver, Wireshark cannot sniff traffic within the same machine (localhost) on Windows; the Npcap driver bundled with current Wireshark versions adds a loopback adapter for this. If you still cannot capture local traffic on Windows, try Fiddler.
Fiddler
Fiddler is a web debugging proxy tool that can capture HTTP(S) traffic. Fiddler Classic, described here, runs only on Windows.
To use:
- Download and install Fiddler.
- Open it. While it runs, Fiddler registers itself as the system proxy, so browser traffic is routed through it.
- Clear your browser cache.
- Browse to your site. Visit the pages that are problematic and, if appropriate, a contrasting page that works.
- Fiddler can capture local traffic if you use the machine's name as the host name rather than 'localhost', which browsers send directly without going through the proxy.
- Click File > Save > All Sessions...
- Attach the resulting .saz file to the support ticket.
tcpdump
tcpdump is a command-line utility that captures network traffic on Unix-like systems such as Linux and macOS. It has many options that are not covered here; ask your Support Agent or read the tcpdump manual page (man tcpdump) for more.
- Open a terminal.
- Find the outgoing interface. The following commands list the interfaces; the one carrying the default route is normally the right one (for example eno1 on Linux or en0 on macOS):
- ip address show (or ip route show default) on Linux
- ifconfig on macOS and older Linux systems
- tcpdump -D, which lists the interfaces tcpdump itself can open
- Build the command:
- sudo tcpdump -i <Interface> -s 0 -w <fileToWriteTo>
- -s sets how many bytes of each packet to record; 0 captures the full packet.
- -w writes the raw packets to a file that Wireshark can open; without it tcpdump only prints a one-line summary per packet to the terminal.
- If you know which TCP port to capture, add a filter at the end to limit the size of the capture:
- sudo tcpdump -i <Interface> -s 0 -w <fileToWriteTo> port 80
- If unsure, leave off the filter.
- Press Ctrl + C to stop the capture.
Capture over time
For more advanced issues, you may need to capture traffic over time. Here are some useful options:
- Limit the amount recorded per packet with -s 96. This truncates the data portion of each packet but keeps the Ethernet, IP and TCP headers, so connection setup and teardown of each TCP stream stay visible while the files stay small.
- Limit the capture to a single host. This is useful when capturing on a server or Data Center node rather than on a user endpoint:
- tcpdump -i <Interface> -w <fileToWriteTo> host <IP address>
- Limit the size of each file with -C. The value is in units of 1,000,000 bytes; when a file reaches that size tcpdump starts a new one with a number appended to the name. Combined with -W <count> it overwrites the oldest file once <count> files exist, which keeps the capture from filling the disk. Must be used with -w:
- tcpdump -i <Interface> -C 500 -W 10 -w <fileToWriteTo>
- For captures over an extended period, break the capture into smaller files that can be moved or deleted as needed. These are the options, where your tcpdump build supports them:
- -G <seconds>: when used with -w, rotate to a new dump file every <seconds> seconds.
- -W <count>: when used with -G, stop after <count> files have been written.
- Use strftime date and time fields in the -w file name so each file records when it was started. Without them every rotation reopens the same name and overwrites the previous file:
- -w Data-%Y-%m-%d_%H.%M.%S.pcap
Full example combining the advanced options. This command captures web traffic to and from host 192.168.0.100 for six hours, rotating hourly, and produces six files that contain mostly protocol headers rather than payload:
sudo tcpdump -i eno1 -G 3600 -W 6 -w Data-%Y-%m-%d_%H.%M.%S.pcap -s 96 'host 192.168.0.100 and ( port 80 or port 443 )'
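The script below is an added example, not a script from this article or from the tcpdump project. It turns "capture host X for N hours" into the options just described, refuses a -w name that would be overwritten on every rotation, and summarizes the rotated files afterwards so the right one can be attached. The interface detection, the Data-%Y-%m-%d_%H.%M.%S.pcap template and the 1-hour default file period are this example's own assumptions; the flag semantics are those of man tcpdump.

```bash
#!/bin/sh
# Added example (not from the article): plan and run a long-running tcpdump
# capture for Support. Interface, host and template names are placeholders.

# Outgoing interface for the default route (Linux via iproute2, macOS via route).
default_iface() {
    if command -v ip >/dev/null 2>&1; then
        ip -o route show default | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") {print $(i+1); exit}}'
    else
        route -n get default 2>/dev/null | awk '/interface:/ {print $2}'
    fi
}

# -G rotates every file_seconds; -W caps the number of files and makes tcpdump
# exit once that many are written. total=6h, file=1h -> "-G 3600 -W 6".
rotation_args() {
    total_hours="$1"; file_hours="${2:-1}"
    files=$(( (total_hours + file_hours - 1) / file_hours ))   # round up
    echo "-G $(( file_hours * 3600 )) -W $files"
}

# BPF filter for one peer on the HTTP(S) ports (override by listing ports).
# 'port' matches either direction, so responses are kept as well as requests.
capture_filter() {
    host="$1"; shift
    [ "$#" -gt 0 ] || set -- 80 443
    ports=""
    for p in "$@"; do ports="$ports${ports:+ or }port $p"; done
    echo "host $host and ( $ports )"
}

# A -w template used with -G must contain strftime fields, otherwise every
# rotation reopens the same name and discards the previous period's data.
check_rotating_name() {
    case "$1" in *%*) return 0;; *) return 1;; esac
}

# Assemble the full command. Snaplen 96 keeps the TCP headers but drops most
# payload, which is usually what a multi-hour capture for Support needs.
build_capture_cmd() {
    iface="$1"; host="$2"; hours="$3"; template="$4"
    check_rotating_name "$template" || { echo "refusing: $template has no %-date fields" >&2; return 1; }
    echo "tcpdump -i $iface -s 96 $(rotation_args "$hours") -w $template '$(capture_filter "$host")'"
}

# After the capture: list each rotated file with its size, then the total in
# 1,000,000-byte units (the same unit tcpdump's -C option uses).
capture_summary() {
    total=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        total=$(( total + size ))
        echo "$f $size"
    done
    echo "total_MB $(( total / 1000000 ))"
}

# Usage: sh capture.sh run <host IP> <hours>   (runs tcpdump via sudo)
case "${1:-}" in
    run) cmd=$(build_capture_cmd "$(default_iface)" "$2" "$3" 'Data-%Y-%m-%d_%H.%M.%S.pcap') && eval "sudo $cmd" ;;
esac
```

With `run 192.168.0.100 6` the assembled command is the six-hour example above, with the interface filled in from the default route. Run capture_summary over the resulting Data-*.pcap files before attaching them, and mention the file that covers the requested timeframe in the ticket.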
HTTPS
Sometimes it is necessary to gather HTTPS traffic and decrypt it. When that is needed, there are two ways to gather the data.
Decrypt with Fiddler
Fiddler can decrypt HTTPS by acting as a man-in-the-middle between the browser and the server. Enable Tools > Options > HTTPS > Decrypt HTTPS traffic before you start capturing; Fiddler generates its own root certificate and offers to install it in the Windows trust store. Remove that root certificate when you are done (the Actions button on the same tab offers Remove Interception Certificates), because anything holding a trusted root on this machine can impersonate any site to it.
Decrypt with SSLKEYLOGFILE
Wireshark can decrypt HTTPS traffic if it is given the TLS session keys, and SSLKEYLOGFILE is how the browser supplies them. The mechanism belongs to the browser's TLS library (NSS in Firefox, BoringSSL in Chrome): when the SSLKEYLOGFILE environment variable is set at the time the browser starts, the browser appends the secrets of every TLS session it creates to that file. Point Wireshark at the file under Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename (older versions list the protocol as SSL). If you supply an SSLKEYLOGFILE and a pcap file that were taken at the same time, Wireshark shows the decrypted web traffic.
This is a feature of the web browsers, not of Wireshark. Please test that your browser version still supports it. The steps below are examples of how to enable it in the common browsers.
Do not use this feature on computers with sensitive data, do not access sensitive data while it is enabled, and do not upload an SSLKEYLOGFILE or pcap file containing sensitive data unless you are sure it will help with your issue. Anyone holding both files can read every TLS session in the capture, including session cookies and passwords.
Please confirm the feature is off after capturing the necessary data. To confirm: delete the log file, fully quit all browsers, launch a browser again and make sure the file is not recreated.
Chrome and Firefox on Unix
- Open a terminal session.
- Make sure all web browsers are closed. An already running instance would just open a new window and keep running without the variable.
- Set the SSLKEYLOGFILE variable:
- export SSLKEYLOGFILE=$HOME/sslkeylog.log
- Start capturing network traffic (for example with tcpdump, as described above).
- Launch the browser from the same terminal session so that it inherits the variable:
- On Mac OS X use open: open /Applications/Firefox.app/ (if the log file stays empty, the variable was not passed through; run the binary directly instead, /Applications/Firefox.app/Contents/MacOS/firefox)
- On Linux: /usr/bin/chromium-browser
- Gather the data.
- Close the browser and the terminal session. Closing the terminal discards the exported variable.
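The Unix procedure above as a runnable shell script, added here as an example; it is not part of the article and not an Atlassian tool. It starts the key log and the packet capture together, launches the browser from the same shell so it inherits SSLKEYLOGFILE, and then checks that the log actually contains secrets, which is the usual failure when the browser was started from the Dock or a desktop menu instead. It assumes tcpdump and a Firefox or Chromium binary are installed; the interface name, browser path and URL are placeholders passed on the command line. The line format it checks is the one written by NSS (Firefox) and BoringSSL (Chrome): a label, the 32-byte client random and the secret, all in lowercase hex.

```bash
#!/bin/sh
# Added example (not from the article): capture HTTPS traffic on Linux/macOS
# with SSLKEYLOGFILE and verify the key log before anything is uploaded.
# Placeholders: interface, browser binary and URL are given as arguments.

# Count entries Wireshark can use. One entry per line: label, 64 hex chars of
# client random, then 64 or 96 hex chars of secret. NSS adds '#' comment lines.
keylog_entries() {
    file="$1"
    [ -f "$file" ] || { echo 0; return; }
    grep -E -c '^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EARLY_EXPORTER_MASTER_SECRET|EXPORTER_SECRET) [0-9a-f]{64} [0-9a-f]{64,96}$' "$file" || true
}

# Print any non-comment line that does not look like a key-log entry (a browser
# writing an unexpected format would leave Wireshark unable to decrypt).
# Returns 1 if such lines exist, 0 if the file is clean.
keylog_bad_lines() {
    grep -E -v '^(#|$)' "$1" | grep -E -v '^[A-Z0-9_]+ [0-9a-f]{64} [0-9a-f]{64,96}$' && return 1
    return 0
}

# One capture session. The browser is started from this shell, with the
# variable exported, and the script blocks until the browser is fully quit.
run_capture() {
    iface="$1"; browser="$2"; url="$3"
    export SSLKEYLOGFILE="$HOME/sslkeylog.log"
    rm -f "$SSLKEYLOGFILE"
    sudo tcpdump -i "$iface" -s 0 -w "$HOME/capture.pcap" 'port 80 or port 443' &
    dumper=$!
    "$browser" "$url"                       # all other browser windows must be closed first
    sudo kill "$dumper"; wait "$dumper" 2>/dev/null || true
    unset SSLKEYLOGFILE
    n=$(keylog_entries "$HOME/sslkeylog.log")
    echo "captured $n TLS secrets into $HOME/sslkeylog.log, packets in $HOME/capture.pcap"
    [ "$n" -gt 0 ] || echo "no secrets logged: the browser did not inherit SSLKEYLOGFILE" >&2
    keylog_bad_lines "$HOME/sslkeylog.log" || echo "unexpected lines in key log (listed above)" >&2
}

# The article's final check: with the variable gone, relaunch the browser and
# confirm the log is not recreated. Quit the browser when it opens. Returns 0 when clean.
confirm_keylog_off() {
    logfile="$1"; browser="$2"
    rm -f "$logfile"
    env -u SSLKEYLOGFILE "$browser" about:blank
    [ ! -e "$logfile" ]
}

# Usage: sh keylog-capture.sh run <iface> <browser binary> <url>
#        sh keylog-capture.sh check <browser binary>
case "${1:-}" in
    run)   run_capture "$2" "$3" "$4" ;;
    check) confirm_keylog_off "$HOME/sslkeylog.log" "$2" && echo "SSLKEYLOGFILE is off" ;;
esac
```

Only upload sslkeylog.log and capture.pcap together and only after the sensitive-data caveats above have been considered; with both files, every TLS session in the capture is readable.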
Chrome and Firefox on Windows
- Set SSLKEYLOGFILE as an environment variable:
- Launch sysdm.cpl from the Windows Run prompt.
- Open the Advanced tab and click the Environment Variables button in the System Properties window.
- Add SSLKEYLOGFILE to the user-specific variables.
- The value should be the full path and name of the log file.
- Start capturing network traffic.
- Launch Chrome or Firefox. The browser must be started after the variable is set; an instance that was already running will not pick it up.
- Gather the data.
- Fully quit Chrome or Firefox.
- Remove the SSLKEYLOGFILE environment variable, and delete the log file once it has been sent to Support.
Reading the traffic is beyond the scope of this article. Please use the linked article if you would like to see the decrypted traffic.