ADDING HTTPS SERVER NAMES TO THE COLUMN DISPLAY IN WIRESHARK
NOTE: I have an updated version of this information posted on the Palo Alto Networks blog at:
Before doing this, you should've already set up your Wireshark column display as shown here. At the very least, you should be familiar with adding columns to Wireshark, which I covered in that blog post. This is how I display a column for ssl.handshake.extensions_server_name, which is helpful for showing servers using HTTPS from a pcap in your Wireshark display.
It's relatively simple.
- Step 1) Follow a TCP stream for HTTPS traffic over port 443 from the pcap.
- Step 2) Go to Extension: server_name --> Server Name Indication extension --> Server Name: [whatever the server name is]
- Step 3) Right click on that field, and select "Apply as Column" from the pop-up menu.
I've illustrated this in the image below:
You can hide or display (or completely remove) columns from the Wireshark display by right-clicking on the bar with the column headers as shown below.
Use ssl.handshake.extensions_server_name in the filter if you want to see server names for the HTTPS traffic. This works for normal HTTPS traffic, such as the type you might find while web browsing.
Setting up this column in Wireshark is useful when looking at HTTPS traffic and filtering on ssl.handshake.extensions_server_name.