🕵 Packet Intercept Viewer
// WHAT AN ATTACKER RUNNING WIRESHARK OR TCPDUMP WOULD ACTUALLY SEE
## tcpdump -A -i eth0 'tcp port 8080'
## captured packet 0x0042
POST /index.php HTTP/1.1
Host: 192.168.1.100:8080
User-Agent: Mozilla/5.0 (Windows)
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Connection: keep-alive
⚠ BODY (fully readable):
username=student%40example.com&password=MyPassword123
---
ATTACKER CAN READ:
username → student@example.com
password → MyPassword123
No decryption needed.
🔓 HTTP — Everything Exposed
Every header, cookie, and form field is human-readable text on the wire. Any device between you and the server can capture and log it.
## tcpdump -A -i eth0 'tcp port 443'
## captured packet 0x0043
TLSv1.3 Record Layer:
Content Type: Application Data (23)
Version: TLS 1.2 (compat)
Length: 287
Encrypted Application Data:
17 03 03 01 1f a4 d2 3e 8c f7 b1 05 4a 9e 22 c0
b3 17 6d e8 f9 2a 4c 71 38 55 90 1b c4 77 0d 83
2f 19 aa 5c 31 e7 64 08 b9 f0 3d 7c 52 8e a6 11
96 2b d4 60 fc 4e 89 13 07 5f a8 c1 3a 72 de b5
e2 84 0c 59 2d 97 46 f1 68 30 b4 7a 11 c8 94 5e
… (287 bytes of ciphertext) …
// Attacker sees ONLY this.
// The actual POST body, headers, and
// credentials are completely hidden.
✔ CANNOT BE DECODED without server private key
🔒 HTTPS — Content Protected
TLS 1.3 encrypts everything after the initial handshake. Attackers see gibberish bytes. The server's private key is required to decrypt — and it never leaves the server.
🔍 What a MITM Attacker's Workflow Looks Like
- Position themselves on the same network segment (rogue hotspot, ARP spoofing, compromised router).
- Run a packet capture tool (Wireshark, tcpdump, mitmproxy) listening on the network interface.
- Wait for a victim to submit an HTTP form. The full POST body arrives in plaintext — no cracking required.
- Extract credentials, session cookies, or credit card numbers directly from the capture log.
- Optionally modify the response in transit to inject malicious JavaScript before the page reaches the victim.
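The two captures above, parsed the way a network monitor on the defending side would parse them. This is an added example, not code from the page's viewer: the payloads are constructed to mirror packets 0x0042 and 0x0043 (the TLS ciphertext is filler), and `classify`, `parse_http_request`, `parse_tls_record` and the `SENSITIVE_FIELD` pattern are names chosen here. The point it makes is the page's own: the HTTP payload yields the form fields directly, while the TLS record yields only a 5-byte header and an opaque body, so a monitor can flag credential fields crossing the wire unencrypted without ever needing to decrypt anything.

```python
"""Added example: parse the two constructed captures from the viewer and
show why one is readable to a passive observer and the other is not.
The sample payloads are constructed for this example, not real traffic.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed plaintext HTTP POST, modelled on packet 0x0042 above.
# Content-Length here matches the 53-byte body so the parser can trust it.
HTTP_PAYLOAD = (
    b"POST /index.php HTTP/1.1\r\n"
    b"Host: 192.168.1.100:8080\r\n"
    b"User-Agent: Mozilla/5.0 (Windows)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 53\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"username=student%40example.com&password=MyPassword123"
)

# Constructed TLS record, modelled on packet 0x0043 above: a 5-byte header
# (type 0x17 = application data, legacy version 0x0303, length 0x011f = 287)
# followed by 287 bytes of filler standing in for the ciphertext.
_TLS_HEADER = bytes.fromhex("170303011f")
_FILLER = bytes.fromhex("a4d23e8cf7b1054a9e22c0b3176de8f92a4c713855901bc4770d83")
TLS_RECORD = _TLS_HEADER + (_FILLER * 12)[:287]

# Field names a monitor would treat as credentials if seen in plaintext.
SENSITIVE_FIELD = re.compile(r"pass|pwd|secret|token|card|cvv|ssn", re.IGNORECASE)

TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}


@dataclass
class Finding:
    protocol: str                 # "http", "tls" or "unknown"
    readable: bool                # could a passive observer read the content?
    detail: dict = field(default_factory=dict)


def parse_http_request(payload: bytes):
    """Parse a plaintext HTTP request; return None if the payload is not one."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        declared = 0
    body = body[:declared]  # only the bytes the sender declared belong to this body
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # parse_qs undoes the %40 escaping, so the observer sees the real values.
        form = {k: v[0] for k, v in parse_qs(body.decode("ascii")).items()}
    return {"method": method, "target": target, "headers": headers, "form": form}


def parse_tls_record(payload: bytes):
    """Parse only the TLS record header; the body is opaque ciphertext."""
    if len(payload) < 5:
        return None
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    if ctype not in TLS_CONTENT_TYPES or major != 3 or not 1 <= minor <= 4:
        return None
    return {
        "content_type": TLS_CONTENT_TYPES[ctype],
        "legacy_version": f"{major}.{minor}",  # 3.3 is "TLS 1.2" on the wire even for TLS 1.3
        "length": length,
        "complete": len(payload) - 5 >= length,
        "ciphertext_preview": payload[5:21].hex(" "),
    }


def classify(payload: bytes) -> Finding:
    """Decide what a passive observer of this payload could learn from it."""
    http = parse_http_request(payload)
    if http is not None:
        exposed = sorted(k for k in http["form"] if SENSITIVE_FIELD.search(k))
        return Finding("http", True, {"form": http["form"], "exposed_fields": exposed,
                                      "host": http["headers"].get("host")})
    tls = parse_tls_record(payload)
    if tls is not None:
        return Finding("tls", False, tls)
    return Finding("unknown", False, {})


if __name__ == "__main__":
    for label, payload in (("packet 0x0042", HTTP_PAYLOAD), ("packet 0x0043", TLS_RECORD)):
        f = classify(payload)
        print(f"{label}: {f.protocol} readable={f.readable} {f.detail}")
```

Run stand-alone it prints a finding per packet: the HTTP one lists the decoded form and `exposed_fields == ['password']`, the TLS one reports `ApplicationData`, length 287 and a hex preview of bytes it cannot interpret. The same `classify` logic, fed payloads from a real capture, is the kind of check that lets a monitor alert on a login form being submitted over plain HTTP.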