HTTP sends everything in cleartext — login forms, cookies, API keys. Anyone on the same network can read them.
# Step 1: Open Wireshark, select your network interface # Step 2: Apply filter to show only HTTP POST requests (login attempts): http.request.method == "POST" # Step 3: Look for packets to /login or /auth endpoints # Step 4: Click packet → Follow → HTTP Stream # Step 5: Find the form data at the bottom: # username=ram&password=pracivo # Step 6: Filter by specific credentials: http contains "password" # Real attack scenario: # If you are on the same WiFi as the victim (coffee shop, hotel), # you can capture all their HTTP traffic with Wireshark or tcpdump.
Try this on the http_login_capture.pcap file — filter for POST requests and follow the stream.