Set up a port mirror for the suspected device, or for a link that forwards traffic from several devices, and start the capture. HTTPS uses TCP port 443, so this is the port to watch unless you have a custom application that uses different ports, as discussed in the Configuring HTTP preferences recipe.
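For the custom-port case, the sketch below recognises HTTPS by content rather than by port number: it checks whether the first client payload of a TCP stream is a TLS ClientHello and extracts the SNI name. It is an added example, not code from the original recipe, and it goes slightly beyond the text; the function names and the sample flows are constructed for illustration.

```python
import struct

def build_client_hello(sni):
    """Build a minimal TLS ClientHello with one SNI name (constructed sample input)."""
    name = sni.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)    # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def tls_client_hello_sni(payload):
    """Return (is_client_hello, sni_or_None) for the first bytes of a TCP stream."""
    # Record type 0x16 = handshake, major version 3, handshake type 1 = ClientHello
    if len(payload) < 6 or payload[0] != 0x16 or payload[1] != 0x03 or payload[5] != 0x01:
        return False, None
    try:
        p = 5 + 4 + 2 + 32                   # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                  # skip session id
        p += 2 + int.from_bytes(payload[p:p + 2], "big")   # skip cipher suites
        p += 1 + payload[p]                  # skip compression methods
        p, end = p + 2, p + 2 + int.from_bytes(payload[p:p + 2], "big")
        while p + 4 <= min(end, len(payload)):
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            if etype == 0:                   # server_name extension
                nlen = int.from_bytes(payload[p + 7:p + 9], "big")
                return True, payload[p + 9:p + 9 + nlen].decode("ascii", "replace")
            p += 4 + elen
    except IndexError:                       # truncated capture: hello seen, no SNI
        pass
    return True, None

def https_ports(flows):
    """Map destination port -> set of SNI names for streams that start with a ClientHello."""
    seen = {}
    for dst_port, payload in flows:
        is_hello, sni = tls_client_hello_sni(payload)
        if is_hello:
            seen.setdefault(dst_port, set()).add(sni)
    return seen

# Constructed sample: (destination port, first client payload) of three TCP streams
SAMPLE_FLOWS = [
    (443, build_client_hello("www.example.com")),
    (8443, build_client_hello("app.example.internal")),
    (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]
if __name__ == "__main__":
    print(https_ports(SAMPLE_FLOWS))
```

In Wireshark itself, the display filter `tls.handshake.type == 1` applies the same idea to a capture that was not restricted to port 443.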