Wireshark is a free and open-source packet analyzer that you can use network troubleshooting, and traffic analysis. It's a powerful tool, vital for anyone in Network Administration, Security, or Forensics...
Introduction
In this introductory post to Wireshark, I’m going to walk you through some of the basic things that Wireshark can show us about HTTP.
If you do not have Wireshark installed, you can download it from here. The capture file that I’m using can also be downloaded here (simply look for http.cap).
In this introductory post to Wireshark, I’m going to walk you through some of the basic things that Wireshark can show us about HTTP.
If you do not have Wireshark installed, you can download it from here. The capture file that I’m using can also be downloaded here (simply look for http.cap).
The Interface
I'm assuming that you already have some experience with Wireshark, so I'm not going to spend much time on setup. Once you’ve installed Wireshark, and its dependencies, and downloaded the http.capture file, go ahead and open the capture. You should see a screen similar to the following:
I'm assuming that you already have some experience with Wireshark, so I'm not going to spend much time on setup. Once you’ve installed Wireshark, and its dependencies, and downloaded the http.capture file, go ahead and open the capture. You should see a screen similar to the following:
Just in case you're not already familiar with Wireshark, or if you'd like a quick review, I'll go through the various GUI elements real quick. Note the different sections in the screen shot above:
That’s a quick and dirty primer, but let’s move on to gathering information from the actual HTTP packets…
- Commands and Menus – These are the standard menus that you find in most applications. To open a saved capture file (either that you’ve saved from your own system, or – like the http.cap – one that you’ve gotten elsewhere)
- Packet Display Filter – Using this field, you can narrow down what packest are displayed by various parameters, such as protocol, source, destination, etc.
- Packet Listing Window – Displays summary information for each packet, including the packet number, time stamp, source, destination, protocol, length, and data information
- Packet Header Details – This provides detailed information about the selected packet, including Ethernet frame, IP datagram, and additional details of the protocol.
- Packet Contents Window – Displays the content of the frame in hexadecimal and ASCII format.
That’s a quick and dirty primer, but let’s move on to gathering information from the actual HTTP packets…
Analyzing HTTP
The information that we’re going to look for in understanding the basic HTTP GET and Response process is as follows:
See what version of HTTP the Client is running:
The information that we’re going to look for in understanding the basic HTTP GET and Response process is as follows:
- The version of HTTP that the Client is running
- The version of HTTP that the Server is running
- The IP Addresses of both the Client and the Server
- The number of bytes being returned by the Server
- The actual HTML document being returned by the Server
See what version of HTTP the Client is running:
- Click on the first HTTP packet (No. 4) in the Packet Listing Window. In the Info column, you can identify this packet as an HTTP GET request based on the “GET…HTTP…” data
- In the Packet Header Details window, expand ‘Hypertext Transfer Protocol’
- Expand ‘Get /download.html HTTP/1.1\r\n’
- The client’s HTTP version is contained in Request Version: HTTP/1.1 (as well as the ‘Get /download…’ heading, and in the Info column of the Packet Listing Window).
See what version of HTTP the Server is running:
This is extremely similar…
This is extremely similar…
- Click on the next HTTP packet (No. 27) in the Packet Listing Window. Although the Info column doesn’t explicitly state that this is a Return packet, we can still identify it as such by the code of 200 OK that is returned from the server to the client
- In the Packet Header Details window, expand ‘Hypertext Transfer Protocol’
- Expand ‘HTTP/1.1 200 OK\r\n’
- The server’s HTTP version is contained in Request Version: HTTP/1.1 (again - as well as the ‘HTTP/1.1 200 OK\r\n’ heading, and in the Info column of the Packet Listing Window.)
Although we could have easily identified the HTTP version by the data displayed in the Info column, I think that there’s value in knowing where to find this information within the actual packet.
Identify the Client and Server IP Addresses
If you still have packet No 27, you can see, in the Packet Listing window, the Source (the server), and Destination (client) IP addresses:
Identify the Client and Server IP Addresses
If you still have packet No 27, you can see, in the Packet Listing window, the Source (the server), and Destination (client) IP addresses:
Identify How Many Bytes of Data is Being Returned
With packet No 27 selected, you can see in the Packet Header Details, within the Frame heading, the information we’re looking for:
With packet No 27 selected, you can see in the Packet Header Details, within the Frame heading, the information we’re looking for:
Viewing the Actual HTML File Being Returned by the Server
- With packet No. 27 still selected, look at the Packet Header Details area
- Expand Line-based text data: text/html
- Although it has likely been truncated, this will display the actual HTML file being returned.
- To see the file in whole, you can inspect the Packet Contents Window as shown below:
Conclusion
Although this has been a fairly simple demonstration, it should show the powerful potential that Wireshark has for in-depth analysis. I use Wireshark frequently in troubleshooting, and also in teaching about various network protocols. My goal is to have quite a number of these posts - each focusing on a different protocol.
If you've found this information useful, please let me know in the comments below!
Although this has been a fairly simple demonstration, it should show the powerful potential that Wireshark has for in-depth analysis. I use Wireshark frequently in troubleshooting, and also in teaching about various network protocols. My goal is to have quite a number of these posts - each focusing on a different protocol.
If you've found this information useful, please let me know in the comments below!