Wireshark/HTTP
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze HTTP (Hypertext Transfer Protocol) traffic.
Preparation
To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture HTTP Traffic
To capture HTTP traffic:
- Open a new web browser window or tab.
- Search the Internet for an http (rather than https) website.
- Start a Wireshark capture.
- Navigate to the website found in your search.
- Stop the Wireshark capture.
Activity 2 - Select Destination Traffic
To select destination traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only HTTP traffic, type http (lower case) in the Filter box and press Enter.
- Select the first HTTP packet labeled GET /.
- Observe the destination IP address.
- To view all related traffic for this connection, change the filter to ip.addr == <destination>, where <destination> is the destination address of the HTTP packet.
Activity 3 - Analyze TCP Connection Traffic
To analyze TCP connection traffic:
- Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three-way handshake. Select the first packet.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
- Expand Ethernet II to view Ethernet details.
- Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
- Expand Internet Protocol Version 4 to view IP details.
- Observe the Source address. Notice that the source address is your IP address.
- Observe the Destination address. Notice that the destination address is the IP address of the HTTP server.
- Expand Transmission Control Protocol to view TCP details.
- Observe the Source port. Notice that it is a dynamic port selected for this HTTP connection.
- Observe the Destination port. Notice that it is http (80). Note that all of the packets for this connection will have matching MAC addresses, IP addresses, and port numbers.
Activity 4 - Analyze HTTP Request Traffic
To analyze HTTP request traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the fourth packet, which is the first HTTP packet and labeled GET /.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Hypertext Transfer Protocol frame. Also notice that the Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection analyzed in Activity 3.
- Expand Hypertext Transfer Protocol to view HTTP details.
- Observe the GET request line and the Host, Connection, User-Agent, Referer, Accept, and Cookie header fields. This is the information passed to the HTTP server with the GET request, and because the connection is plain HTTP it is readable by anyone capturing the traffic on the path.
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the fifth packet, labeled TCP ACK. This is the server TCP acknowledgement of receiving the GET request.
Activity 5 - Analyze HTTP Response Traffic
To analyze HTTP response traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the second HTTP packet, labeled 301 Moved Permanently.
- Observe the packet details in the middle Wireshark packet details pane.
- Expand Hypertext Transfer Protocol to view HTTP details.
- Observe the HTTP response, Server, Expires, Location, and other available information. This response indicates that the requested page has permanently moved to the location provided.
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the next packet, labeled TCP ACK. This is the client TCP acknowledgement of receiving the HTTP response.
Activity 6 - Analyze HTTP Request Traffic
To analyze HTTP request traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the third HTTP packet, labeled GET /wiki/Wikiversity:Main_Page.
- Observe the packet details in the middle Wireshark packet details pane.
- Expand Hypertext Transfer Protocol to view HTTP details.
- Observe the HTTP request fields. Notice that the request is similar to the request in Activity 4 above, except that the new page location is requested.
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the next packet, labeled TCP ACK. This is the server TCP acknowledgement of receiving the GET request.
Activity 7 - Analyze HTTP Response Traffic
To analyze HTTP response traffic:
- Observe the traffic captured in the top Wireshark packet list pane.
- Select the next packet, labeled TCP segment of a reassembled PDU. Notice that because the server response is longer than the TCP maximum segment size, the response has been split across several TCP segments, which Wireshark reassembles before it can dissect the HTTP message.
- Observe the packet details in the middle Wireshark packet details pane.
- Observe the packet contents in the bottom Wireshark packet bytes pane.
- Observe the traffic captured in the top Wireshark packet list pane. Notice that for every two TCP segments of data, there is a TCP ACK acknowledgement of receiving the HTTP response.
- Select the last HTTP packet, labeled HTTP 200 OK.
- Observe the packet details in the middle Wireshark packet details pane. Notice the Reassembled TCP Segments listed.
- Expand Hypertext Transfer Protocol to view HTTP details.
- Observe the full HTTP response to be passed to the web browser.
- Expand Line-based text data to observe web page content.
- In the web browser, right-click on the web page and view the page source. Notice that it is identical to the line-based text captured in Wireshark.
- Close the web browser.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
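The reassembly and dissection that Activities 4, 5 and 7 show in the Wireshark panes can be reproduced in a few lines. The following is an added example, not part of the Wireshark/HTTP page: it joins constructed, out-of-order TCP segments into one HTTP message (as the Reassembled TCP Segments list does), parses the request and response, and reports the 301 Location and the plaintext headers exposed by the GET. All sequence numbers, hostnames and header values are made up for the example.

```python
"""Added example (not part of the Wireshark/HTTP activity page): reassemble
constructed, out-of-order TCP segments into one HTTP message, the way
Wireshark's 'Reassembled TCP Segments' does, then parse the result."""
# Constructed segments: (relative TCP sequence number, payload bytes), listed
# out of order on purpose. Sequence numbers and content are made up.
RESPONSE_SEGMENTS = [
    (65, b"<html><body>Hel"),
    (1, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 31\r\n\r\n"),
    (80, b"lo</body></html>"),
]
# Constructed request and 301 response, mirroring Activities 4 and 5.
REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\nConnection: keep-alive\r\n"
           b"Cookie: session=constructed-value\r\n\r\n")
REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Location: http://example.test/wiki/Main_Page\r\nContent-Length: 0\r\n\r\n")

def reassemble(segments) -> bytes:
    """Sort segments by sequence number and join them; raise on a gap."""
    data, expected = b"", None
    for seq, payload in sorted(segments):
        if expected is not None and seq != expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seq}")
        data += payload
        expected = seq + len(payload)
    return data

def parse_http(message: bytes) -> dict:
    """Split an HTTP/1.x message into start line, lower-cased headers and body."""
    head, _, body = message.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"start_line": lines[0], "headers": headers, "body": body[:length]}

def redirect_target(response: dict):
    """Return the Location header of a 3xx response (Activity 5), else None."""
    status = response["start_line"].split()[1]
    return response["headers"].get("location") if status.startswith("3") else None

def cleartext_exposure(request: dict) -> list:
    """Headers anyone capturing this plain-HTTP connection can read as-is,
    exactly as the Activity 4 dissector shows them."""
    return [h for h in ("cookie", "authorization") if h in request["headers"]]

if __name__ == "__main__":
    page = parse_http(reassemble(RESPONSE_SEGMENTS))
    print(page["start_line"], page["body"], redirect_target(parse_http(REDIRECT)))
```

Running it prints the reassembled 200 OK status line and body followed by the redirect target; a capture with a missing segment raises instead of silently producing a truncated page.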