Wireshark Q and A

COMPUTER NETWORKS AND SECURITY

ASSIGNMENT

Submitted to - Er. Sudhakar
Submitted by - Darshan Sharma
Roll No - CO14321
Year - 3rd

What is Wireshark?

Wireshark is a free and open source packet analyzer. It is used for network
troubleshooting, analysis, software and communications protocol development.
Wireshark lets the user put network interface controllers that support promiscuous
mode into that mode, so they can see all traffic visible on that interface, not just traffic
addressed to one of the interface's configured addresses and broadcast/multicast
traffic.

Installing and using Wireshark

To download Wireshark, go to https://www.wireshark.org and download the software
from there.
After downloading, run Wireshark by typing wireshark in your terminal (sudo
privileges may be required).

HTTP GET/response in Wireshark

The following steps give a better picture of how the HTTP protocol actually works -

1. Start up your web browser.

2. Start up the Wireshark packet sniffer. Enter “http” (just the letters, not the quotation
marks) in the display-filter-specification window, so that only captured HTTP
messages will be displayed later in the packet-listing window.

3. Wait a bit more than one minute and then begin Wireshark packet capture.

4. Enter http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-file1.html into your
browser’s URL bar and press ENTER.

5. Stop Wireshark packet capture.


QUESTIONS RELATED TO THE INFORMATION DISPLAYED IN THE
PACKET-HEADER DETAILS WINDOW

Q1 - Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the
server running?
Answer: Version → 1.1
Server version → 1.1

Q2 - What languages (if any) does your browser indicate that it can accept to the
server?
Answer: Accept-Language → en-US,en;q=0.5\r\n

Q3- What is the IP address of your computer? Of the gaia.cs.umass.edu server?

Answer: Internet Protocol Version 4 (IPv4) →
Source IP: 192.168.1.3
Destination IP: 128.119.245.12

Q4 - What is the status code returned from the server to your browser?

Answer: HTTP/1.1 304 Not Modified\r\n

Q5 - When was the HTML file that you are retrieving last modified at the server?

Answer: If-Modified-Since: Wed, 22 Feb 2017 06:59:02 GMT\r\n

Q6 - How many bytes of content are being returned to your browser?

Answer: No content length is mentioned.

Q7 - By inspecting the raw data in the packet content window, do you see any
headers within the data that are not displayed in the packet-listing window? If so,
name one.

Answer: No, I don’t see any.


[Figure: Verification of IP]

HTTP CONDITIONAL GET/response

Before performing the steps below, make sure your browser’s cache is empty.
Now do the following:
1. Start up your web browser, and make sure your browser’s cache is cleared.
2. Start up the Wireshark packet sniffer.
3. Enter the following URL into your browser:
http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-file2.html
Your browser should display a very simple five-line HTML file.
4. Quickly enter the same URL into your browser again (or simply select the
refresh button on your browser).
5. Stop Wireshark packet capture, and enter “http” in the
display-filter-specification window, so that only captured HTTP messages will
be displayed later in the packet-listing window.

QUESTIONS RELATED TO THE INFORMATION DISPLAYED IN THE
PACKET-HEADER DETAILS WINDOW

Q8 - Inspect the contents of the first HTTP GET request from your browser to the
server. Do you see an “IF-MODIFIED-SINCE” line in the HTTP GET?

ANSWER: No, I don’t see any “IF-MODIFIED-SINCE” line in the first HTTP GET
request.

Q9 - Inspect the contents of the server response. Did the server explicitly return the
contents of the file? How can you tell?

ANSWER: ETag: "173-54904ea3792e7"\r\n
Accept-Ranges: bytes\r\n
Content-Length: 371\r\n
Keep-Alive: timeout=5, max=100\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n
Yes, the server did return the contents of the file, as the above header lines are
purely about the file contents.

Q10 - Now inspect the contents of the second HTTP GET request from your
browser to the server. Do you see an “IF-MODIFIED-SINCE:” line in the HTTP
GET? If so, what information follows the “IF-MODIFIED-SINCE:” header?

ANSWER: Yes, I can see an “IF-MODIFIED-SINCE:” line in the HTTP GET.
If-Modified-Since: Tue, 21 Feb 2017 06:59:01 GMT\r\n
The last-modified time, i.e. that from the previous request, is given here.

Q11 - What is the HTTP status code and phrase returned from the server in
response to this second HTTP GET? Did the server explicitly return the contents of
the file? Explain.

ANSWER: The file has not been modified. Hence no text is returned in the message.
HTTP/1.1 304 Not Modified\r\n
ETag: "173-54904ea3792e7"\r\n
\r\n
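
The conditional GET exchange of Q8 to Q11, modelled from the server's side as an added example that is not part of the original lab: a first request without validators gets 200 OK with the full body and a Content-Length, while a repeat request whose If-Modified-Since (or If-None-Match) matches the unchanged file gets 304 Not Modified with an empty body. The ETag and date are the values captured above; the file body is a constructed stand-in padded to the observed 371 bytes, and the function names are my own.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed stand-in for HTTP-wireshark-file2.html, padded to the 371 bytes
# reported in the server's Content-Length header above.
BODY = b"<html><body>constructed stand-in for file2.html</body></html>".ljust(371, b"\n")
RESOURCE = {
    "body": BODY,
    "etag": '"173-54904ea3792e7"',   # ETag captured in the lab
    # Last-Modified value echoed back by the browser in its second GET (Q10)
    "last_modified": datetime(2017, 2, 21, 6, 59, 1, tzinfo=timezone.utc),
}

def not_modified(req, res):
    """True when the request's validators prove the client's cached copy is current."""
    # If-None-Match takes precedence over If-Modified-Since (RFC 7232, section 6).
    if "If-None-Match" in req:
        tags = [t.strip() for t in req["If-None-Match"].split(",")]
        return "*" in tags or res["etag"] in tags
    if "If-Modified-Since" in req:
        try:
            since = parsedate_to_datetime(req["If-Modified-Since"])
        except (TypeError, ValueError):
            return False          # unparsable date: serve the file unconditionally
        if since.tzinfo is None:  # "-0000" dates come back naive; treat as UTC
            since = since.replace(tzinfo=timezone.utc)
        return res["last_modified"] <= since
    return False

def handle_get(req, res=RESOURCE):
    """Answer a GET: (status_line, headers, body). req maps header names to values."""
    if not_modified(req, res):
        # 304 carries no body, only the validator, so the cache keeps its own copy.
        return "HTTP/1.1 304 Not Modified", {"ETag": res["etag"]}, b""
    headers = {
        "ETag": res["etag"],
        "Last-Modified": format_datetime(res["last_modified"], usegmt=True),
        "Content-Length": str(len(res["body"])),
        "Content-Type": "text/html; charset=UTF-8",
    }
    return "HTTP/1.1 200 OK", headers, res["body"]
```
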
Retrieving Long Documents

Let’s next see what happens when we download a long HTML file.

1. Start up your web browser, and make sure your browser’s cache is cleared,
as discussed above.
2. Start up the Wireshark packet sniffer
3. Enter the following URL into your browser:
http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-file3.html
Your browser should display the rather lengthy US Bill of Rights.

4. Stop Wireshark packet capture, and enter “http” in the display-filter-specification
window, so that only captured HTTP messages will be displayed.

In the packet-listing window, the HTTP GET message is followed by a multiple-packet
TCP response to your HTTP GET request.
In this case, the HTML file is rather long, and at 4500 bytes is too large to fit in one
TCP packet. The single HTTP response message is thus broken into several pieces
by TCP, with each piece being contained within a separate TCP segment. In recent
versions of Wireshark, Wireshark indicates each TCP segment as a separate packet,
and the fact that the single HTTP response was fragmented across multiple TCP
packets is indicated by the “TCP segment of a reassembled PDU” in the Info column
of the Wireshark display.
QUESTIONS RELATED TO THE INFORMATION DISPLAYED IN THE
PACKET-HEADER DETAILS WINDOW

Q12 - How many HTTP GET request messages did your browser send? Which
packet number in the trace contains the GET message for the Bill of Rights?

Answer: One request is sent by my browser. It’s packet number 4.

Q13 - Which packet number in the trace contains the status code and phrase
associated with the response to the HTTP GET request?

Answer: It’s packet number 12.

Q14 - What is the status code and phrase in the response?

Answer: HTTP/1.1 200 OK\r\n

Q15 - How many data-containing TCP segments were needed to carry the
single HTTP response and the text of the Bill of Rights?

Answer: Three packets, which are 6, 8 and 10.


HTML Documents with Embedded Objects

What happens when your browser downloads a file with embedded objects?
1. Start up your web browser, and make sure your browser’s cache is cleared,
as discussed above.
2. Start up the Wireshark packet sniffer.
3. Enter the following URL into your browser:
http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-file4.html
Your browser should display a short HTML file with two images. These two
images are referenced in the base HTML file. That is, the images themselves
are not contained in the HTML; instead the URLs for the images are contained
in the downloaded HTML file.
4. Stop Wireshark packet capture, and enter “http” in the
display-filter-specification window, so that only captured HTTP messages will
be displayed.
QUESTIONS RELATED TO THE INFORMATION DISPLAYED IN THE
PACKET-HEADER DETAILS WINDOW

Q16 - How many HTTP GET request messages did your browser send? To which
Internet addresses were these GET requests sent?

Answer: There were 3 HTTP GET messages sent.
These were the IPs to which these packets were sent -
1. Internet Protocol Version 4, Src: 192.168.1.9, Dst: 128.119.245.12
2. Internet Protocol Version 4, Src: 192.168.1.9, Dst: 128.119.245.12
3. Internet Protocol Version 4, Src: 192.168.1.9, Dst: 128.119.240.90

Q17 - Can you tell whether your browser downloaded the two images serially, or
whether they were downloaded from the two web sites in parallel? Explain.

Answer: The downloads occurred serially.

                REQUEST PACKET    RESPONSE PACKET
First image:    8                 14
Second image:   19                186

HTTP Authentication

HTTP authentication can be understood by using a password-protected site:

1. Make sure your browser’s cache is cleared, as discussed above, and
close down your browser. Then, start up your browser.
2. Start up the Wireshark packet sniffer.
3. Enter the following URL into your browser:
http://gaia.cs.umass.edu/wireshark-labs/protected_pages/HTTP-wireshark-file5.html
Type the requested user name and password into the pop-up box.
4. Stop Wireshark packet capture, and enter “http” in the
display-filter-specification window, so that only captured HTTP messages will be
displayed later in the packet-listing window.

The username (wireshark-students) and password (network) that you entered are
encoded in the string of characters (Authorization: Basic
d2lyZXNoYXJrLXN0dWRlbnRzOm5ldHdvcms=\r\n) in the client’s HTTP GET
message.

QUESTIONS RELATED TO THE INFORMATION DISPLAYED IN THE
PACKET-HEADER DETAILS WINDOW

Q18 - What is the server’s response (status code and phrase) in response to the
initial HTTP GET message from your browser?

Answer: HTTP/1.1 401 Unauthorized\r\n
[Expert Info (Chat/Sequence): HTTP/1.1 401 Unauthorized\r\n]
[HTTP/1.1 401 Unauthorized\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Version: HTTP/1.1
Status Code: 401
Response Phrase: Unauthorized

Q19 - When your browser sends the HTTP GET message for the second
time, what new field is included in the HTTP GET message?

Answer: The second HTTP GET includes an Authorization: Basic field.
Authorization: Basic d2lyZXNoYXJrLXN0dWRlbnRzOm5ldHdvcms=\r\n
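
As an added example (not part of the original lab), the following Python parses a constructed copy of the browser's second GET from Q19, decodes the Basic credential to show that base64 is reversible encoding rather than encryption, and flags the request as having exposed the credential when it was carried over plain HTTP, which is the check a network monitor would apply to such a capture. The request text, the function names and the over_tls flag are assumptions of this example.

```python
import base64
import binascii

# Constructed copy of the browser's second GET from Q19 (CRLF line endings, only
# the headers needed here); the Authorization value is the one captured in the lab.
SAMPLE_REQUEST = (
    "GET /wireshark-labs/protected_pages/HTTP-wireshark-file5.html HTTP/1.1\r\n"
    "Host: gaia.cs.umass.edu\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Authorization: Basic d2lyZXNoYXJrLXN0dWRlbnRzOm5ldHdvcms=\r\n"
    "\r\n"
)

def parse_request(raw):
    """Split an HTTP/1.x request into (request_line, {lower-case name: value})."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # names are case-insensitive
    return lines[0], headers

def decode_basic(value):
    """Return (user, password) from a 'Basic <base64>' value, or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in text:          # RFC 7617: user-id ":" password
        return None
    user, _, password = text.partition(":")
    return user, password

def audit_request(raw, over_tls=False):
    """Flag a captured request whose Basic credential travelled in cleartext.

    over_tls is an assumed input: whether the capture came from an HTTPS
    connection. Only the user name is reported; the password stays out of logs.
    """
    _, headers = parse_request(raw)
    creds = decode_basic(headers.get("authorization", ""))
    if creds is None:
        return {"basic_auth": False, "exposed": False}
    return {"basic_auth": True, "user": creds[0], "exposed": not over_tls}
```
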
