Table of Contents for
Packet Analysis with Wireshark

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Packet Analysis with Wireshark by Anish Nath Published by Packt Publishing, 2015
  1. Cover
  2. Table of Contents
  3. Packet Analysis with Wireshark
  4. Packet Analysis with Wireshark
  5. Credits
  6. About the Author
  7. About the Reviewers
  8. www.PacktPub.com
  9. Preface
  10. What you need for this book
  11. Who this book is for
  12. Conventions
  13. Reader feedback
  14. Customer support
  15. 1. Packet Analyzers
  16. Introducing Wireshark
  17. Other packet analyzer tools
  18. Summary
  19. 2. Capturing Packets
  20. Troubleshooting
  21. Wireshark user interface
  22. Wireshark features
  23. Tcpdump and snoop
  24. References
  25. Summary
  26. 3. Analyzing the TCP Network
  27. TCP connection establishment and clearing
  28. TCP data communication
  29. TCP close sequence
  30. Lab exercise
  31. TCP troubleshooting
  32. TCP latency issues
  33. Wireshark TCP sequence analysis
  34. References
  35. Summary
  36. 4. Analyzing SSL/TLS
  37. The SSL/TLS handshake
  38. Key exchange
  39. Decrypting SSL/TLS
  40. Debugging issues
  41. Summary
  42. 5. Analyzing Application Layer Protocols
  43. BOOTP/DHCP
  44. DNS
  45. HTTP
  46. References
  47. Summary
  48. 6. WLAN Capturing
  49. Analyzing the Wi-Fi networks
  50. Wi-Fi sniffing products
  51. Summary
  52. 7. Security Analysis
  53. The DOS attack
  54. Scanning
  55. ARP duplicate IP detection
  56. DrDoS
  57. BitTorrent
  58. Wireshark protocol hierarchy
  59. Summary
  60. Index

HTTP

HTTP is an application layer protocol used in WWW. HTTP enables communications between the HTTP client and HTTP server. Example traffic is shown in the following screenshot. An HTTP GET request is created by the client (browser or cURL), and the HTTP server has responded with the appropriate content type:

HTTP

HTTP Wireshark filter

Use http to display HTTP packets only. Use TCP port 80 to filter for HTTP traffic only; port 80 is the default HTTP port.

HTTP use cases

The following example shows different use cases where Wireshark can help to analyze HTTP packets.

Finding the top HTTP response time

Open the file http_01.pcap in the Wireshark, and find the top HTTP response time for the request HTTP get:

  1. Click on Edit | Preferences | Protocols | TCP, uncheck Allow subdissector to reassemble TCP streams. This will help in knowing how many continuation packets there are to get the actual content and it will help in fine-tuning TCP parameters—for example, setting up the TCP window size to reduce the continuation packet.
  2. In the Filter bar, apply the http filter and add http.time as a column from the http.response.code == 200 HTTP OK packet.
  3. Click on the Time since request column and make it in descending order. Find the request frame and click on the link.
    Finding the top HTTP response time

Finding packets based on HTTP methods

Use Wireshark's http.request.method to display packets for analysis. For example, the following table describes how to apply this filter:

HTTP method

Meaning

Wireshark filter

GET

Get a specified resource example:

GET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1

http.request.method=="GET"

POST

Submits data to be processed to a specified resource

http.request.method=="POST"

PUT

Uploads a representation of the specified URI

http.request.method=="PUT"

DELETE

Deletes the specified resource/entity

http.request.method=="DELETE"

OPTIONS

Returns the HTTP methods that the server supports

http.request.method=="OPTIONS"

CONNECT

Converts the request connection to a transparent TCP/IP tunnel

http.request.method=="CONNECT"

Finding sensitive information in a form post

If the form contains sensitive information such as password, Wireshark can easily reveal it as HTTP is an unsecure means of transferring data over the network.

Open the HTTP_FORM_POST.pcap file and filter the traffic to display only the request method POST and locate the password form item, as shown in the following screenshot:

Finding sensitive information in a form post

Using HTTP status code

The first line of the HTTP response contains the status code. Use the Wireshark filter http.response.code, to display packets based on the status code. This will be helpful when debugging the HTTP client-server interaction:

Type

Code

Meaning

HTTP Wireshark filter

Informational – 1xx

100

Continue

http.response.code == 100

101

Switching protocol

http.response.code == 101

Successful – 2xx

From: 200

To: 206

200

OK

http.response.code == 200

201

Created

http.response.code == 201

Redirection – 3xx

From: 300

To: 307

300

Multiple choices

http.response.code == 300

301

Moved permanently

http.response.code == 301

Client Error – 4xx

From: 400

To: 417

400

Bad Request

http.response.code == 400

401

Unauthorized

http.response.code == 401

Server Error – 5xx

From—500

To-- 505

500

Internal Server Error

http.response.code == 500

501

Not implemented

http.response.code == 501