Learning the HTTP Protocol using Wireshark
Introduction
In our introductory lesson on using Wireshark, we discussed how to download wireshark, start it and look for abnormal data flow using the "Follow Stream" tool within Wireshark. Now we will talk about the HTTP protocol and give a demonstration on what that protocol looks like. Now that we know what tool to use to see the protocol, we are going to analyze the protocol itself. When you are able to know the protocol that's when you are easily able to spot incorrect data flow.
The Layering Aspect
Whenever we run TCP/IP traces there are a number of "layers" we have to consider. These layers are architected to operate that way they do and must follow certain rules. In this article we will start with the rules of TCP/IP before we jump into the HTTP specific protocol. Keep in mind whether it be HTTP or any other protocol, there is always the layering aspect. Look at it as one layer encapsulating another layer because when a Wireshark trace is reviewed, this is exactly what will be seen.
Prerequisite Needs
For the reader, the Wireshark tool must be installed. It is important for the reader to experiment with this tool. Also, before any protocol is considered to be in-session, three things must occur, this is known as the three way handshake. When analyzing Wireshark traces, always look for this for the three way handshake when trying to determine the start of the session for that protocol. NOTE: It the Wireshark trace is started after the session start, then the three way handshake will not show up in the trace. Finally there are two other TCP/IP layer events that happen to end the session known as FIN or RST. Everything in the trace seen between the connection open and end, is the protocol. This is the way the TCP/IP Layer encapsulates different protocols. Finally it is assumed the prior article was reviewed and understood.
Run a Trace To Bing
Start up WireShark and then navigate to Bing. Find the session and 'follow the stream'. You should see the three way handshake in the trace as follows:
** **