Wireshark Tutorial 1
-
Upload
tyson-loveless -
Category
Documents
-
view
228 -
download
0
Transcript of Wireshark Tutorial 1
-
8/13/2019 Wireshark Tutorial 1
1/10
Wireshark Tutorial: Tracing HTTP with Wireshark
1. Preparing the Browser
Most web browsers are configured to display a home page when the browser is first
started. This home page will have an undesirable effect when attempting to analyze packetssent by the web browser. The homepage will cause a flurry of network packets to be sentwhen the web browser is first opened. This amounts to extra data being captured that has
nothing to do with the web site being analyzed. To avoid this, set the web browsers home
page to blank. This can easily be done using the browser preferences menu in Firefox,
which is shown in Figure 1
Figure 1: Internet Explorer Preferences
As seen in Figure 1, Internet Explorer can be configured to use a blank homepage by
clicking the Use Blank Page button.
-
8/13/2019 Wireshark Tutorial 1
2/10
To set the home page to blank in Internet Explorer use the Internet Options menu. This
option is located under the tools menu.
Now that the browser is set up, WireShark can be started. When WireShark is started, it
will appear similar to Figure 2
Figure 2: WireShark
Now that WireShark has been started, it is time to use it to monitor HTTP traffic. This
will be covered in the next sections.
2. Select an Interface
Before packets can be captured with WireShark, WireShark must be told what interfacethe packets should be captured from. This will most likely be the Ethernet card. However, if
a dial-up modem connection is being used, then it should be specified that as the interface.
Select the Interfaces... option of the Capture menu. WireShark will now appear as theimage in Figure 3.
-
8/13/2019 Wireshark Tutorial 1
3/10
Figure 3: Select an Interface
Once the correct interface is found, notice its Capture button next to the interface. As
mentioned previously, the browsers home page should be set to blank and the browserscache cleared. Once these steps have been preformed the Capture button can be pressed.
This will begin the process of capturing packets.
3. Capturing Packets
Once the Capture button has been pressed, packet capture will begin. Capturing packets
is the main task usually performed by a network analyzer. The term capture may be a bit
misleading. The packets are left as is and are not taken out of the network stream. Rather
the packets are spied upon.
These packets will contain the HTTP requests and responses being transferred between
the web browser and the desired web server. While capturing packets, WireShark will
appear as the image in Figure 4.
-
8/13/2019 Wireshark Tutorial 1
4/10
Figure 4: Capturing Packets
Now that packets are being captured the browser should be started. Proceed to the
following URL: http://www.ietf.org
Once the web page has completely displayed, close the web browser. Now select
WireShark. WireShark will now appear as the image in Figure 5.
-
8/13/2019 Wireshark Tutorial 1
5/10
Figure 5: Captured Packets
As can be seen from Figure 5, there are quite a few packets! a filter.
4. Filtering PacketsLook at Figure 5. Notice the Protocol column. This column contains a few packets of
the type HTTP. These are the packets that are of interest. We will filter out all other packets.
To create a filter, click on the Expression? button. This will display the image in Figure 6.
-
8/13/2019 Wireshark Tutorial 1
6/10
Figure 6: Filter Options
From this window choose HTTP (highlight it) from the Field Name list, and ispresent from the Relation list. Once these two are chosen, click OK. This will return
you to the packet list screen, seen in Figure 5.
At this point all of the packets are still visible. This is because no filtering has yet taken
place. To use the filter, click the Apply button near the Expression button that wasclicked to create the filter. Once the filter is applied, there will be considerably fewer
packets. Figure 7 shows the filtered packet list. Only HTTP packets will be left.
You can also filter by typing HTTP in the Filter field and clicking the Apply button.
-
8/13/2019 Wireshark Tutorial 1
7/10
Figure 7: Filtered to Only HTTP Packets
5. Examining a HTTP Request
We will now examine an HTTP request in greater detail. Click on the first row, as seen inFigure 7. The middle pane should be resized to be larger so that the HTTP headers can be
seen. This will result in Figure 8 appearing.
-
8/13/2019 Wireshark Tutorial 1
8/10
Figure 8: The Parts of an HTTP Request Packet
As can seen in Figure 8 the packet is broken into the following sections:
Frame 433 Ethernet II Internet Protocol (IP) Transmission Control Protocol (TCP) Hypertext Transfer Protocol (HTTP)
Of these, the only one that is important is the HTTP part of the packet. Clicking the plus
(+) next to this section will expand it. After expanding, the HTTP part of the packet is seen
as in Figure 9.
-
8/13/2019 Wireshark Tutorial 1
9/10
Figure 9: An HTTP Request
The HTTP headers for this GETrequest can be seen in Figure 9.
6. Examining an HTTP Response.
HTTP responses can also be examined using WireShark. Figure 10 shows one of the
response packets from above.
-
8/13/2019 Wireshark Tutorial 1
10/10
Figure 10: An HTTP Response
As seen in Figure 10 there are a different set of headers that come back from the server.