Wireshark Tutorial 1


8/13/2019 Wireshark Tutorial 1

Wireshark Tutorial: Tracing HTTP with Wireshark

1. Preparing the Browser

Most web browsers are configured to display a home page when the browser is first started. This home page has an undesirable effect when attempting to analyze the packets sent by the web browser: it causes a flurry of network packets to be sent as soon as the browser is opened. This amounts to extra data being captured that has nothing to do with the web site being analyzed. To avoid this, set the web browser's home page to blank. This can easily be done using the browser preferences menu in Firefox, which is shown in Figure 1.

Figure 1: Internet Explorer Preferences

As seen in Figure 1, Internet Explorer can be configured to use a blank home page by clicking the Use Blank Page button.


To set the home page to blank in Internet Explorer, use the Internet Options menu. This option is located under the Tools menu.

Now that the browser is set up, Wireshark can be started. When Wireshark is started, it will appear similar to Figure 2.

Figure 2: Wireshark

Now that Wireshark has been started, it is time to use it to monitor HTTP traffic. This will be covered in the next sections.

2. Select an Interface

Before packets can be captured with Wireshark, Wireshark must be told which interface the packets should be captured from. This will most likely be the Ethernet card. However, if a dial-up modem connection is being used, then that connection should be specified as the interface. Select the Interfaces... option of the Capture menu. Wireshark will now appear as the image in Figure 3.


Figure 3: Select an Interface

Once the correct interface is found, notice the Capture button next to the interface. As mentioned previously, the browser's home page should be set to blank and the browser's cache cleared. Once these steps have been performed, the Capture button can be pressed. This will begin the process of capturing packets.

3. Capturing Packets

Once the Capture button has been pressed, packet capture will begin. Capturing packets is the main task usually performed by a network analyzer. The term capture may be a bit misleading: the packets are left as they are and are not taken out of the network stream. Rather, the packets are spied upon as they pass.

These packets will contain the HTTP requests and responses being transferred between the web browser and the desired web server. While capturing packets, Wireshark will appear as the image in Figure 4.


Figure 4: Capturing Packets

Now that packets are being captured, the browser should be started. Proceed to the following URL: http://www.ietf.org

Once the web page has completely displayed, close the web browser. Now select Wireshark. Wireshark will now appear as the image in Figure 5.


Figure 5: Captured Packets

As can be seen from Figure 5, there are quite a few packets! To find the ones of interest, we will create a filter.

4. Filtering Packets

Look at Figure 5. Notice the Protocol column. This column contains a few packets of the type HTTP. These are the packets that are of interest. We will filter out all other packets.

To create a filter, click on the Expression... button. This will display the image in Figure 6.


Figure 6: Filter Options

From this window choose HTTP (highlight it) from the Field Name list, and "is present" from the Relation list. Once these two are chosen, click OK. This will return you to the packet list screen, seen in Figure 5.

At this point all of the packets are still visible. This is because no filtering has yet taken place. To use the filter, click the Apply button near the Expression button that was clicked to create the filter. Once the filter is applied, there will be considerably fewer packets. Figure 7 shows the filtered packet list. Only HTTP packets will be left.

You can also filter by typing HTTP in the Filter field and clicking the Apply button.


Figure 7: Filtered to Only HTTP Packets

5. Examining an HTTP Request

We will now examine an HTTP request in greater detail. Click on the first row, as seen in Figure 7. The middle pane should be resized to be larger so that the HTTP headers can be seen. This will result in Figure 8 appearing.


Figure 8: The Parts of an HTTP Request Packet

As can be seen in Figure 8, the packet is broken into the following sections:

Frame 433
Ethernet II
Internet Protocol (IP)
Transmission Control Protocol (TCP)
Hypertext Transfer Protocol (HTTP)

Of these, the only one that is important here is the HTTP part of the packet. Clicking the plus (+) next to this section will expand it. After expanding, the HTTP part of the packet is seen as in Figure 9.


Figure 9: An HTTP Request

The HTTP headers for this GET request can be seen in Figure 9.

6. Examining an HTTP Response

HTTP responses can also be examined using Wireshark. Figure 10 shows one of the response packets from above.


Figure 10: An HTTP Response

As seen in Figure 10, a different set of headers comes back from the server.
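To make concrete what sections 3 to 6 describe (the layer breakdown of Figure 8, the HTTP display filter of section 4, and the request and response headers of Figures 9 and 10), here is an added Python example that is not part of the tutorial: it dissects a few constructed Ethernet frames into the same layers Wireshark shows and keeps only those carrying an HTTP message, which is what the filter does. The frames, addresses and HTTP messages are made up for the example (the request targets www.ietf.org as in section 3; checksums are left at zero).

```python
import struct

# Constructed sample traffic (not a real capture): a client at 192.168.1.10 talking to port 80.
GET_REQ = b"GET / HTTP/1.1\r\nHost: www.ietf.org\r\nUser-Agent: example\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"

def build_frame(payload, sport, dport, flags=0x18):
    """Wrap a TCP payload in minimal Ethernet II / IPv4 / TCP headers (checksums left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return eth + ip + tcp + payload

def dissect(frame):
    """Split one frame into the layers Wireshark's middle pane shows: Ethernet II, IP, TCP, HTTP."""
    layers = {"Ethernet II": {"type": struct.unpack("!H", frame[12:14])[0]}}
    if layers["Ethernet II"]["type"] != 0x0800:      # not IPv4 (e.g. ARP): nothing more to dissect
        return layers
    ihl = (frame[14] & 0x0F) * 4
    layers["IP"] = {"proto": frame[23], "src": ".".join(map(str, frame[26:30])),
                    "dst": ".".join(map(str, frame[30:34]))}
    if layers["IP"]["proto"] != 6:                   # not TCP: no HTTP possible
        return layers
    off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    payload = frame[off + (frame[off + 12] >> 4) * 4:]
    layers["TCP"] = {"sport": sport, "dport": dport, "payload_len": len(payload)}
    # The http display filter matches only segments whose payload parses as an HTTP message,
    # so a bare handshake segment (SYN, no payload) on port 80 is NOT kept.
    start = payload.split(b"\r\n", 1)[0]
    if start.startswith(b"HTTP/1.") or start.endswith((b" HTTP/1.0", b" HTTP/1.1")):
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii", "replace").split("\r\n")
        headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
        layers["HTTP"] = {"start_line": lines[0], "headers": headers, "body": body}
    return layers

def filter_http(frames):
    """Equivalent of typing http in the Filter field and clicking Apply."""
    return [d for d in map(dissect, frames) if "HTTP" in d]

FRAMES = [
    b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x06" + b"\x00" * 28,  # ARP broadcast
    build_frame(b"", 51000, 80, flags=0x02),   # TCP SYN: part of the connection, not HTTP
    build_frame(GET_REQ, 51000, 80),           # the request, as in Figure 9
    build_frame(RESP, 80, 51000),              # the response, as in Figure 10
]
```

Calling `filter_http(FRAMES)` drops the ARP frame and the SYN segment and returns the two dissected HTTP frames with their start lines, headers and bodies, mirroring the filtered list of Figure 7.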