HTTP(S) exchange analysis using Wireshark

Wireshark is a tool that allows to scan network packets and make analysis of network connection without direct access to server or client. Today we will show simple method to analyse TCP connections using this tool.

TCP connection is composed of many IP packets, connected by common strem index number. You can select particular TCP stream using Analyze / Follow TCP stream option or directly select given stream by it's index:

tcp.stream eq 9

If you want track every opened connection you can check 1st packet of every TCP stream opened to particular server IP (213.75.34.114 in our example):

tcp.flags.syn==1 and tcp.flags.ack==0 and ip.dst == 213.75.34.114

Note that with HTTP/1.1 things may be more complicated as this protocol supports "Persistent/Keep Alive" mode that allows multiple requests over one connection, so you may see only one packet with "tcp.flags.syn==1 and tcp.flags.ack==0". In order to scan full exchange you have to analyse protocol contents for request / response pairs.

Another complication is HTTPS (HTTP over SSL layer) – you won't be able even to count requests (if using "Keep Alive" mode). In this scenario you have to check traffic after HTTPS node or just inspect server logs.

This entry was posted in en and tagged . Bookmark the permalink.