Before we get started, let’s briefly review the TCP three-way handshake and four-way termination, along with the HTTP request methods.


The operation of HTTP is actually quite simple. First, the client initiates a request to the server, which then responds. Depending on the scenario, the client may use different methods such as GET, POST, PUT, and HEAD in its requests.
Next, we will use packets captured by Wireshark to explore how HTTP works.

As shown in the image above, these packets were captured while 10.1.1.101 accessed http://10.1.1.1:80/.
Since the HTTP protocol is implemented on top of TCP, a complete HTTP request and response mainly go through three stages: the three-way handshake, data transfer (request & response), and four-way termination. Let’s dissect it layer by layer.

Because the HTTP protocol is based on TCP, the exchange starts with a three-way handshake. It can be seen that the client address is 10.1.1.101 with port 3177, and the server address is 10.1.1.1 with port 80. Once the connection is established via the handshake, requests can be sent to the server.

In packet 4 shown in the above screenshot, the client sends a “GET / HTTP/1.1” request to the server, meaning it is sending a request via HTTP protocol version 1.1. The contents of the protocol packet are as follows.

Through the captured packets, it is clear that the request method is GET, along with some client environment information and associated request info. Pay special attention to Response in frame: 6, which indicates that the response packet for the request is packet 6. Next, we will open packet 6 to examine the response content.

Packet 6 is the server’s response to the client’s request, delivering the response page content to the client. The image above indicates that the response is an HTML page, with content clearly visible.

As illustrated above, the four packets of the connection termination, numbered 7, 8, 9, and 11, can be seen. The Info column shows the flag bits for these packets as [FIN, ACK], [ACK], [FIN, ACK], and [ACK], respectively. Below, we will analyze the TCP four-way termination packets one by one.

Source port 80 sends a FIN datagram to destination port 3177, with a sequence number of 436 and acknowledgment number of 477. The Flags branch shows that this packet’s flags are FIN, ACK. Among them, the ACK and FIN flag bits are set to 1, while others are set to 0.

As shown above, from the TCP protocol layer, the source port is 3177, the destination port is 80, the sequence number is 477, and the acknowledgment number is 437. From the Flags branch, it can be seen that the current packet’s flags are ACK, with the ACK flag being set to 1, while other flags are set to 0.

As illustrated, from the IP protocol layer, the source address is 10.1.1.101 and the destination IP address is 10.1.1.1. From the TCP protocol layer, the source port is 3177, destination port is 80, sequence number is 477, and acknowledgment number is 437. The Flags branch shows that this packet’s flags are FIN, ACK, with both ACK and FIN flags set to 1, while other flags are set to 0.

As shown in the diagram above, the source port is 80, the destination port is 3177, the sequence number is 437, and the acknowledgment number is 478. From the Flags branch, it can be seen that this packet’s flag is ACK, with the ACK flag set to 1, and other flags set to 0.
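
The sequence and acknowledgment numbers in these four packets can be checked mechanically: each FIN occupies one sequence number, so the peer's ACK must equal the FIN's sequence number plus one. The following is an added example, not part of the original post; `Seg` and `check_teardown` are hypothetical names, the segment list is constructed from the values quoted above, and a payload length of 0 is assumed.

```python
from collections import namedtuple

# One TCP segment: frame number, ports, seq/ack numbers, flag set, payload bytes.
Seg = namedtuple("Seg", "no sport dport seq ack flags length")

# Constructed from the values quoted in the text for packets 7, 8, 9 and 11.
# Payload length 0 is an assumption; the page does not state it.
TEARDOWN = [
    Seg(7, 80, 3177, 436, 477, {"FIN", "ACK"}, 0),
    Seg(8, 3177, 80, 477, 437, {"ACK"}, 0),
    Seg(9, 3177, 80, 477, 437, {"FIN", "ACK"}, 0),
    Seg(11, 80, 3177, 437, 478, {"ACK"}, 0),
]


def check_teardown(segs):
    """Return (status, notes); status is 'closed', 'half-closed', 'open' or 'reset'."""
    fin_end = {}       # sender port -> ack value that confirms its FIN
    confirmed = set()  # sender ports whose FIN the peer has acknowledged
    notes = []
    for s in segs:
        if "RST" in s.flags:
            notes.append(f"packet {s.no}: RST from port {s.sport}, abortive close")
            return "reset", notes
        # Does this segment acknowledge a FIN previously sent by the peer?
        want = fin_end.get(s.dport)
        if "ACK" in s.flags and want is not None and s.dport not in confirmed:
            if s.ack == want:
                confirmed.add(s.dport)
                notes.append(f"packet {s.no}: ack {s.ack} confirms FIN from port {s.dport}")
            else:
                notes.append(f"packet {s.no}: ack {s.ack}, expected {want}")
        if "FIN" in s.flags and s.sport not in fin_end:
            # A FIN occupies one sequence number after any payload it carries.
            fin_end[s.sport] = s.seq + s.length + 1
            notes.append(f"packet {s.no}: FIN from port {s.sport}, seq {s.seq}")
    if len(confirmed) == 2:
        return "closed", notes
    return ("half-closed" if fin_end else "open"), notes


if __name__ == "__main__":
    status, notes = check_teardown(TEARDOWN)
    print(status)
    print("\n".join(notes))
```

A capture that ends in `half-closed` or `reset` instead of `closed` is worth a second look when reviewing traffic, since it means one side never finished the orderly termination described above.
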
With Wireshark’s “Display Packet Bytes” feature, the HTTP response content is easily visible.

The above screenshot shows the packet data for downloading images analyzed via Wireshark. With the “Display Packet Bytes” feature in Wireshark, the image content can be easily viewed.

With Wireshark’s “Display Packet Bytes” feature, it’s easy to see the HTML content the server responds with to the client.
For those interested, learning from books can only take you so far; I hope you will try it yourself with Wireshark.
This Wireshark walkthrough ends here. To avoid errors, numerous documents, books, and official materials were consulted and compiled for it. I hope it can be of help.