Wireshark 101: Hypertext Transfer Protocol

Today on HakTip, Shannon explains Hypertext Transfer Protocol and packet headers in Wireshark.

HTTP stands for Hypertext Transfer Protocol. This is another common upper-layer protocol that you'll run into from time to time in Wireshark. Specifically, HTTP sits at Layer 7 of the OSI model. HTTP lets your web browser connect to a server so you can view a website. So when you go to hak5.org or youtube.com or anything in between, you're using HTTP.

Every HTTP packet you view is going to vary a lot depending on where on the internet you're heading. So let's take a look at a few of these HTTP packet headers so you can see some similarities.

First off you'll have a short GET request, once communication is set up between you and the website's server. The packet comes in over TCP port 80, with request method GET and requested version HTTP/1.1. We're trying to GET the web directory of the server using HTTP version 1.1. A little lower is the User-Agent info, which tells the server what kind of info my computer can accept.

After this packet, the server will send TCP acknowledgments to you, and from there on out HTTP will be used for application-layer commands.

Once TCP is done, HTTP will give you another packet that says "Response code 200". This means you've had a successful request.

When we need to upload data to a web server, such as when you post a tweet or type to someone in IRC, you are creating a POST packet via HTTP in Wireshark. These need a three-way handshake (request - response - OK) from client to server. This packet will be labeled as a POST packet, and the Line-based text data will show you the contents of the data posted. Status code 302 means FOUND, which will happen once the connection has been made.
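To see how the fields discussed above (request method, requested URI, version, User-Agent, the 200 and 302 status codes, and the Line-based text data of a POST) are laid out inside the TCP payload Wireshark decodes, here is a small parser written for this article; it is not code from the episode, and the four captured-looking messages are constructed samples.

```python
"""Parse the HTTP/1.1 fields Wireshark shows in its packet details pane.
The sample messages at the bottom are constructed for this example."""
from dataclasses import dataclass, field


@dataclass
class HttpMessage:
    kind: str                       # "request" or "response"
    method: str = ""                # GET / POST (requests only)
    uri: str = ""                   # requested path (requests only)
    version: str = ""               # e.g. HTTP/1.1
    status: int = 0                 # 200, 302, ... (responses only)
    headers: dict = field(default_factory=dict)
    body: str = ""                  # what Wireshark labels Line-based text data


def parse_http(raw: bytes) -> HttpMessage:
    """Split one HTTP message (as carried in a TCP payload) into its parts."""
    head, _, body = raw.partition(b"\r\n\r\n")   # blank line ends the headers
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ", 2)
    if start[0].startswith("HTTP/"):            # response: version status reason
        msg = HttpMessage("response", version=start[0], status=int(start[1]))
    else:                                        # request: method uri version
        msg = HttpMessage("request", method=start[0], uri=start[1], version=start[2])
    for line in lines[1:]:                       # "Name: value" header lines
        name, _, value = line.partition(":")
        msg.headers[name.strip().lower()] = value.strip()
    # Only as many body bytes as Content-Length announces belong to this message
    length = int(msg.headers.get("content-length", len(body)))
    msg.body = body[:length].decode("iso-8859-1", errors="replace")
    return msg


def summarize(raw: bytes) -> str:
    """One-line summary in the style of Wireshark's Info column."""
    m = parse_http(raw)
    return f"{m.method} {m.uri} {m.version}" if m.kind == "request" else f"{m.version} {m.status}"


# Constructed samples: a GET and its 200 reply, then a POST and a 302 reply
GET_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
               b"User-Agent: Mozilla/5.0 (example)\r\nAccept: text/html\r\n\r\n")
OK_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               b"Content-Length: 13\r\n\r\n<html></html>")
POST_REQUEST = (b"POST /update HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 19\r\n\r\nstatus=hello+world!")
FOUND_RESPONSE = b"HTTP/1.1 302 Found\r\nLocation: /home\r\nContent-Length: 0\r\n\r\n"
```

Run `summarize(GET_REQUEST)` to get `GET / HTTP/1.1`, the same text Wireshark puts in its Info column for that packet.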

Let me know what you think. Send me a comment below or email us at tips@hak5.org. And be sure to check out our sister show, Hak5 for more great stuff just like this. I'll be there, reminding you to trust your technolust.