Hypertext Transfer Protocol (HTTP) with Wireshark

Introduction to HTTP

The Hypertext Transfer Protocol (HTTP) is the protocol that is used to request and serve web content. HTTP is a plaintext protocol that runs on port 80. However, efforts to increase the security of the internet have pushed many websites to use HTTPS, which encrypts traffic using TLS and serves it over port 443.

HTTP in Wireshark

HTTP traffic shows up as a light green in Wireshark and can be filtered using http. However, since HTTP runs over TCP and http only shows packets using the HTTP protocol, this can miss many of the packets associated with the session because they are TCP packets (SYN, ACK and so on). Wireshark reassembles all of the actual data packets containing a particular webpage and displays it within the packet labeled as the HTTP response.

The image above shows the structure of an HTTP request in Wireshark. This includes the requested URL and a variety of different HTTP headers, including the host, user-agent and several others. These headers are under the control of the user and are intended for use by the server, so they can be modified by an attacker who controls both ends of the connection, making them ideal for passing data during an attack.

The image above shows the structure of an HTTP response in Wireshark. It is very similar to that of an HTTP request, except that it substitutes an HTTP response message for the URL and uses a different collection of headers. The actual data being carried by the HTTP protocol (the requested web page) is encapsulated within the data section of the HTTP packet.

HTTP analysis for incident response

Since HTTP is used for requesting and serving webpages, it is the most common type of traffic present on most networks and is not (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: