analyze web traffic - wordpress.com...9 browser web traffic pcap analysis i have pcap for...



Post on 20-Jun-2020



Analyze WEB traffic

This document is intended for beginners to understand the web traffic flow from a browser point of view.


TABLE OF CONTENTS

Web Traffic Analysis on browser

Web Traffic Analysis using Wireshark


Browser Web Traffic Analysis

➢ Most browser traffic is HTTP traffic

➢ Beginners should understand these basic HTTP methods and response codes

HTTP methods:

➔ GET

➔ POST

➔ PUT

➔ CONNECT

HTTP response codes:

➔ 1XX Informational

➔ 2XX Success

➔ 3XX Redirection

➔ 4XX Client error

➔ 5XX Server error


Launch Chrome -> go to Settings -> More tools -> Developer tools


Type in the URL

• In this example I entered cacert.org. Before any request is sent, the machine queries for the cacert.com IP address. You will see it in the packet capture section.

• Since I didn't specify https, the browser by default treats it as an http request and sends my request.

You see a 302 redirection from the OCS, and the Location address is http://www.cacert.org


• Browser’s next request would be http://www.cacert.org

• OCS responds with 200 OK
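The request/redirect/response exchange above, written out as both sides' messages and checked programmatically. This is an added example, not part of the original document; the message heads are constructed from the description, and the helper names `parse_head` and `trace` are hypothetical.

```python
from urllib.parse import urljoin

# Constructed message heads modelled on the exchange described above; headers
# other than Host and Location are illustrative assumptions.
EXCHANGES = [
    (b"GET / HTTP/1.1\r\nHost: cacert.org\r\n\r\n",
     b"HTTP/1.1 302 Found\r\nLocation: http://www.cacert.org\r\n"
     b"Content-Length: 0\r\n\r\n"),
    (b"GET / HTTP/1.1\r\nHost: www.cacert.org\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"),
]

CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
           4: "Client error", 5: "Server error"}


def parse_head(raw):
    """Split a raw HTTP message into (start-line parts, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    first, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return first.split(" ", 2), headers


def trace(exchanges, scheme="http"):
    """Return (method, url, status, class, follows_previous_redirect) per hop."""
    steps, expected = [], None
    for req, resp in exchanges:
        (method, target, _), req_h = parse_head(req)
        (_, code, _), resp_h = parse_head(resp)
        status = int(code)
        url = urljoin(f"{scheme}://{req_h['host']}", target)
        # Does this request go where the previous Location header pointed?
        follows = expected is None or url.rstrip("/") == expected.rstrip("/")
        location = resp_h.get("location") if status // 100 == 3 else None
        expected = urljoin(url, location) if location else None
        steps.append((method, url, status, CLASSES[status // 100], follows))
    return steps


if __name__ == "__main__":
    for step in trace(EXCHANGES):
        print(step)
```
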


Click on Response -> you see the content returned for the HTTP request.

The HTML contains all the different pieces that form the web page.


Based on the HTML response, the browser sends subsequent requests to get the contents of the web page.


Browser Web Traffic PCAP Analysis

I have a pcap for iambest.com. The example below shows the traffic flow.

When you enter “iambest.com”, your machine first looks up its IP address. My DNS is set to 192.168.1.1. To view your DNS server, go to the command prompt and type ipconfig /all

• DNS query is sent to 192.168.1.1 for iambest.com

• DNS server replies with an IP address for iambest.com

Next, your machine tries to find out whether the destination server is reachable and listening on port 80 or 443, depending on what you enter in the browser (e.g. http://iambest.com or https://iambest.com).

This is called the TCP three-way handshake. If you do not receive the SYN-ACK (the 2nd packet), a firewall could be blocking the connection or the destination server is not ready to accept any requests.
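The handshake check described above can be automated over exported packet rows. This is an added example, not part of the original document: the packet rows are constructed, the client and server addresses are assumptions, and `classify_handshakes` is a hypothetical helper. It goes slightly beyond the text by separating a silent drop (no reply to repeated SYNs) from an explicit reset.

```python
# Constructed rows (time_s, src, sport, dst, dport, tcp_flags) in the shape of a
# capture export; the client and server addresses are assumptions.
PACKETS = [
    (0.000, "192.168.1.10", 50001, "203.0.113.5", 80, "S"),
    (0.030, "203.0.113.5", 80, "192.168.1.10", 50001, "SA"),
    (0.031, "192.168.1.10", 50001, "203.0.113.5", 80, "A"),
    (1.000, "192.168.1.10", 50002, "203.0.113.6", 443, "S"),
    (2.000, "192.168.1.10", 50002, "203.0.113.6", 443, "S"),  # SYN retransmission
    (4.000, "192.168.1.10", 50002, "203.0.113.6", 443, "S"),  # SYN retransmission
    (5.000, "192.168.1.10", 50003, "203.0.113.7", 80, "S"),
    (5.020, "203.0.113.7", 80, "192.168.1.10", 50003, "RA"),
]


def classify_handshakes(packets):
    """Map each client SYN 4-tuple to (verdict, number_of_SYNs_sent)."""
    events = {}
    for _, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        bits = set(flags)
        if bits == {"S"}:                        # 1st packet, or a retry of it
            events.setdefault(fwd, []).append("SYN")
        elif rev in events and bits == {"S", "A"}:
            events[rev].append("SYN-ACK")        # 2nd packet of the handshake
        elif rev in events and "R" in bits:
            events[rev].append("RST")            # attempt was reset
        elif fwd in events and bits == {"A"} and "SYN-ACK" in events[fwd]:
            events[fwd].append("ACK")            # 3rd packet completes it
    result = {}
    for conn, ev in events.items():
        if "ACK" in ev:
            verdict = "established"
        elif "RST" in ev:
            verdict = "reset"       # port closed or connection actively rejected
        elif "SYN-ACK" in ev:
            verdict = "half-open"   # server answered, client never sent the ACK
        else:
            verdict = "no-reply"    # SYN dropped (filtering) or host not answering
        result[conn] = (verdict, ev.count("SYN"))
    return result


if __name__ == "__main__":
    for conn, (verdict, syns) in classify_handshakes(PACKETS).items():
        print(conn, verdict, f"SYNs={syns}")
```
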


Once the TCP three-way handshake is complete, HTTP requests are sent as below.

You will see your GET and 200 OK response.

Note: I have shown the cacert.com example in the browser and the iambest.com example in the pcap. This is to encourage you to perform a pcap on your machine for cacert.com and do an analysis for iambest.com in your browser.