Analyze WEB traffic
This document is intended for beginners to understand the web traffic flow from a browser point of view.
TABLE OF CONTENTS
Web Traffic Analysis on browser ........ page 2
Web Traffic Analysis using Wireshark .... page 9
Browser Web Traffic Analysis
➢ Most browser traffic is HTTP (sent in the clear on port 80, or inside TLS as HTTPS on port 443)
➢ Beginners should first understand these basic HTTP methods and response code classes
HTTP methods:
➔ GET (fetch a resource; this is what a browser sends when you type a URL)
➔ POST (submit data, e.g. a form)
➔ PUT (store a resource at the given URL)
➔ CONNECT (ask a proxy to open a tunnel, used for HTTPS through a proxy)
HTTP response codes:
➔ 1XX Informational
➔ 2XX Success (200 OK)
➔ 3XX Redirection (the Location header tells the browser where to go next)
➔ 4XX Client error (404 Not Found, 403 Forbidden)
➔ 5XX Server error
Launch Chrome -> open the menu -> More tools -> Developer tools (or press F12) and select the Network tab
Type in the URL
• In this example I entered cacert.org. Before any HTTP request is sent, the machine queries DNS for the IP address of
cacert.org. You will see this query in the packet capture section.
• Since I did not type https://, the browser treated it as a plain http request and sent it (note that newer browsers,
Chrome from version 90 on, try https first for a bare hostname, so you may see different first requests).
• The origin server (OCS) answers with a 302 redirect; the Location header points to http://www.cacert.org
• The browser's next request goes to http://www.cacert.org
• The origin server (OCS) responds with 200 OK
Click on Response -> you see the body of the HTTP response.
The HTML references all the other pieces (stylesheets, scripts, images) that make up the web page.
Based on the HTML response, the browser issues further requests to fetch the remaining contents of the web page.
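The flow above (a 302 whose Location header names the next host, then a 200 whose HTML drives the follow-up requests) as an added Python example; this is not code from the slides. The two HTTP responses are constructed to mirror the cacert.org case, the HTML body and the host static.example.net are made up, and fetch() looks responses up in a dictionary where a real client would open a TCP connection:

```python
"""Walk the browser's request flow offline: status-class lookup, 302 handling,
and extraction of the sub-resource URLs a browser would request next.
Added example; RESPONSES is constructed data, not captured traffic."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed responses keyed by URL: the bare host redirects, www serves the page.
RESPONSES = {
    "http://cacert.org/": (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: http://www.cacert.org\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "http://www.cacert.org/": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n\r\n"
        b"<html><head><link rel='stylesheet' href='/styles/main.css'>"
        b"<script src='https://static.example.net/app.js'></script></head>"
        b"<body><img src='/images/logo.png'><a href='/about'>About</a></body></html>"
    ),
}

def status_class(code):
    """Map a status code to the 1XX..5XX class names used on the slides."""
    return {1: "Informational", 2: "Success", 3: "Redirection",
            4: "Client error", 5: "Server error"}.get(code // 100, "Unknown")

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    code = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers, body

class SubResourceParser(HTMLParser):
    """Collect the URLs a browser fetches automatically: img/script/iframe src, link href.
    Plain <a href> links are not fetched until clicked, so they are ignored."""
    def __init__(self, base):
        super().__init__()
        self.base, self.urls = base, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = None
        if tag in ("img", "script", "iframe"):
            url = attrs.get("src")
        elif tag == "link":
            url = attrs.get("href")
        if url:
            self.urls.append(urljoin(self.base, url))  # resolve relative paths

def fetch(url, responses=RESPONSES):
    """Stand-in for the network: a real client would connect to the host here."""
    if url.count("/") == 2:
        url += "/"                                     # http://host -> http://host/
    return parse_response(responses[url])

def browse(url, max_redirects=5):
    """Follow 3XX redirects like a browser; return (hops, final_code, subresources)."""
    hops = [url]
    for _ in range(max_redirects):
        code, headers, body = fetch(url)
        if status_class(code) == "Redirection" and "location" in headers:
            url = urljoin(url, headers["location"])    # Location may be relative
            hops.append(url)
            continue
        parser = SubResourceParser(url)
        parser.feed(body.decode("utf-8", "replace"))
        return hops, code, parser.urls
    raise RuntimeError("too many redirects")

if __name__ == "__main__":
    hops, code, subs = browse("http://cacert.org")
    for h in hops:
        print("request:", h)
    print("final status:", code, status_class(code))
    for u in subs:
        print("next request:", u)
```

Each printed "request:" line corresponds to one row you would see in the Network tab; the "next request:" lines are the rows that appear after the HTML is parsed.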
Browser Web Traffic PCAP Analysis
I have a pcap for iambest.com. The example below shows the traffic flow.
When you enter "iambest.com", your machine first looks up its IP address. My DNS server is set to 192.168.1.1. To view your
DNS server, open a command prompt and type ipconfig /all
• A DNS query for iambest.com is sent to 192.168.1.1 (UDP port 53)
• The DNS server replies with an IP address for iambest.com
Next your machine checks that the destination server is reachable and listening on port 80 or 443, depending on what you
entered in the browser (e.g. http://iambest.com or https://iambest.com).
This is the TCP three-way handshake: your machine sends SYN, the server answers SYN-ACK, your machine completes it with ACK.
If the SYN-ACK (2nd packet) never arrives, a firewall is probably dropping the traffic or the destination host is unreachable;
if the server answers with RST instead, the host is up but nothing is listening on that port.
Once the TCP three-way handshake is complete, the HTTP requests are sent over that connection as below.
You will see your GET and the 200 OK response.
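The handshake check described above as an added Python example, not code from the slides: it reads a classic pcap file, decodes Ethernet/IPv4/TCP headers with the standard library only, and reports per connection whether the SYN got a SYN-ACK, a RST, or nothing. The capture is constructed in the script with build_pcap() so it runs offline; the client 192.168.1.10, the server 203.0.113.10 and the ports are assumptions, not the addresses in my capture. Pass the bytes of a real Wireshark save to analyse() to run it on your own traffic:

```python
"""Check TCP three-way handshakes (SYN, SYN-ACK, ACK) per connection in a pcap.
Added example, not from the slides. The capture is constructed by build_pcap() so
the script runs offline; pass real pcap bytes (e.g. a Wireshark save) to analyse().
Only classic pcap with Ethernet/IPv4/TCP frames is decoded; other packets are skipped."""
import struct
from collections import defaultdict

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10
ETH_IPV4, PROTO_TCP = 0x0800, 6

def parse_packets(data):
    """Yield (src, sport, dst, dport, flags) for every TCP packet in pcap bytes."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    if struct.unpack_from(endian + "I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from(endian + "I", data, off + 8)[0]
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETH_IPV4:
            continue                          # not IPv4
        ihl = (pkt[14] & 0x0F) * 4            # IPv4 header length
        tcp = pkt[14 + ihl:]
        if pkt[23] != PROTO_TCP or len(tcp) < 20:
            continue                          # UDP (e.g. the DNS lookup) or truncated
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (".".join(map(str, pkt[26:30])), sport,
               ".".join(map(str, pkt[30:34])), dport, tcp[13])

def handshake_status(packets):
    """Classify each client->server flow by what answered the client's SYN."""
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        client_key, reply_key = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            flows[client_key].append("SYN")            # client opens
        elif flags & SYN and flags & ACK:
            flows[reply_key].append("SYN-ACK")         # server accepts
        elif flags & RST and reply_key in flows:
            flows[reply_key].append("RST")             # server refuses (port closed)
        elif flags & ACK and "SYN-ACK" in flows.get(client_key, ()):
            flows[client_key].append("ACK")            # client completes
    result = {}
    for key, seq in flows.items():
        if seq[:3] == ["SYN", "SYN-ACK", "ACK"]:
            result[key] = "complete"
        elif "RST" in seq:
            result[key] = "refused (RST)"
        elif set(seq) == {"SYN"}:
            result[key] = "no SYN-ACK (filtered or unreachable)"
        else:
            result[key] = "incomplete"
    return result

def build_pcap(packets):
    """Pack (src, sport, dst, dport, flags) tuples into pcap bytes (constructed data)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for src, sport, dst, dport, flags in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, PROTO_TCP, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = bytes(12) + struct.pack("!H", ETH_IPV4) + ip + tcp  # zeroed MAC addresses
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)

# Constructed capture: 192.168.1.10 is an assumed client, 203.0.113.10 an assumed server.
CLIENT, SERVER = "192.168.1.10", "203.0.113.10"
SAMPLE = build_pcap([
    (CLIENT, 51000, SERVER, 80, SYN),            # port 80: normal handshake ...
    (SERVER, 80, CLIENT, 51000, SYN | ACK),
    (CLIENT, 51000, SERVER, 80, ACK),
    (CLIENT, 51000, SERVER, 80, PSH | ACK),      # ... then the HTTP GET
    (CLIENT, 51001, SERVER, 443, SYN),           # port 443: SYN retransmitted, never answered
    (CLIENT, 51001, SERVER, 443, SYN),
    (CLIENT, 51002, SERVER, 8080, SYN),          # port 8080: host answers with RST
    (SERVER, 8080, CLIENT, 51002, RST | ACK),
])

def analyse(data=SAMPLE):
    return handshake_status(parse_packets(data))

if __name__ == "__main__":
    for (src, sport, dst, dport), status in analyse().items():
        print(f"{src}:{sport} -> {dst}:{dport}  {status}")
```

In Wireshark the same three cases look like this: the complete flow shows [SYN], [SYN, ACK], [ACK] followed by the GET; the filtered flow shows only [SYN] rows (often marked as TCP Retransmission); the refused flow shows [SYN] answered by [RST, ACK]. The filter tcp.flags.syn==1 && tcp.flags.ack==0 lists every connection attempt so you can spot the ones that were never answered.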
Note: I have shown the cacert.org example in the browser and the iambest.com example in the pcap. This is to encourage you
to take a pcap on your machine for cacert.org and do an analysis of iambest.com in your browser.