Exploring Packet Contents with Wireshark
Introduction
I'm going to take a look inside packets using Wireshark 🕵
Method I referenced:
For someone like me who is at a "pre-beginner" level, this video was very easy to understand, so I'm going to follow its lead (/・ω・)/
Let's give it a try
<What we'll do this time>
I will observe what is happening during the communication with http://www.chiseki.go.jp/ 🔍
- Apparently HTTP is easier to understand because it's not encrypted, so I'll use it.
<Preparation>
Install the tool for packet analysis: Wireshark.
<Let's do it!>
1. Perform Packet Capture
The capture method is explained in this video↓, so I will follow it and try capturing for myself📷
- Open the target site (http://www.chiseki.go.jp/) in your browser.
- Select [Ethernet] in Wireshark and start the capture.
- Once started, quickly return to the browser and reload the page.
- After refreshing, return to Wireshark and click the stop button in the top left.
- Apparently, if you don't stop it soon, it will accumulate too many packets.
2. Looking inside the packets
Wireshark's table contains the following information:
| No | Time | Source | Destination | Protocol | Length | Info |
|---|---|---|---|---|---|---|
| Packet No | Time since start of communication | Source IP address | Destination IP address | Protocol | Packet length | Information |
To summarize roughly what is happening here:
- Establishment of connection
- Data transmission/reception
- Disconnection
🦈 Wireshark Quick Tips
If there are many packets and it's hard to see the content, you can filter by "tcp" or "http" in the [display filter] to see interactions in the target protocol.


Also, when you want to focus on a specific conversation (interaction), using [Conversation Filter] or [Colorize Conversation] makes it easier to see.

1. Connection Establishment
These three interactions confirm whether it's okay to transfer data between the computer and the server.
📍 In technical terms, this is the three-way handshake part.
- [SYN]: The part where the PC asks the http://www.chiseki.go.jp/ server, "Is it okay to communicate?"
- [SYN, ACK]: The part where the server replies, "Sure, is it okay for me to communicate as well?"
- [ACK]: The part where the PC replies, "OK~"
By the way, if you type 203.180.136.104 directly into your web browser, the http://www.chiseki.go.jp/ site will be displayed, confirming that you are looking at the target packets.

2. Data Transmission/Reception
These are the packets involved in sending and receiving data 📦

No. 110 (HTTP GET) is the part where the PC requests the site content from www.chiseki.go.jp.

👇
The site content is being delivered to the PC across No. 111-116.

For example, No. 111 [ACK] is like "Request received!", and No. 115 HTTP 200 OK means the request was successful.
What is PSH?
The "PSH (Push)" flag is used to request that received data be immediately handed over to the upper-layer application. It is primarily used to prompt processing on the receiving side and improve response performance.
So it says. (I see...)
👇
In response to No. 115 "200 Success!", the PC side returns an [ACK] in No. 116 to confirm "I've confirmed the success," and the data transmission/reception is complete.

3. Disconnection
Once the data exchange is finished, confirmation steps are taken to properly disconnect (-ω-)/ How polite.
- No. 151 [FIN, ACK] is the server asking the PC, "Is it okay to disconnect?"
- No. 168 [FIN, ACK] is the PC replying to the server, "Sure, is it okay for me to disconnect too?"
- Receiving that, the server returns an [ACK] in No. 174, saying "OK~"
That's the flow.
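As an added example (not from the post, and not Wireshark's own code), here is a small Python script that replays the three phases above on a constructed packet list laid out like Wireshark's table, and also imitates the "tcp"/"http" display filter and the Conversation Filter from the Quick Tips; the client address 192.0.2.10 and the exact rows are assumptions made up to mirror the capture described.

```python
from dataclasses import dataclass

# Server address the post gives for www.chiseki.go.jp. The client address
# and packet rows are constructed to mirror the post's capture.
SERVER = "203.180.136.104"
CLIENT = "192.0.2.10"  # assumed documentation-range address, not from the post

@dataclass(frozen=True)
class Packet:
    no: int
    src: str
    dst: str
    proto: str
    info: str

CAPTURE = [  # constructed rows: No / Source / Destination / Protocol / Info
    Packet(107, CLIENT, SERVER, "TCP", "[SYN]"),
    Packet(108, SERVER, CLIENT, "TCP", "[SYN, ACK]"),
    Packet(109, CLIENT, SERVER, "TCP", "[ACK]"),
    Packet(110, CLIENT, SERVER, "HTTP", "GET / HTTP/1.1"),
    Packet(111, SERVER, CLIENT, "TCP", "[ACK]"),
    Packet(115, SERVER, CLIENT, "HTTP", "HTTP/1.1 200 OK"),
    Packet(116, CLIENT, SERVER, "TCP", "[ACK]"),
    Packet(151, SERVER, CLIENT, "TCP", "[FIN, ACK]"),
    Packet(168, CLIENT, SERVER, "TCP", "[FIN, ACK]"),
    Packet(174, SERVER, CLIENT, "TCP", "[ACK]"),
]

def display_filter(packets, expr):
    """Mimic the post's display filters: 'tcp' keeps everything carried over
    TCP (HTTP included), 'http' keeps only the HTTP rows."""
    keep = {"tcp": {"TCP", "HTTP"}, "http": {"HTTP"}}[expr]
    return [p for p in packets if p.proto in keep]

def conversation(packets, a, b):
    """Like [Conversation Filter]: keep only packets exchanged between a and b."""
    return [p for p in packets if {p.src, p.dst} == {a, b}]

def phases(packets):
    """Label each packet No. with the phase the post walks through:
    handshake -> data -> teardown, driven by the TCP flags in Info."""
    state, labels = "handshake", {}
    for p in packets:
        if "FIN" in p.info:               # first [FIN, ACK] starts teardown
            state = "teardown"
        labels[p.no] = state
        if state == "handshake" and p.info == "[ACK]":
            state = "data"                # third handshake packet: setup done
    return labels
```

Running `phases(conversation(CAPTURE, CLIENT, SERVER))` labels No. 107-109 as handshake, 110-116 as data and 151-174 as teardown, matching the walkthrough above.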
+α Let's look at the site information
In the video I referenced for the packet capture method, how to view the content of the captured site was also introduced, so I'll try that as well. (It starts around 5:27~)
Check No. 115 where HTTP 200 OK is located. Since the Request URI is "http://www.chiseki.go.jp/", this should be the right one ( ..)φ

👇
Use the HTTP Stream feature to look at the contents of the HTTP exchange.
Right-click on the target packet > [Follow] > [HTTP Stream].

👇
The request (GET) part and the response (200 OK) part will be displayed.
Everything below <!DOCTYPE html> is the HTML content used on the site. (I can see some code meant for IE support...)
📍 If you set the character encoding to UTF-8 in [Show data as], Japanese text will also be displayed correctly (・o・)

Conclusion
In this post, I used Wireshark to take a look at the flow of packet interactions in HTTP communication.
Instead of just a simple request and response, I was able to actually see that confirmation [ACK] steps are included to ensure things are done correctly, so I feel like my understanding has leveled up a bit 🦈🦈🦈
By the way, as for HTTPS communication, it seems you can peek into it if you are a client that holds the key 🔑