
Analyzing the HTTP protocol with Wireshark packet captures

HTTP is a stateless protocol. Stateless means that no persistent connection has to be maintained between the client (the web browser) and the server: when the client sends a request to the server, the web server returns a response, the connection is closed, and the server keeps no information about that connection. HTTP follows a request/response model. The client (the web browser) sends a request to the web server, and the web server processes the request and returns the appropriate response. Every HTTP exchange is built from such a pair of request and response. The process goes through four stages: establishing the connection, sending the request message, sending the response message and closing the connection, as shown in the figure below:

[Figure 1.png: the four stages of an HTTP exchange]

The HTTP workflow in more detail is as follows:

1. The client establishes a connection to the server with the TCP three-way handshake.

2. Once the TCP connection is established, the client sends an HTTP request to the server.

3. After receiving the client's HTTP request, the server returns a response and sends the data to the client.

4. The client tears down the TCP connection to the server with the TCP four-way close.

In this experiment we simulate data transfer between two machines on a LAN, configure the HFS (HTTP File Server) software, and capture and analyze the HTTP traffic.

Given the experimental environment, the steps are as follows:

1. Configure HFS and obtain HTTP GET and POST data

2. Analyze the HTTP packets

Step one: configure HFS and obtain HTTP GET and POST data

In the LAN environment we use a small tool, HFS, to run the HTTP server. First, configure HFS on the server.

1 Configuring HFS

Unzip the archive locally, enter the folder, right-click the program and run it as administrator, as follows:

[Figure 2.png: starting HFS as administrator]

First we configure HFS. For the purpose of this experiment it is enough to be able to obtain GET and POST packets. Click the port button in the top-left corner and enter the port; here we use 8080. Click OK, as follows:

[Figure 3.png: setting the HFS port to 8080]

In the virtual file system area, right-click and choose "Add directory from disk", then choose a directory that actually exists (note that it must be a real directory). In the "Select directory type" dialog that pops up, choose "Real directory". Here we use the unzipped directory on the desktop; the directory is then shown in red.

[Figure 4.png: adding a real directory to the virtual file system]

Right-click the directory, click "Set user name and password", enter the user name and password (demo/demo) in the dialog and click OK.

[Figure 5.png: setting the user name and password for the directory]

Right-click the directory, click "Properties", choose the "Upload" tab and select "Anyone". Click OK. HFS is now configured, and the client can access it through a browser.

2 Obtaining HTTP GET and POST data

Now, on the tester's machine, open the Wireshark capture tool and enter the filter ip.addr == 10.1.1.33. Then enter the URL shown by HFS on the server into the browser and wait for the server to respond. On success, the page is visible in the browser on the tester's machine, as follows:

[Figure: the HFS page in the tester's browser]

At this point we have captured the HTTP GET method. Save the packets captured by Wireshark as HTTP-Get.

Click Login on the page, enter the user name and password (demo/demo) in the dialog, click OK and wait for the server to respond. On success it looks as follows:

[Figure 7.png: logged in to HFS]

Next, double-click the folder on the page (wait for the server to respond), restart Wireshark at the same time, and wait for the page to refresh successfully.

[Figure 8.png: the folder page after the refresh]

As in the figure above, an Upload button appears on the left. Click "Upload", choose a file (here we choose "http-post.txt" on the desktop) and click Upload. Wait for the server to respond; it reports that the upload succeeded, as follows:

[Figure 9.png: upload succeeded]

Save the capture file and name it HTTP-Post. That completes task one.

Step two: analyze the HTTP packets

1 HTTP message format

HTTP consists of two parts, request and response, so there are two corresponding message formats. The HTTP request message format and the HTTP response message format are introduced below.

HTTP request message format

[Figure 10.png: HTTP request message format]

In the table above, line 1 is the "request line", lines 2, 3 and 4 are "request headers", line 5 is a blank line and line 6 is the "request body". These four parts are described below:

(1) Request line: made up of three parts, the request method, the URL (see note 1) and the protocol version, separated by spaces. Request methods include GET, POST and others. The protocol version has the form HTTP/major.minor; HTTP/1.0 and HTTP/1.1 are the common versions.

(2) Request headers: contain a lot of useful information about the client environment and the request body. Each header is a "keyword: value" pair, one pair per line, with the keyword and value separated by an ASCII colon ":".

(3) Blank line: this line is essential. It marks the end of the request headers; what follows is the request body.

(4) Request body: optional. A GET request, for example, has no request body, while a POST request carries the submitted form data as its request body.

HTTP response message format

[Figure 11.png: HTTP response message format]

In the table above, line 1 is the "status line", lines 2, 3 and 4 are "response headers", line 5 is a blank line and line 6 is the "response body". These four parts are described below:

(1) Status line: made up of three parts, the protocol version, the status code and the status code description (reason phrase), separated by spaces. The status code is a three-digit number: 200 to 299 indicates success, 300 to 399 indicates resource redirection, 400 to 499 indicates a client request error and 500 to 599 indicates a server error (HTTP/1.1 introduced informational status codes in the range 100 to 199). A few common ones:

Status code | Explanation
200 | Response successful
400 | The client request has a syntax error and is not understood by the server
404 | The requested resource does not exist
500 | Server internal error

(2) Response headers: like the request headers, "keyword: value" pairs, one per line, describing the server and the response body.

(3) Blank line: this line is essential. It marks the end of the response headers.

(4) Response body: the document returned by the server, most commonly an HTML page.

2 HTTP header fields

Both the HTTP request message and the response message contain header fields. Header fields fall into four kinds: request header fields and response header fields appear only in request and response messages respectively, while general headers and entity headers can appear in both kinds of message, although entity headers appear only when the message carries entity data. The field names and functions of these four kinds of header are introduced below.

HTTP request header fields

Header | Explanation
Accept | Content types the client can accept
Accept-Charset | Character sets the browser can accept
Accept-Encoding | Content compression encodings the browser supports for the web server's response
Accept-Language | Languages the browser accepts
Accept-Ranges | Requests one or more sub-ranges of a web entity
Authorization | Credentials for HTTP authentication
Cache-Control | Specifies the caching mechanism that requests and responses follow
Connection | Indicates whether a persistent connection is required (HTTP/1.1 uses persistent connections by default)
Cookie | When the HTTP request is sent, all saved cookie values are sent to the web server
Content-Length | Length of the request content
Content-Type | MIME type of the request entity
Date | Date and time at which the request was sent
Expect | Specific server behaviour the request expects
From | Email address of the requesting user
Host | Domain name and port number of the requested server
If-Match | The request is valid only if the request content matches the entity
If-Modified-Since | The request succeeds if the requested part was modified after the given time; otherwise a 304 code is returned
If-None-Match | Returns a 304 code if the content has not changed; the parameter is the ETag previously sent by the server, which the server compares with the current ETag to decide whether it changed
If-Range | If the entity has not changed, the server sends the part the client is missing; otherwise it sends the whole entity. The parameter is an ETag
If-Unmodified-Since | The request succeeds only if the entity has not been modified after the given time
Max-Forwards | Limits the number of times the message may be forwarded through proxies and gateways
Pragma | Carries implementation-specific directives
Proxy-Authorization | Credentials for connecting to a proxy
Range | Requests only a part of the entity, in the given range
Referer | Address of the previous page, from which the link to the current request was followed
TE | Transfer encodings the client is willing to accept, and whether it accepts trailer headers
Upgrade | Asks the server to switch to the given transport protocol (if supported)
User-Agent | Information about the user agent (browser) making the request
Via | Addresses of intermediate gateways or proxies and the protocols used
Warning | Warning about the message entity

Response header fields appear only in response messages and carry state and requirements that the web server passes to the browser, as follows:

HTTP response header fields

Header | Explanation
Accept-Ranges | Indicates whether the server supports range requests and which range unit
Age | Estimated time (in seconds, non-negative) from when the response was generated at the origin server to when it was cached by the proxy
Allow | Methods that are valid for the resource; 405 is returned if the method is not allowed
Cache-Control | Tells all caching mechanisms whether and how they may cache
Content-Encoding | Content compression encoding applied by the web server
Content-Language | Language of the response body
Content-Length | Length of the response body
Content-Location | An alternative location for the requested resource
Content-MD5 | MD5 checksum of the returned resource
Content-Range | Byte position of this part within the whole body
Content-Type | MIME type of the returned content
Date | Time at which the origin server sent the message
ETag | Current value of the entity tag of the requested variant
Expires | Date and time at which the response expires
Last-Modified | Last modification time of the requested resource
Location | Redirects the receiver to a URL other than the requested one, to complete the request or identify a new resource
Pragma | Implementation-specific directives that may apply to any receiver on the response chain
Proxy-Authenticate | Indicates the authentication scheme and parameters to use with the proxy
Retry-After | If the entity is temporarily unavailable, tells the client to retry after the given time
Server | Name of the web server software
Set-Cookie | Sets an HTTP cookie
Trailer | Indicates which header fields are present at the end of a chunked transfer
Transfer-Encoding | Transfer encoding of the message body
Vary | Tells downstream proxies whether to use the cached response or request it from the origin server
Via | Tells the proxy where the response was sent from
Warning | Warns of possible problems with the entity
refresh | Used to redirect or when a new resource is created; redirects after 5 seconds (proposed by Netscape, supported by most browsers)

General header fields can be used in both request messages and response messages.

HTTP general header fields

Header | Explanation
Cache-Control | Specifies the caching mechanism that requests and responses follow; it can carry many directives
Connection | Indicates whether a persistent connection is required
Date | Indicates when the message was sent
Pragma | Carries implementation-specific directives; the most common is Pragma: no-cache, which controls page caching
Trailer | States which header fields are present at the end of entity data transferred with chunked encoding
Transfer-Encoding | Tells the receiver what encoding the web server applied to the message body itself (not to the object inside it), for example whether it is chunked, as in Transfer-Encoding: chunked
Upgrade | Can name another, possibly completely different, protocol. For example, an HTTP/1.1 client can send the server an HTTP/1.0 request containing an Upgrade header with the value "HTTP/1.1", so the client can test whether the server also speaks HTTP/1.1
Via | Lists the proxy servers the request passed through from the client to the origin server (OCS), or the response in the opposite direction, and the protocol (and version) they used
Warning | Warns that caching operations or transformations applied to the entity data may lack semantic transparency

Entity header fields are needed only when the request or response message carries entity data. The entity data in a request message is data the browser submits to the web server; for example, when the browser submits a form with POST, it packs the form data into the entity data part of the request message. The entity data in a response message is the media data the web server sends to the browser, such as web pages, pictures and documents. Entity header fields describe attributes of the entity data, as in the following table:

HTTP entity header fields

Header | Explanation
Allow | Lists the set of methods supported by the resource identified by the request URI
Content-Encoding | States how the entity data is encoded
Content-Language | States the natural language of the entity data
Content-Length | Length of the entity data
Content-Location | Resource location of the entity data
Content-MD5 | MD5 value of the entity data, used to check its integrity
Content-Range | Position of this part within the whole entity, together with the total entity length. When the server returns a partial response to the client, it must state the range of the response and the total length of the entity
Content-Type | Tells the receiver the media type of the entity, for a GET request or a HEAD request
Expires | Validity period of the entity data
Last-Modified | Last modification time of the content saved on the server

3 Analyzing a GET HTTP packet

Taking the HTTP-Get capture as an example, we analyze the HTTP request and response packets of the GET method.

Analyzing the HTTP request packet

Open the capture and enter the filter ip.addr == 10.1.1.33, as follows:

[Figure 12.png: the filtered HTTP-Get capture]

The first three packets are the TCP three-way handshake; the fourth is the HTTP request packet sent from the client to the server. Let's analyze it:

[Figure 13.png: the HTTP request packet]

The protocols below HTTP are not explained this time; readers who are unfamiliar with them can refer to the earlier experiments. Let's look at the HTTP protocol:

Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n # request line
        Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n # expert information
            GET / HTTP/1.1\r\n
            Severity level: Chat
            Group: Sequence
        Request Method: GET # the request method is GET
        Request URI: / # the requested URI
        Request Version: HTTP/1.1 # the request version is HTTP/1.1
    Host: 10.1.1.33:8080\r\n # requested host
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0\r\n # browser type
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n # content types accepted
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3\r\n # languages accepted
    Accept-Encoding: gzip, deflate\r\n # content encodings accepted
    Connection: keep-alive\r\n # use a persistent connection
    \r\n # blank line
    Full request URI: 10.1.1.33:8080/ # the full requested URI is 10.1.1.33:8080/
    HTTP request 1/8
    Response in frame: 2770 # the response is frame 2770
    Next request in frame: 2775 # the next request is frame 2775

The above is the information in the HTTP request packet. You can see that the client sent a GET request with HTTP/1.1 to the server, requesting access to the server 10.1.1.33. Filling this information into the message format gives the following:

GET HTTP request message format

GET [space] / [space] HTTP/1.1 \r\n
Accept: text/html,application/xhtml+xml,application/xml \r\n
Connection: keep-alive \r\n
\r\n
Full request URI: 10.1.1.33:8080/
Analyzing the HTTP response packet

From the request packet we already know that the response packet is frame 2770, so let's look at it:

[Figure 14.png: the HTTP response packet]

Before the HTTP section, the figure below shows reassembled TCP segments totalling 2270 bytes: because the data exceeded the maximum segment size (MSS) of a TCP packet, it was split into segments at the TCP layer. The information below shows the size of each segment, for example #2767 (247), where 2767 is the frame number and 247 the size in bytes.

[Figure 15.png: the reassembled TCP segments]

Now look at the HTTP part:

Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n # status line
        Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n # expert information
            HTTP/1.1 200 OK\r\n # HTTP response, status code 200
            Severity level: Chat
            Group: Sequence
        Request Version: HTTP/1.1 # protocol version
        Status Code: 200 # status code
        Response Phrase: OK # reason phrase
    Content-Type: text/html\r\n # content type of the response
    Content-Length: 2023\r\n # length of the response body
        Content length: 2023
    Accept-Ranges: bytes\r\n # the server supports range requests in bytes
    Server: HFS 2.3 beta\r\n # server software
    Set-Cookie: HFS_SID=0.248448607278988; path=/; \r\n # sets an HTTP cookie
    Cache-Control: no-cache, no-store, must-revalidate, max-age=-1\r\n # cache control
    Content-Encoding: gzip\r\n # compression of the entity data
    \r\n # blank line
    HTTP response 1/8 # HTTP response
    Time since request: 0.015248000 seconds # response time
    Request in frame: 2763 # the request is frame 2763
    Next request in frame: 2775 # the next request is frame 2775
    Next response in frame: 2778 # the next response is frame 2778
    Content-encoded entity body (gzip): 2023 bytes -> 4375 bytes # content encoding (gzip)
    Line-based text data: text/html # line-based text data

From the information above you can see that the server answered the client's request with HTTP/1.1 200 OK. Filling it into the message format gives:

GET HTTP response message format

HTTP/1.1 [space] 200 [space] OK \r\n
Content-Type: text/html \r\n
Content-Encoding: gzip \r\n
\r\n
(body omitted)

4 Analyzing a POST HTTP packet

Analyzing the HTTP request packet

Now we use the HTTP-Post capture as an example to analyze the HTTP request and response of the POST method. Open the capture and enter the filter ip.addr == 10.1.1.33. Among the HTTP packets shown, the Info column also contains a POST, as follows:

[Figure 16.png: the filtered HTTP-Post capture]

Let's start the analysis:

Hypertext Transfer Protocol # HTTP protocol
    POST /hfs2_3b287/ HTTP/1.1\r\n # request line
        Expert Info (Chat/Sequence): POST /hfs2_3b287/ HTTP/1.1\r\n # expert information
            POST /hfs2_3b287/ HTTP/1.1\r\n
            Severity level: Chat
            Group: Sequence
        Request Method: POST # the request method is POST
        Request URI: /hfs2_3b287/ # the requested URI
        Request Version: HTTP/1.1 # the request version
    Host: 10.1.1.33:8080\r\n # requested host
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0\r\n # browser type
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n # content types the browser accepts
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3\r\n # languages accepted
    Accept-Encoding: gzip, deflate\r\n # content encodings accepted, here gzip and deflate
    Referer: 10.1.1.33:8080/hfs2_3b287/\r\n # the page from which the request was made
    Cookie: HFS_SID=0.248448607278988\r\n # cookie information
        Cookie pair: HFS_SID=0.248448607278988
    Authorization: Basic ZGVtbzpkZW1v\r\n # authorization credentials
        Credentials: demo:demo # login user name and password, decoded by Wireshark from the base64 value
    Connection: keep-alive\r\n # use a persistent connection
    Content-Type:multipart/form-data;boundary=---------------------------54542580413055\r\n # content type of the request
    Content-Length: 367\r\n # length of the request body
        Content length: 367
    \r\n # blank line
    Full request URI: 10.1.1.33:8080/hfs2_3b287/ # the full requested URI is 10.1.1.33:8080/hfs2_3b287/
    HTTP request 1/6
    Response in frame: 3800 # the response is frame 3800
    Next request in frame: 3802 # the next request is frame 3802

The above is the HTTP request packet of the POST method. You can see the requested connection together with the login user name and password: the Basic Authorization header is only base64-encoded, not encrypted, so Wireshark decodes it directly to demo:demo. Filling the above into the message format gives:

POST HTTP request message format

POST [space] /hfs2_3b287/ [space] HTTP/1.1 \r\n
Accept: text/html,application/xhtml+xml,application/xml \r\n
Content-Length: 367 \r\n
\r\n
(body omitted)

In addition, below the HTTP section we see the following:

[Figure 17.png: MIME multipart media encapsulation in Wireshark]

The multipart/form-data type is a way of uploading files; it is the format browsers use to upload files with a form. The most common scenario is adding an attachment while writing an email: the attachment is added through a form and uploaded to the server in multipart/form-data format. In the experiment we uploaded a file to the server, which is why the request has this type.

How it appears in Wireshark

First, the Wireshark fields that correspond to multipart/form-data:

MIME Multipart Media Encapsulation: represents all of the data uploaded in multipart/form-data form.

Encapsulated multipart part: represents the data of one part of the form.

Boundary: separates the data of the different parts of the form.

Second:

1) MIME Multipart Media Encapsulation, Type: multipart/form-data, Boundary: "---------------------------54542580413055"

This line states that the request is in multipart/form-data format and that the boundary is the string "---------------------------54542580413055".

2) About the boundary: it separates the data of the different parts of the form. In practice, each part begins with "--" followed by the boundary (this is specified by the MIME standard).

3) Encapsulated multipart part: immediately after the boundary comes the description of that part's data:

Content-Disposition: form-data; name="Filename"\r\n

Every part has at least a name and a content section.

From the multipart/form-data above we can see the name of the file we uploaded, http-post.txt, and its content, "This is demo for HTTP POST".
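As an added example, not code from the original experiment or from HFS, the following Python script parses a constructed copy of the POST request above the way the Wireshark dissector lays it out (request line, headers, blank line, body, as described in the message format section), splits the multipart/form-data body on its boundary as described in points 1 to 3, and decodes the Basic Authorization header to show why the login credentials were readable in the capture. The request text is constructed; its boundary, path and credentials mirror the capture, while the form part names (Filename, fileupload) are assumptions.

```python
import base64

# Constructed sample request (CRLF line endings, as on the wire). Boundary, path
# and credentials mirror the capture above; the form part names are assumptions.
BOUNDARY = "---------------------------54542580413055"
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="Filename"\r\n'
    "\r\n"
    "http-post.txt\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="fileupload"; filename="http-post.txt"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    "This is demo for HTTP POST\r\n"
    f"--{BOUNDARY}--\r\n"          # closing delimiter: "--" + boundary + "--"
)
RAW_REQUEST = (
    "POST /hfs2_3b287/ HTTP/1.1\r\n"
    "Host: 10.1.1.33:8080\r\n"
    "Authorization: Basic ZGVtbzpkZW1v\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    f"Content-Length: {len(BODY.encode())}\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"                          # the blank line that ends the headers
) + BODY


def parse_request(raw: str) -> tuple[tuple[str, str, str], dict[str, str], str]:
    """Return (method, URI, version), headers keyed by lower-cased name, and the
    body that follows the first blank line, as the dissector lays it out."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)   # request line: three tokens
    headers = {}
    for line in lines[1:]:                          # "keyword: value", one per line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return (method, uri, version), headers, body


def parse_multipart(body: str, content_type: str) -> list[dict[str, str]]:
    """Split the body on "--" + boundary. Each part is its Content-Disposition
    parameters (name, filename) plus the content after the part's own blank line."""
    params = dict(p.strip().split("=", 1) for p in content_type.split(";")[1:])
    delim = "--" + params["boundary"].strip('"')
    parts = []
    for chunk in body.split(delim)[1:]:             # [0] is the (empty) preamble
        if chunk.startswith("--"):                  # "--boundary--" ends the body
            break
        part_head, _, content = chunk.strip("\r\n").partition("\r\n\r\n")
        fields = {}
        for hline in part_head.split("\r\n"):
            hname, _, hval = hline.partition(":")
            if hname.strip().lower() == "content-disposition":
                for p in hval.split(";")[1:]:       # skip the "form-data" token
                    key, _, val = p.strip().partition("=")
                    fields[key] = val.strip('"')
        fields["content"] = content
        parts.append(fields)
    return parts


def decode_basic_auth(headers: dict[str, str]) -> tuple[str, str]:
    """Basic auth is base64, not encryption: the capture yields user:password directly."""
    scheme, _, token = headers["authorization"].partition(" ")
    if scheme != "Basic":
        raise ValueError(f"unexpected scheme {scheme!r}")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    req_line, hdrs, body = parse_request(RAW_REQUEST)
    print(req_line, parse_multipart(body, hdrs["content-type"]), decode_basic_auth(hdrs))
```

Run it directly to print the parsed parts; the takeaway for defenders is that Basic credentials and uploaded file contents are recoverable by anyone holding a capture of plain HTTP, which is why such logins belong on HTTPS.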

Analyzing the HTTP response packet

Based on the response frame reported by Wireshark, let's look at frame 3800.

[Figure 18.png: the POST response packet]

Hypertext Transfer Protocol # HTTP protocol
    HTTP/1.1 200 OK\r\n # status line
        Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n # expert information
            HTTP/1.1 200 OK\r\n # response information
            Severity level: Chat
            Group: Sequence
        Request Version: HTTP/1.1 # protocol version
        Status Code: 200 # status code
        Response Phrase: OK # reason phrase
    Content-Type: text/html\r\n # content type of the response
    Content-Length: 570\r\n # length of the response body
        Content length: 570
    Accept-Ranges: bytes\r\n # the server supports range requests in bytes
    Server: HFS 2.3 beta\r\n # web server software
    Content-Encoding: gzip\r\n # compression of the entity data
    \r\n # blank line
    HTTP response 1/6 # HTTP response
    Time since request: 0.008774000 seconds # response time
    Request in frame: 3798 # the request is frame 3798
    Next request in frame: 3802 # the next request is frame 3802
    Next response in frame: 3804 # the next response is frame 3804
    Content-encoded entity body (gzip): 570 bytes -> 866 bytes # content encoding (gzip)
    Line-based text data: text/html # text content

The above is the HTTP response packet of the POST method. You can see that the server answered the client's HTTP request with HTTP/1.1 200 OK, and that the server software is HFS 2.3 beta. Filling the data into the message format gives:

POST HTTP response message format

HTTP/1.1 [space] 200 [space] OK \r\n
Server: HFS 2.3 beta \r\n
Content-Encoding: gzip \r\n
\r\n
(body omitted)

This experiment explained the main GET and POST methods. You can capture packets and study the other methods on your own to improve your skills.

Related experiment: Wireshark packet capture analysis of the HTTP protocol

Copyright notice
This article was created by [Hetian Wangan Laboratory]; please include the original link when reposting. Thank you.
https://cdmana.com/2021/02/20210218165509259Q.html
