We set up a local service that can be accessed through a browser, and use Wireshark to capture the network request data on localhost (127.0.0.1). Start the local service, open 127.0.0.1 in the browser, and observe the packets captured in Wireshark, focusing on those using the TCP/IP protocol.
The browser needs to establish a stable connection with the server using the “three-way handshake” as per the TCP/IP protocol specifications. This corresponds to the first three packets captured by Wireshark. After the SYN, SYN/ACK, and ACK packets, the TCP connection between the browser and the server is established.
Once the TCP connection is set up, the HTTP protocol can operate over it. The browser, following the HTTP specification, sends a “GET / HTTP/1.1” request message. Upon receiving this message, the server sends an acknowledgment at the TCP level, indicating receipt of the request from the browser. This acknowledgment is not visible at the HTTP layer because it occurs at the TCP level.
After receiving the request, the server processes it internally. It then packages the data it intends to return into a message according to the HTTP specification and sends it to the browser; this is the 6th packet captured by Wireshark, “HTTP/1.1 200 OK”. Similarly, the browser sends an acknowledgment back to the server upon receiving this packet, which is the 7th packet captured by Wireshark, a TCP ACK confirmation.
Upon receiving the HTTP data packet from the server, the browser parses it and displays the returned result on the web page. This concludes the entire process of accessing the server once through the browser. Note that, since we are using the HTTP/1.1 protocol, the TCP connection is not immediately closed after a single HTTP request. Therefore, the TCP “four-way handshake” that closes a connection is absent from the capture.
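The following is an added example, not code from the original page: a Python script that serves HTTP/1.1 on 127.0.0.1 and sends two GET requests over one TCP connection, so a Wireshark loopback capture shows a single three-way handshake and no FIN between the requests. The handler class, the function name and the response body are assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class Handler(BaseHTTPRequestHandler):
    # Illustrative handler; HTTP/1.1 makes http.server keep the connection open.
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        body = b"hello\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        # Content-Length lets the client find the end of the response
        # without the server closing the TCP connection.
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the console quiet


def two_requests_one_connection():
    """Return (status, http_version, client_port) for two GETs on one socket."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
    results = []
    try:
        for _ in range(2):
            conn.request("GET", "/")        # first call triggers SYN, SYN/ACK, ACK
            resp = conn.getresponse()
            resp.read()                     # drain the body so the socket can be reused
            # The client's source port identifies the TCP connection in a capture.
            results.append((resp.status, resp.version, conn.sock.getsockname()[1]))
    finally:
        conn.close()                        # only now does the FIN exchange occur
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for status, version, port in two_requests_one_connection():
        print(f"status={status} http_version={version} client_port={port}")
```

Both responses report the same client port, which is the same TCP stream in Wireshark; the FIN packets appear only when the client closes the connection.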
The process of accessing the server through a browser:
- The browser obtains the IP address and port number we entered;
- The browser establishes a connection with the server using the TCP three-way handshake;
- The browser sends an HTTP message to the server;
- The server receives the request message (and sends a TCP-ACK confirmation) and sends the response HTTP message to the browser;
- The browser receives the response message (and sends a TCP-ACK confirmation), then parses and displays it.

Access using a domain name
In the previous steps, we directly used the IP address for network access, bypassing the domain name resolution process. When we make network requests using a domain name, domain name resolution must be performed before establishing the TCP connection.
Process of domain name resolution in the browser:
1. Check the browser’s cache; if found, use the IP to establish the TCP connection;
2. Search for the IP corresponding to the domain in the system’s cache;
3. Check the hosts file in the system for the domain and IP address correspondence;
4. Perform network-based domain name resolution:
   4-1. Check if there is a cache with the ISP, large company proxies, and DNS;
   4-2. Access the DNS system for domain name resolution (root DNS, top-level DNS, authoritative DNS).