How to Identify HTTP Response Packets Using Wireshark Version 2.6.3: A Step-by-Step Guide

Using Wireshark version 2.6.3 as an example: in the image below, record 803, highlighted in red, is an HTTP GET request packet, and records 809 and 810, highlighted in green, are response packets. Which one is the response to 803? Here are three methods to identify it:

[Image: Wireshark version 2.6.3]

Identification through Transmission Control Protocol Information

  1. Click on record 803, open the transport layer information in the details pane below (as shown in the image below), and check the value of the Next sequence number field, which is 282:

[Image: Wireshark version 2.6.3]

  2. Open the details of records 809 and 810 in turn, check their transport layer information, and find the Acknowledgment number field. The record whose value equals 282 is the response to 803, as shown in the image below:

At this point, the response corresponding to 803 has been found, and you can open its HTTP layer data to view the details of the response.
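The rule applied in the two steps above (the request's Next sequence number equals the Acknowledgment number of the response travelling back on the same connection) is easy to automate once the TCP fields have been exported from Wireshark. The script below is an added example and not part of the original guide: it runs that match over a small constructed set of packet records that mimics the 803/809/810 situation (the addresses, ports and byte counts are invented), skips bare ACK segments that carry the same acknowledgment number but no HTTP data, and also performs the reverse lookup from a response back to its request.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """One row of the Wireshark packet list, reduced to the fields the match needs."""
    frame: int       # "No." column
    src: str         # "ip:port" of the sender
    dst: str         # "ip:port" of the receiver
    seq: int         # TCP Sequence number (relative, as Wireshark shows by default)
    next_seq: int    # TCP Next sequence number = seq + payload length
    ack: int         # TCP Acknowledgment number
    http: str        # "request", "response", or "" for a bare TCP segment


def _get(packets: List[Packet], frame: int) -> Packet:
    for p in packets:
        if p.frame == frame:
            return p
    raise KeyError(f"frame {frame} not in capture")


def find_response(packets: List[Packet], request_frame: int) -> Optional[int]:
    """Return the frame number of the HTTP response to `request_frame`, or None.

    The response travels in the opposite direction of the same connection, comes
    later in the capture, and its Acknowledgment number equals the request's Next
    sequence number (every request byte was received before the reply was sent).
    """
    req = _get(packets, request_frame)
    if req.http != "request":
        raise ValueError(f"frame {request_frame} is not an HTTP request")
    for p in packets:
        if p.frame <= req.frame:
            continue
        if (p.src, p.dst) != (req.dst, req.src):   # same connection, reversed direction
            continue
        if p.http != "response":                    # skip bare ACKs and other segments
            continue
        if p.ack == req.next_seq:
            return p.frame
    return None


def find_request(packets: List[Packet], response_frame: int) -> Optional[int]:
    """Inverse lookup: the request whose Next sequence number equals this response's ACK."""
    resp = _get(packets, response_frame)
    if resp.http != "response":
        raise ValueError(f"frame {response_frame} is not an HTTP response")
    best: Optional[Packet] = None
    for p in packets:
        if p.frame >= resp.frame:
            continue
        if (p.src, p.dst) != (resp.dst, resp.src):
            continue
        if p.http == "request" and p.next_seq == resp.ack:
            best = p   # keep the latest matching request that precedes the response
    return best.frame if best else None


# Constructed sample capture (hypothetical addresses and sizes, not from the original page).
PACKETS = [
    # connection A: client port 50001
    Packet(803, "10.0.0.5:50001", "93.184.216.34:80", 1, 282, 1, "request"),    # GET, 281 bytes
    Packet(805, "93.184.216.34:80", "10.0.0.5:50001", 1, 1, 282, ""),           # bare ACK of the GET
    Packet(809, "93.184.216.34:80", "10.0.0.5:50001", 1, 1460, 282, "response"),
    # connection B: client port 50002, request sent just before 803
    Packet(801, "10.0.0.5:50002", "93.184.216.34:80", 1, 350, 1, "request"),
    Packet(810, "93.184.216.34:80", "10.0.0.5:50002", 1, 900, 350, "response"),
]


if __name__ == "__main__":
    for frame in (803, 801):
        print(f"request {frame} -> response {find_response(PACKETS, frame)}")
    for frame in (809, 810):
        print(f"response {frame} -> request {find_request(PACKETS, frame)}")
```

Because relative sequence numbers are used on both sides of the comparison, the same code works with absolute numbers as long as both values come from the same capture. The direction check matters: the bare ACK in frame 805 carries Acknowledgment number 282 as well, so matching on the number alone, without requiring an HTTP response in the reverse direction, would pick the wrong frame.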

Identification via Wireshark’s Recognition Result

Identifying the response through the TCP information is somewhat cumbersome, since every candidate record has to be opened and checked one by one. Wireshark provides a more convenient method:

  1. Expand the HTTP layer of record 803. As shown in the image below, the content in the red box is a clickable link; double-click it to open the response record 809 immediately:

  2. When viewing response data, there is likewise a link to the corresponding request packet, and double-clicking it opens that request. Taking record 809 as an example, double-click the content in the red box in its HTTP layer, shown in the image below, to jump directly to 803:

Wireshark’s Marking

Lastly, the simplest method is introduced. As shown in the image below, the right-facing arrow in the red box represents a request, and the left-facing arrow in the blue box represents the corresponding response:

These are the three ways to find the request-response association. I hope this serves as a reference when using Wireshark.