Hypertext Transfer Protocol

Unicorn tutorials

The Hypertext Transfer Protocol (HTTP) is the delivery mechanism of the World Wide Web, allowing web browsers to connect to web servers to view web pages. In most organizations, HTTP represents, by far, the highest percentage of traffic seen going across the wire. Every time you do a Google search, connect to Twitter to send a tweet, or check the latest release of Unicorn on ids-sax2.com, you’re using HTTP.

We won’t look at the packet structures for an HTTP transfer. Because the contents of those packets vary widely depending on their purpose, that exercise is left to you. Here, we’ll look at some practical applications of HTTP.

Browsing with HTTP

HTTP is most commonly used to browse web pages on a web server using a web browser. The capture file http_google.pcap shows such an HTTP transfer, using TCP as the transport layer protocol. Communication begins with a
three-way handshake between the client 172.16.16.128 and the Google web server 74.125.95.104.

Once communication is established, the first packet is marked as an HTTP packet from the client to the server, as shown in Figure 7-18.

Figure 7-18: The initial HTTP GET request packet

The HTTP packet is delivered over TCP to the server’s port 80, the standard port for HTTP communication (8080 is also commonly used).

HTTP packets are identified by one of eight different request methods (defined in HTTP specification version 1.1), which indicate the action the packet’s transmitter will perform on the receiver. As shown in Figure 7-18, this packet identifies its method as GET, its request Uniform Resource Identifier (URI) as /, and the request version as HTTP/1.1. This information tells us that the client is sending a request to download (GET) the root web directory (/) of the web server using version 1.1 of HTTP.

Next, the host sends information about itself to the web server. This information includes things such as the user agent (browser) being used, the languages accepted by the browser (Accept-Language), and cookie information (at the bottom of the capture). The server can use this information to determine which data to return to the client in order to ensure compatibility.

When the server receives the HTTP GET request in packet 4, it responds with a TCP ACK, acknowledging the packet, and begins transmitting the requested data from packets 6 to 11. HTTP is used only to issue application layer commands between the client and server. When it’s time to transfer data, application layer control is not seen, except for at the beginning and end of the data stream.

Data is sent from the server in packets 6 and 7, an acknowledgment from the client in packet 8, two more data packets in packets 9 and 10, and another acknowledgment in packet 11, as shown in Figure 7-19. All of these packets are shown in Unicorn as TCP segments, rather than HTTP packets, although HTTP is still responsible for their transmission.

Figure 7-19: TCP transmitting data between the client browser and web server

Once all of the data has been transferred, Unicorn reassembles the TCP segments and displays the complete response as a single HTTP packet, as shown in Figure 7-20.

Figure 7-20: Final HTTP packet with response code 200

HTTP uses a number of predefined response codes to indicate the results of a request method. In this example, we see a packet with response code 200, which indicates a successful request method. The packet also includes a timestamp and some additional information about the encoding of the content and configuration parameters of the web server. When the client receives this packet, the transaction is complete.

Posting Data with HTTP

Now that we have looked at the process of downloading data from a web server, let’s turn our attention to uploading data. The file http_post.pcap contains a very simple example of an upload: a user posting a comment to a website.
After the initial three-way handshake, the client (172.16.16.128) sends an HTTP packet to the web server (69.163.176.56), as shown in Figure 7-21.

Figure 7-21: The HTTP POST packet

This packet uses the POST method to upload data to a web server for processing. The POST method used here specifies the URI /wp-comments-post.php and the HTTP 1.1 request version. To see the contents of the data posted, expand the Line-based Text Data portion of the packet.

Once the data is transmitted in this POST, an ACK packet is sent. As shown in Figure 7-22, the server responds with packet 6, transmitting the response code 302, which means “found.”

Figure 7-22: HTTP response 302 is used to redirect.

The 302 response code is a common means of redirection in the HTTP world. The Location field in this packet specifies where the client is to be directed. In this case, that’s to the place on the originating web page where the comment was posted. Finally, the server transmits status code 200, and the page’s content is sent over the next several packets to complete the transmission.
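The following script is an added example, not code from this tutorial or from Unicorn. It does by hand what the analyzer does for both exchanges described above: it joins the server's TCP segments back into one stream (the data packets from the "Browsing with HTTP" section), then parses the request line, headers and body of the GET / request and its 200 response, and the POST to /wp-comments-post.php together with the 302 reply and its Location header. The sample bytes are constructed to mirror the captures, not extracted from http_google.pcap or http_post.pcap; the hostnames, cookie, form fields and the redirect URL are assumptions. The redirect check is a defender's addition: a post-comment redirect is expected to land on the same host the client asked for, so the function reports whether it does.

```python
from urllib.parse import parse_qs, urlsplit

# The eight request methods defined by HTTP/1.1 (RFC 2616).
HTTP11_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}

def reassemble(segments):
    """Join TCP payloads given as (relative_seq, bytes) pairs, like 'Follow TCP Stream'.
    Out-of-order segments are fine; a hole in sequence space raises instead of
    silently producing a stream with missing bytes."""
    stream, expected = b"", 0
    for seq, payload in sorted(segments):
        if seq != expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seq}")
        stream += payload
        expected += len(payload)
    return stream

def _split_message(raw):
    """Return (start line, lower-cased header dict, body bytes) for one HTTP message."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: end of headers not seen yet")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def parse_request(raw):
    """Parse method, URI, version and headers; decode an HTML form body if present."""
    start, headers, body = _split_message(raw)
    method, uri, version = start.split(" ")
    if method not in HTTP11_METHODS:
        raise ValueError(f"not an HTTP/1.1 request method: {method}")
    length = int(headers.get("content-length", "0"))
    if len(body) < length:
        raise ValueError("incomplete request body")
    req = {"method": method, "uri": uri, "version": version,
           "headers": headers, "body": body[:length]}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # Decode key=value pairs the way the server-side script sees them.
        req["form"] = {k: v[0] for k, v in parse_qs(req["body"].decode("latin-1")).items()}
    return req

def parse_response(raw):
    """Parse status line and headers; 'complete' is False until Content-Length bytes arrived."""
    start, headers, body = _split_message(raw)
    version, code, reason = start.split(" ", 2)
    length = int(headers.get("content-length", "0"))
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body[:length], "complete": len(body) >= length}

def redirect_target(request, response):
    """For a 3xx response, return (Location, same_host) so an off-site redirect stands out."""
    if not 300 <= response["status"] < 400:
        return None
    location = response["headers"]["location"]
    target_host = urlsplit(location).hostname or request["headers"].get("host")
    return location, target_host == request["headers"].get("host")

# Constructed sample traffic; hostnames and content are assumptions, not taken from the pcaps.
GET_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.google.com\r\n"
               b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
               b"Accept-Language: en-us,en;q=0.5\r\nCookie: PREF=ID=constructed\r\n\r\n")
BODY = b"<html><body>hello</body></html>"  # 31 bytes
RESPONSE_STREAM = (b"HTTP/1.1 200 OK\r\nDate: Thu, 01 Jan 2009 00:00:00 GMT\r\n"
                   b"Content-Type: text/html; charset=UTF-8\r\nContent-Length: 31\r\n"
                   b"Server: gws\r\n\r\n") + BODY
# The 200 response as three TCP segments, with the middle one listed out of order.
SEGMENTS = [(0, RESPONSE_STREAM[:60]), (140, RESPONSE_STREAM[140:]), (60, RESPONSE_STREAM[60:140])]
POST_REQUEST = (b"POST /wp-comments-post.php HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 51\r\n\r\n"
                b"author=alice&comment=Nice+post%21&comment_post_ID=7")
REDIRECT_RESPONSE = (b"HTTP/1.1 302 Found\r\nContent-Length: 0\r\n"
                     b"Location: http://www.example.com/2009/01/hello-world/#comment-3\r\n\r\n")

def analyze_captures():
    """Walk both exchanges: GET / answered by 200, then the comment POST answered by 302."""
    post_req = parse_request(POST_REQUEST)
    redirect = parse_response(REDIRECT_RESPONSE)
    return {"get": parse_request(GET_REQUEST),
            "get_response": parse_response(reassemble(SEGMENTS)),
            "post": post_req, "redirect": redirect,
            "redirect_target": redirect_target(post_req, redirect)}

if __name__ == "__main__":
    r = analyze_captures()
    print(r["get"]["method"], r["get"]["uri"], "->", r["get_response"]["status"], r["get_response"]["complete"])
    print(r["post"]["form"], "->", r["redirect"]["status"], r["redirect_target"])
```

Two design points worth noting. `parse_response` reports `complete` rather than guessing: until `Content-Length` bytes of body have been seen, the analyzer has only TCP segments, which is exactly why packets 6 through 10 above appear as TCP rather than HTTP. And `reassemble` refuses to produce a stream with a gap; reconstructing a conversation from captured segments with a hole in it is how a parser silently misreads a body, so failing loudly is the safer behaviour for an analysis tool.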
