
Watching http in wireshark

By John Campbell

Wireshark reassembles TCP Segments. For teaching purposes, I'd like to see the actual packets (not the reassembled TCP Segments) that flow on a network when you access a webpage.

Can I do that with Wireshark? If not, can you suggest a free program that will let me see the basic, fundamental packets?

3 Answers

You should disable TCP Reassembly and IP Reassembly in Wireshark. These features change packet bytes. For example, IP Reassembly shows the IP and TCP headers in the last packet of a datagram, whereas they are in the first packet.

To disable these features:

  1. Select one packet in Wireshark
  2. Select its IP Header and right-click on it
  3. Uncheck Reassemble Fragmented IPv4 datagrams under Protocol Preferences
  4. Select the packet's TCP Header and right-click on it
  5. Uncheck Allow subdissector to reassemble TCP streams under Protocol Preferences

These changes are saved automatically and remain valid in later runs of Wireshark.
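What the per-packet view from the answer above looks like outside the GUI, as an added example that is not part of the original answers: a minimal reader for the classic pcap format that lists each TCP packet's own payload with no stream reassembly. The capture, addresses, ports and function names are constructed for illustration, and only Ethernet/IPv4/TCP is handled.

```python
import struct

# Constructed sample: one HTTP response that the sender split across two TCP packets.
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nhello, world"

def _frame(seq, payload):
    """Build one Ethernet/IPv4/TCP frame (constructed; checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 80, 50000, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_pcap(split_at=20):
    """Return a little-endian classic pcap file holding the two constructed frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    seq = 1000
    for part in (RESPONSE[:split_at], RESPONSE[split_at:]):
        frame = _frame(seq, part)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
        seq += len(part)
    return out

def tcp_segments(pcap):
    """Yield (seq, payload) per captured packet, with no stream reassembly."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue  # truncated or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        frag = struct.unpack("!H", ip[6:8])[0] & 0x3FFF  # MF flag or fragment offset
        if ip[9] != 6 or frag:
            continue  # not TCP, or an IP fragment (later fragments carry no TCP header)
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        if len(tcp) < 20:
            continue
        data_off = (tcp[12] >> 4) * 4
        yield struct.unpack("!I", tcp[4:8])[0], tcp[data_off:]

if __name__ == "__main__":
    for seq, payload in tcp_segments(sample_pcap()):
        print(f"seq={seq} len={len(payload)} {payload!r}")
```

The second packet's payload starts in the middle of a header line, which is how an HTTP message appears on the wire once reassembly is turned off.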

If you want to view only HTTP packets in Wireshark:

  • Start Wireshark
  • Select your network adaptor
  • In the Filter box, enter 'http' and then apply.

This can help you filter out non-HTTP traffic. Then you can simply look at the packets:

6.1. Viewing packets you have captured

Once you have captured some packets, or you have opened a previously saved capture file, you can view the packets that are displayed in the packet list pane by simply clicking on a packet in the packet list pane, which will bring up the selected packet in the tree view and byte view panes.

You can also disable packet reassembling as shown here. Fiddler may also be a good choice if you want to look at the HTTP layer.
