Lab 01 Solution

Uploaded by Nimra Mumtaz

HTTP PACKET ANALYSIS IN WIRESHARK

• Start up your web browser.

• Start up the Wireshark packet sniffer.

• Enter the following URL in your browser:
https://filesampleshub.com/download/code/html/sample1.html. Your browser should display
a very simple, one-line HTML file.

• Stop the Wireshark packet capture.
Answer the following questions, based on your Wireshark experimentation:

1. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the server
running?

The browser is using HTTP 1.1; it is the default protocol for most browsers and servers that
support it. HTTP 1.1 introduced improvements over HTTP/1.0, such as persistent
connections, chunked transfer encoding, and support for additional request methods.

2. What languages (if any) does your browser indicate that it can accept to the server?

The browser tells the server that it prefers English (United States) as its primary
language.
i. To check this, right-click on the page and select Inspect.
ii. Go to the Network tab.
iii. Reload the page.
iv. Click on any request and look in the Headers tab under Request Headers.
v. Accept-Language: en-US, en;q=0.9,fr;q=0.8

3. What is the IP address of your computer? Of the gaia.cs.umass.edu server?

The IP address of my computer, shown on the "IPv4 Address" line, is 192.168.10.14.

The server and address reported for gaia.cs.umass.edu are given below:
i. Server: zte.home
ii. Address: 192.168.10.1

4. What is the status code returned from the server to your browser?

i. To check the status code returned from the server, right-click on the page and
select Inspect.
ii. Go to the Network tab and reload the page.
iii. Click on any request and look in the Headers tab under the request header.
iv. We will see Status Code: 200 OK, 302 Found, 403 Forbidden, 404 Not Found or 500
Internal Server Error.

5. When was the HTML file that you are retrieving last modified at the server?

i. Open Chrome, then open DevTools by right-clicking the page and selecting
Inspect.
ii. Go to the Network tab.
iii. Reload the page.
iv. Click on the request for the HTML file.
v. In the response headers we get: Last-Modified: Tue, 21 Oct 2024 14:30:00 GMT

6. How many bytes of content are being returned to your browser?

i. Open Chrome, then open DevTools by right-clicking the page and selecting Inspect.
ii. Go to the Network tab.
iii. Reload the page.
iv. Click on the request for the HTML file.
v. In the response headers we get: Content-Length: 15552

7. By inspecting the raw data in the packet content window, do you see any headers
within the data that are not displayed in the packet-listing window? If so, name one.

The HTTP CONDITIONAL GET/response interaction

8. Inspect the contents of the first HTTP GET request from your browser to the server. Do
you see an “IF-MODIFIED-SINCE” line in the HTTP GET?

From this result we can conclude that

• Frame 5998 shows the HTTP GET request.

• The line shows: GET /en-US/livetile/preinstall?region=US&appid=C98EA5...&FORM=Threshold
HTTP/1.1

• "IF-MODIFIED-SINCE" is not visible in the portion of the request shown in the summary. If that
header were present, it would typically appear within the request headers section right after the
GET line and Host.

9. Inspect the contents of the server response. Did the server explicitly return the
contents of the file? How can you tell?

Analyzing the response:

• HTTP/1.1 200 OK
• Hex and ASCII panels

Key takeaway: this kind of response shows us that the server explicitly returned the contents of
the requested file.

10. Now inspect the contents of the second HTTP GET request from your browser to the
server. Do you see an “IF-MODIFIED-SINCE:” line in the HTTP GET? If so, what
information follows the “IF-MODIFIED-SINCE:” header?
• Frame 5998: this is the second HTTP GET request from the list.
• Expand the "Hypertext Transfer Protocol" section in the bottom panel to see the complete set
of headers sent in this GET request.
• If the "IF-MODIFIED-SINCE" header is present, it will appear in that expanded HTTP header section
along with the date and time value following it. It typically looks like: IF-MODIFIED-SINCE: Wed,
20 Oct 2024 12:34:56 GMT

11. What is the HTTP status code and phrase returned from the server in response to this
second HTTP GET? Did the server explicitly return the contents of the file? Explain.

Second response: GET /en-US/livetile/preinstall?region=US&appid=... HTTP/1.1

HTTP Response Status Code and Phrase:
• Status Code: 200
• Status Phrase: OK

Did the Server Explicitly Return the File?
Yes, the server successfully returned the file with the status code 200 OK.
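The header fields read off in questions 2, 5 and 6 can be pulled out of the raw request and response text that Wireshark shows, and the If-Modified-Since decision behind questions 8 to 11 can be simulated from the Last-Modified value. This is an added Python example, not part of the lab solution; the request and response text are constructed from the values quoted above, and the earlier If-Modified-Since date used in the test is made up.

```python
from email.utils import parsedate_to_datetime

# Constructed sample messages shaped like the lab page exchange; not a real capture.
REQUEST = (
    "GET /download/code/html/sample1.html HTTP/1.1\r\n"
    "Host: filesampleshub.com\r\n"
    "Accept-Language: en-US,en;q=0.9,fr;q=0.8\r\n\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Last-Modified: Tue, 21 Oct 2024 14:30:00 GMT\r\n"
    "Content-Length: 15552\r\n\r\n"
)

def parse_message(raw):
    """Split an HTTP/1.x message into (start line, {lower-cased header name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def accept_languages(headers):
    """(tag, q) pairs from Accept-Language, highest q first; a missing q means 1.0."""
    prefs = []
    for item in headers.get("accept-language", "").split(","):
        tag, _, param = item.strip().partition(";")
        q = float(param.strip()[2:]) if param.strip().startswith("q=") else 1.0
        prefs.append((tag, q))
    return sorted(prefs, key=lambda p: -p[1])

def conditional_status(last_modified, if_modified_since):
    """Reply a server gives a GET that carries If-Modified-Since (HTTP validation rule)."""
    if parsedate_to_datetime(last_modified) <= parsedate_to_datetime(if_modified_since):
        return 304, "Not Modified"   # cached copy still current: headers only, no body
    return 200, "OK"                 # file changed since then: full contents returned

if __name__ == "__main__":
    req_line, req_hdrs = parse_message(REQUEST)
    status_line, resp_hdrs = parse_message(RESPONSE)
    print(req_line.split()[-1], accept_languages(req_hdrs))
    print(status_line, "|", resp_hdrs["content-length"], "bytes")
    # Second GET: the browser echoes Last-Modified back as If-Modified-Since.
    print(conditional_status(resp_hdrs["last-modified"], resp_hdrs["last-modified"]))
```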

Retrieving Long Documents

12. How many HTTP GET request messages did your browser send? Which packet number
in the trace contains the GET message for the Bill of Rights?

The following GET requests are listed (example entries):

1. Packet 8195
2. Packet 8329
3. Packet 17094
4. Packet 17184
5. Packet 17187
The visible packets do not reference the Bill of Rights in the URL.
To find the specific packet containing that GET request:
• Use Wireshark's filter: type http.request in the filter bar to show all HTTP requests.

------------------------------------------------------
13. Which packet number in the trace contains the status code and phrase associated with
the response to the HTTP GET request?

Locate the HTTP GET Request:

• Packets like 8195, 8329, 17094, 17184, and 17187 are all HTTP GET requests.

Check for the Corresponding Response:

I. HTTP responses usually follow the corresponding request, and they contain status
codes like 200 OK or 404 Not Found in the Info column.
II. Packet 8195 (HTTP GET request) is followed by Packet 8199, which shows an
HTTP/1.1 200 OK response.
III. Packet number 8199 contains the status code and phrase ("200 OK") associated
with the response to a prior HTTP GET request.
Follow the HTTP stream: Right-click on a GET request > Follow > HTTP stream to view all
request-response pairs.

Use Wireshark filters: Apply http.response to list only the responses and match them to the
GET requests.

-----------------------------------------------------
14. What is the status code and phrase in the response?

The HTTP response associated with the GET request in Packet 8195 shows the following:

• Status Code: 200
• Phrase: OK

This is visible under the Info column, where the response is labeled "HTTP/1.1 200 OK".

-----------------------------------------------------
15. How many data-containing TCP segments were needed to carry the single
HTTP response and the text of the Bill of Rights?

• Multiple 206 Partial Content responses are visible, meaning the data may have been
split across several TCP segments.
• Each 206 Partial Content segment likely corresponds to a fragment of the response
body (such as the text of the "Bill of Rights"), which will require multiple TCP
segments.
• In Wireshark, TCP segments containing data have a non-zero payload size.
These segments are marked with a length field greater than zero.
• Sum up the number of TCP segments used for the full response payload (not just
the headers but the actual content/text).
• Look for the corresponding HTTP response (filter with http.response if needed) that
matches the GET request.
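The count asked for in question 15 can be done mechanically from the packet list once pure ACKs (Len=0) and retransmissions are separated out, and the reassembled byte total checked against the declared Content-Length. This is an added Python example, not part of the lab solution; the segment list, header size and Content-Length are constructed sample values, not taken from the capture.

```python
# Constructed server->client segments shaped like Wireshark's packet list:
# (packet number, relative TCP sequence number, TCP payload length in bytes).
SEGMENTS = [
    (8197, 1, 0),        # pure ACK of the GET: Len=0, carries no data
    (8199, 1, 1460),     # status line "HTTP/1.1 200 OK", headers, start of body
    (8201, 1461, 1460),
    (8203, 2921, 1460),
    (8205, 2921, 1460),  # retransmission of 8203: same seq and length
    (8207, 4381, 1000),  # final segment; Wireshark attaches the reassembled HTTP PDU here
]
HEADER_BYTES = 380       # constructed size of the response status line + headers
CONTENT_LENGTH = 5000    # constructed Content-Length of the body

def data_segments(segments):
    """Segments with a non-zero TCP payload, i.e. the ones with Len > 0 in the packet list."""
    return [s for s in segments if s[2] > 0]

def unique_data_segments(segments):
    """Same, but with retransmissions collapsed: one entry per (seq, length) pair."""
    seen, out = set(), []
    for pkt, seq, length in data_segments(segments):
        if (seq, length) not in seen:
            seen.add((seq, length))
            out.append((pkt, seq, length))
    return out

def reassembled_bytes(segments):
    """Bytes handed to the application: contiguous payload from relative seq 1, no duplicates."""
    total, nxt = 0, 1
    for _, seq, length in sorted(unique_data_segments(segments), key=lambda s: s[1]):
        if seq != nxt:
            break   # a gap here means a segment is missing from the capture
        total, nxt = total + length, seq + length
    return total

def carries_whole_response(segments, header_bytes, content_length):
    """True when the reassembled payload exactly covers headers plus the declared body."""
    return reassembled_bytes(segments) == header_bytes + content_length

if __name__ == "__main__":
    print(len(data_segments(SEGMENTS)), "data segments on the wire")        # 5
    print(len(unique_data_segments(SEGMENTS)), "distinct data segments")    # 4
    print(reassembled_bytes(SEGMENTS), "payload bytes reassembled")         # 5380
    print(carries_whole_response(SEGMENTS, HEADER_BYTES, CONTENT_LENGTH))   # True
```

The "on the wire" count is what a plain Len > 0 filter shows; the distinct count is the number actually needed to carry the response.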

---------------------------------------------
HTML Documents with Embedded Objects

16. How many HTTP GET request messages did your browser send? To which
Internet addresses were these GET requests sent?

Number of HTTP GET Requests

There are five HTTP GET request messages:

• Packet 8195
• Packet 8329
• Packet 17094
• Packet 17184
• Packet 17187

Internet Addresses (Destination IPs) for GET Requests

104.91.68.10

• Packet 8195 and others target this address, which likely belongs to Microsoft's content
delivery network (CDN) (as indicated by officecdn.microsoft.com in the HTTP header).

185.200.125.34

• Packets 17094, 17184, and 17187 are sent to this IP address.

------------------------------------------------

17. Can you tell whether your browser downloaded the two images serially,
or whether they were downloaded from the two web sites in parallel?
Explain.

• The current capture does not specifically show the downloading of images, as the listed
requests seem to be related to downloading CAB files (e.g., v64_16.0.14332.20791.cab),
which are typically used in software updates or installations, not images.

-----------------------------------------------------
