Question: HTTP ANALYSIS

Review the first capture file and determine what is happening with the HTTP traffic.

a. Describe the traffic: what packets are involved and what is happening? (Include source, destination, and time of capture.)

b. Review the second capture file and determine what is happening with the HTTP traffic in this capture. How is the traffic different from the first capture? Describe the traffic: what packets are involved and what is happening? (Include source, destination, and time of capture.)
Capture 1 (Part a.)

Note:
I also noticed TCP Spurious Retransmission and TCP Dup ACK when I did not apply the HTTP filter, as in the above capture. I'm not sure exactly what this means. Were packets lost, resent? (Please see the other part of capture 1 below.) Your explanation is greatly appreciated.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Capture 2 (Part b. with the HTTP filter applied)


Capture 2 (without the HTTP filter applied)

Screenshot text recovered from the Wireshark image (display filter "http" applied; the Time column is seconds since the first frame, Delta is time since the previous displayed frame):

No.  Delta      Time       Source           Destination      Proto  Length  Info
4    0.000000   0.911310   145.254.160.237  65.208.228.223   HTTP   533     GET /download.html HTTP/1.1
18   2.072981   2.984291   145.254.160.237  216.239.59.99    HTTP   775     GET /pagead/ads?client=ca-pub-2309191948673629&random=108444343028581 ... HTTP/1.1 (query string truncated in the screenshot)
27   0.971397   3.955688   216.239.59.99    145.254.160.237  HTTP   214     HTTP/1.1 200 OK
38   0.891281   4.846969   65.208.228.223   145.254.160.237  HTTP   533     HTTP/1.1 200 OK (text/html)

Packet details pane for frame 27 (the frame selected in the screenshot):

Frame: [Protocols in frame: eth:ethertype:ip:tcp:http:data-text-lines] [Coloring Rule Name: HTTP] [Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: fe:ff:20:00:01:00, Dst: Xerox_00:00:00 (00:00:01:00:00:00)
Internet Protocol Version 4, Src: 216.239.59.99, Dst: 145.254.160.237
Transmission Control Protocol, Src Port: 80, Dst Port: 3371, Seq: 1431, Ack: 722, Len: 160
    Source Port: 80
    Destination Port: 3371
    [Stream index: 1]
    [TCP Segment Len: 160]
    Sequence number: 1431 (relative sequence number)
    [Next sequence number: 1591 (relative sequence number)]
    Acknowledgment number: 722 (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
    Window size value: 31460
    [Calculated window size: 31460]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0xde29 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
    [Timestamps]
    TCP payload (160 bytes)
    TCP segment data (160 bytes)
[2 Reassembled TCP Segments (1590 bytes): #26(1430), #27(160)]
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"\r\n
    Content-Type: text/html; charset=ISO-8859-1\r\n
    Content-Encoding: gzip\r\n
    Server: CAFE/1.0\r\n
    Cache-control: private, x-gzip-ok=""\r\n
    Content-length: 1272\r\n
    Date: Thu, 13 May 2004 10:17:14 GMT\r\n
    [HTTP response 1/1]
    [Time since request: 0.971397000 seconds]
    Content-encoded entity body (gzip): 1272 bytes -> 3608 bytes
    File Data: 3608 bytes
Line-based text data: text/html (3 lines)
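As an added illustration (not part of the original question, its answer, or the capture files), the Python script below performs the two kinds of analysis the question calls for. It pairs each HTTP request with its response and computes the values Wireshark shows as "Delta time displayed" and "[Time since request]", using the frame numbers, times and addresses from the screenshot above; and it applies simplified versions of Wireshark's TCP SEQ/ACK expert heuristics (retransmission, spurious retransmission, previous segment not captured, duplicate ACK) to a TCP segment sequence that is invented for the demonstration, with sequence numbers, ACKs and window sizes chosen to trigger each label.

```python
"""Added worked example (not from the original question or its capture files).
HTTP_ROWS reuses frame numbers, times and addresses from the screenshot;
TCP_SAMPLE is an invented segment sequence built to trigger each TCP label."""
from dataclasses import dataclass


@dataclass
class Pkt:
    no: int
    time: float   # absolute capture time in seconds (Wireshark "Time" column)
    src: str
    dst: str
    info: str


# Constructed from the four HTTP frames visible in the screenshot.
HTTP_ROWS = [
    Pkt(4, 0.911310, "145.254.160.237", "65.208.228.223", "GET /download.html HTTP/1.1"),
    Pkt(18, 2.984291, "145.254.160.237", "216.239.59.99", "GET /pagead/ads?client=ca-pub-2309191948673629 HTTP/1.1"),
    Pkt(27, 3.955688, "216.239.59.99", "145.254.160.237", "HTTP/1.1 200 OK"),
    Pkt(38, 4.846969, "65.208.228.223", "145.254.160.237", "HTTP/1.1 200 OK (text/html)"),
]


def delta_displayed(rows):
    """Wireshark's 'Delta time displayed': seconds since the previous listed frame."""
    deltas, prev = {}, None
    for p in rows:
        deltas[p.no] = 0.0 if prev is None else round(p.time - prev, 6)
        prev = p.time
    return deltas


def pair_http(rows):
    """Match each response to the oldest unanswered request between the same
    client and server; returns (request_no, response_no, seconds)."""
    pending = {}  # (client, server) -> outstanding requests in arrival order
    pairs = []
    for p in rows:
        if p.info.startswith(("GET ", "POST ", "HEAD ")):
            pending.setdefault((p.src, p.dst), []).append(p)
        elif p.info.startswith("HTTP/"):
            key = (p.dst, p.src)  # a response flows server -> client
            if pending.get(key):
                req = pending[key].pop(0)
                pairs.append((req.no, p.no, round(p.time - req.time, 6)))
    return pairs


@dataclass
class Seg:
    no: int
    src: str
    dst: str
    seq: int      # relative sequence number
    ack: int      # relative acknowledgment number
    length: int   # TCP payload bytes
    win: int      # advertised window


def classify_tcp(segs):
    """Simplified Wireshark SEQ/ACK heuristics; returns {frame_no: [labels]}.
    spurious retransmission: data the peer has already acknowledged;
    retransmission: data below the sender's highest next-sequence seen;
    previous segment not captured: data above it (a gap: loss, or a segment
    the capture point never saw); dup ack: empty segment repeating the
    sender's previous ack number and window."""
    next_seq = {}  # sender -> highest seq+len seen from it
    acked = {}     # sender -> highest ack number its peer has sent for its data
    last_ack = {}  # sender -> (ack, win) carried by its previous segment
    labels = {}
    for s in segs:
        notes = []
        if s.length > 0:
            if s.seq + s.length <= acked.get(s.src, 0):
                notes.append("spurious retransmission")
            elif s.seq < next_seq.get(s.src, 0):
                notes.append("retransmission")
            elif s.src in next_seq and s.seq > next_seq[s.src]:
                notes.append("previous segment not captured")
            next_seq[s.src] = max(next_seq.get(s.src, 0), s.seq + s.length)
        elif last_ack.get(s.src) == (s.ack, s.win):
            notes.append("dup ack")
        last_ack[s.src] = (s.ack, s.win)
        acked[s.dst] = max(acked.get(s.dst, 0), s.ack)  # this ACK covers dst's data
        labels[s.no] = notes
    return labels


# Invented exchange between the client C and server S from the screenshot:
# one data segment never reaches the capture point, the client dup-ACKs,
# the server retransmits, then re-sends data that was already ACKed.
C, S = "145.254.160.237", "65.208.228.223"
TCP_SAMPLE = [
    Seg(1, S, C, 1, 480, 1380, 6432),
    Seg(2, C, S, 480, 1381, 0, 9660),
    Seg(3, S, C, 2761, 480, 1380, 6432),   # bytes 1381..2760 missing
    Seg(4, C, S, 480, 1381, 0, 9660),      # dup ack
    Seg(5, C, S, 480, 1381, 0, 9660),      # dup ack
    Seg(6, S, C, 1381, 480, 1380, 6432),   # retransmission filling the gap
    Seg(7, C, S, 480, 4141, 0, 9660),      # everything acknowledged
    Seg(8, S, C, 1, 480, 1380, 6432),      # spurious retransmission
]

if __name__ == "__main__":
    print("delta displayed:", delta_displayed(HTTP_ROWS))
    for req, resp, secs in pair_http(HTTP_ROWS):
        print(f"frame {req} -> frame {resp}: time since request {secs:.6f}s")
    for no, notes in classify_tcp(TCP_SAMPLE).items():
        print(f"segment {no}: {', '.join(notes) or 'ok'}")
```

Running it reproduces the 0.971397 s that Wireshark reports for frame 27 (response to frame 18) and gives 3.935659 s for frame 38 (response to frame 4). In the invented TCP sequence the labels follow Wireshark's conventions: duplicate ACKs from the receiver followed by a retransmission from the sender indicate that a data segment was lost or reordered on the path, while a spurious retransmission means the sender re-sent data the receiver had already acknowledged, which usually points to a lost or delayed ACK rather than lost data.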