HTTP

Filter:

  • http
  • tcp.port==80
  • http.host=="www.abc.net" or http.host contains "www.abc.net"
    This filters only on the destination host (the Host header of the request).
  • http.response.code==404
    A code of 200 means the transfer is OK.
HTTP cache
Conditional GET:

A conditional GET is an HTTP GET request that may return an HTTP 304 response (instead of HTTP 200). An HTTP 304 response indicates that the resource has not been modified since the previous GET, so the resource is not returned to the client in such a response; the server instead tells the client to read the resource from its local cache. See RFC 7232 for details.

Browsers maintain a cache. If the object is already cached, the server supports conditional GET, and the resource has not changed since the previous GET (as indicated by HTTP 304), the client reads the resource from cache.

When a site is browsed for the first time, the data isn't in the cache, and the server sends back:

  • Cache-Control (max-age, in seconds): how long the data is allowed to be cached.
  • Last-Modified: when the data was last modified.
  • A hash (the ETag): used to check whether the content has changed.

There are at least two (not completely independent) approaches to conditional GET:

  1. Last-Modified / If-Modified-Since
  2. ETag / If-None-Match

In both cases, the value of a response header is used as the value of a subsequent request header.
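As an added illustration (not code from these notes), the server-side decision that produces the 200 and 304 responses seen in the capture, in Python; the resource body, ETag and Last-Modified date are constructed, and the precedence rule (If-None-Match wins over If-Modified-Since) follows RFC 7232.

```python
"""Conditional GET decision logic for one constructed resource.

The origin holds a Last-Modified date and an ETag; the client echoes them back
as If-Modified-Since / If-None-Match and gets 304 (no body) when nothing
changed, or 200 with the body otherwise."""
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample resource (not from a real site).
RESOURCE = {
    "body": b"<html>hello</html>",
    "etag": '"abc123"',
    "last_modified": datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc),
}


def etag_matches(if_none_match: str, etag: str) -> bool:
    """Weak comparison: '*' or any listed tag equal after dropping a W/ prefix."""
    if if_none_match.strip() == "*":
        return True
    strip = lambda t: t[2:] if t.startswith("W/") else t
    listed = [strip(t.strip()) for t in if_none_match.split(",")]
    return strip(etag) in listed


def handle_get(headers: dict, res=RESOURCE):
    """Return (status, response_headers, body) for a GET carrying `headers`.

    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    validators = {
        "ETag": res["etag"],
        "Last-Modified": format_datetime(res["last_modified"], usegmt=True),
    }
    not_modified = False
    if "if-none-match" in h:
        # RFC 7232: when If-None-Match is present, If-Modified-Since is ignored.
        not_modified = etag_matches(h["if-none-match"], res["etag"])
    elif "if-modified-since" in h:
        try:
            since = parsedate_to_datetime(h["if-modified-since"])
            not_modified = res["last_modified"] <= since
        except (TypeError, ValueError):
            not_modified = False  # unparseable date: treat the GET as unconditional
    if not_modified:
        # 304: validators are repeated, the body is omitted; client uses its cache.
        return 304, validators, b""
    return 200, {**validators, "Cache-Control": "max-age=3600"}, res["body"]
```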

Filter to show the response packet:

http.response.code==304

Some data may not be cacheable; to show those packets, use the filter:

http.cache_control=="no-cache"

(or http.cache_control contains "no-cache", since the header often carries several directives, e.g. "no-cache, no-store")

Export an HTTP object to a file:

Click File > Export Objects > HTTP, then choose a file.

Example:

First, start a capture, open a browser, open a web site, then refresh it (so the browser reads most of the content from cache).

Apply filter:

[screenshot: http_cache1]

  • The response phrase is "Not Modified", so the client will read the resource from cache.
  • Server info: nginx.
  • Last-Modified: the date when the requested data was last modified. Some servers do not provide this header and only tell you whether the data has been modified.
  • Request in frame: indicates which frame this frame is a response to; here, 630 is the request frame.

Next, it is worth analysing the request frame and looking at its content:

First, remove the filter expression and press Enter:

[screenshot: http_cache2]

  • Find frame 630. The → arrow marks the request frame; note that ← marks the response frame.
  • Expand Hypertext Transfer Protocol. The path after the GET is the requested resource.
  • If-Modified-Since: the client asks the server whether the requested data has been modified since this point in time.
  • Cache-Control: max-age=0. max-age=0 simply tells caches (and user agents) that the response is stale from the start, so they SHOULD revalidate it (e.g. with the If-Modified-Since header) before using a cached copy, whereas no-cache tells them they MUST revalidate before using a cached copy. More details here: https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1


FTP
Passive FTP
  • The problem with active FTP is that firewalls on the client side may block the data connection that the server opens back to the client.
  • In passive mode both channels (command and data) are initiated from the client side.


Filter:

  • Command channel: ftp
  • Data channel: ftp-data
  • ftp.response.code==230
  • ftp.request.command=="USER"

FTP response codes: https://en.wikipedia.org/wiki/List_of_FTP_server_return_codes

Email
POP:

The client lists, downloads and deletes messages.

tcp.port==110

pop.response.indicator=="xxx" (the indicator is "+OK" or "-ERR")

The password is sent unencrypted, so it is visible in the capture.

SMTP:

tcp.port==25

Reference

https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html


Related tools:

  • Network Miner
  • xplico