
Decoding Wireshark: How TCP/IP Layers Shape HTTP Traffic

This article explains how Wireshark captures map to the TCP/IP four‑layer model, walks through Ethernet, IP, TCP/UDP, and application layers, and demonstrates detailed HTTP request‑response analysis using Wireshark, HttpWatch, and browser developer tools.

FunTester

Wireshark packet captures follow the classic TCP/IP four‑layer model: the innermost (application) layer carries the business data, and each outer header adds the addressing and forwarding parameters needed to deliver it.

Layer Mapping

Data Link Layer : Represented by the Ethernet II header, which carries the source and destination MAC addresses used for delivery on the local link; ARP/RARP provide the mapping between IP and MAC addresses.

Network Layer : The Internet Protocol header provides IP addresses for routing between networks.

Transport Layer : TCP or UDP headers carry source and destination ports. NAT devices often rewrite these ports in transit, so the actual end‑to‑end conversation is identified by the IP address + port pair.

Application Layer : Protocols such as HTTP, DNS, DHCP, and others encapsulate the actual business payload.

Analogy

The encapsulation process is similar to mailing a document: the envelope corresponds to the TCP layer (port numbers), the address on the envelope to the IP layer, and the courier’s handling to the data‑link layer.

HTTP Traffic Test

The test captured HTTP traffic from a device’s login page using both HttpWatch (basic version) and the browser’s F12 developer tools. The capture shows one POST request and several GET requests, with minor differences in ordering between the two tools.

HttpWatch’s basic edition provides only summary information, while the browser dev tools reveal full request and response details.

Request Details

The first POST request targets http://172.2.215.175/web/device/login?lang=1. The request line shows the POST method, and the request headers (Accept-Language and User-Agent) disclose client information: language=Chinese, OS=Windows 7 (64‑bit), browser engine=Trident/7.0 (IE 11), and a Mozilla‑style User‑Agent string.

Client Information Usage

Servers use these headers to deliver appropriate content for different devices and operating systems, a practice common in modern web services.

Form Encoding

The payload uses application/x-www-form-urlencoded, the default encoding for HTML forms.
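As an added example (not code from the article or from FunTester), the script below ties the layer mapping above to the POST request just described: it builds a constructed Ethernet II / IPv4 / TCP frame carrying a login POST with a form-urlencoded body, then peels the layers in the order Wireshark's detail pane lists them and decodes the request line, headers and form fields. The MAC addresses, client IP, ports and credentials are placeholders of my choosing.

```python
import struct
from urllib.parse import parse_qs

# Constructed sample (not the article's capture): an HTTP POST like the login request
# above, wrapped in TCP, IPv4 and Ethernet II headers; addresses and credentials are fake.
HTTP_PAYLOAD = (
    b"POST /web/device/login?lang=1 HTTP/1.1\r\n"
    b"Host: 172.2.215.175\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    b"Accept-Language: zh-CN\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n\r\n"
    b"username=admin&password=secret"
)

def build_frame(payload: bytes) -> bytes:
    """Encapsulate outward: TCP header, then IPv4 header, then Ethernet II (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([172, 2, 215, 174]), bytes([172, 2, 215, 175])) + tcp
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip

def decode_frame(frame: bytes) -> dict:
    """Peel the layers outermost-first, the way Wireshark's packet detail pane shows them."""
    out = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out["ethernet"] = {"dst": dst.hex(":"), "src": src.hex(":"), "type": hex(ethertype)}
    if ethertype != 0x0800:          # only IPv4 is decoded here (0x0806 would be ARP)
        return out
    ver_ihl, _, total, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4       # header length in bytes; IP options make it > 20
    out["ip"] = {"src": ".".join(map(str, sip)), "dst": ".".join(map(str, dip)), "ttl": ttl, "proto": proto}
    if proto != 6:                   # 6 = TCP; 17 would be UDP (DNS, DHCP)
        return out
    t = 14 + ihl
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", frame[t:t + 14])
    out["tcp"] = {"src_port": sport, "dst_port": dport, "flags": hex(flags)}
    payload = frame[t + (off >> 4) * 4: 14 + total]   # trust the IP total length, not the frame tail
    if dport != 80 or b"\r\n\r\n" not in payload:
        return out
    head, body = payload.split(b"\r\n\r\n", 1)
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in lines[1:])}
    http = {"method": method, "target": target, "version": version, "headers": headers}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        http["form"] = parse_qs(body[:int(headers.get("content-length", len(body)))].decode())
    out["http"] = http
    return out

print(decode_frame(build_frame(HTTP_PAYLOAD)))   # run stand-alone to see every layer decoded
```

Note that the form fields, including the password, come back in clear text exactly as the capture would show them; that is the practical reason the article contrasts Telnet with SSH below.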

Binary Payload

Wireshark’s bytes pane shows the raw payload in hex with an ASCII rendering alongside it; the printable bytes can be read directly, and the rest can be interpreted with a standard ASCII table or a tool such as EditPlus.

Response Composition

The response headers are followed by an HTML body. The body references additional resources (CSS, JavaScript, images) that the client subsequently requests; the paths in those requests reveal part of the server’s directory structure and may expose sensitive locations.

Additional Observations

Capturing Telnet traffic shows clear‑text data, whereas SSH encrypts the payload, making interception difficult.

CAPTCHA images often map to numeric values; understanding the generation algorithm could allow bypassing simple image‑based CAPTCHAs.

Beyond POST and GET, HTTP supports methods such as HEAD, PUT, DELETE, TRACE, and CONNECT, which may be explored in future analyses.

Original source: https://zhidao.baidu.com/question/1767408752449075980.html

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
