Deep Dive into HTTP: From Packet Capture to Protocol Mechanics
This comprehensive tutorial walks through capturing HTTP traffic with Wireshark and tcpdump, decodes raw TCP packets, explains request and response structures, explores encoding, MIME types, methods, status codes, and advanced topics such as proxies, caching, cookies, redirection, and connection management, giving developers a solid understanding of how HTTP works under the hood.
HTTP Protocol Analysis
This article demonstrates how to capture and dissect HTTP traffic using Wireshark on a Mac and tcpdump on a remote Docker container, then explains the full request‑response cycle at the packet level.
Background
A geospatial service provides a Fence2Area API that receives a list of points and a coordinate system type, returning the polygon area.
Packet Capture Setup
On the local Mac, set Wireshark filter ip.addr eq docker_ip and start capture. On the remote Docker host, run tcpdump -w /tmp/testHttp.cap port 7080 -s0 to record packets.
Request and Response Packets
The captured traffic consists of seven packets: three-way TCP handshake, HTTP request, server ACK, HTTP response, and final ACKs. The fourth packet contains the full HTTP GET request:
GET /data?cmd=Fence2Area&meta={%22caller%22:%22test%22,%22TraceId%22:%22test%22}&request={%22fence%22:[{%22lng%22:10.2,%22lat%22:10.2},{%22lng%22:10.2,%22lat%22:8.2},{%22lng%22:8.2,%22lat%22:8.2},{%22lng%22:8.2,%22lat%22:10.2}],%22coordtype%22:2} HTTP/1.1
Host: 10.96.212.96:7080
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Connection: keep-alive
The sixth packet carries the HTTP response:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Thu, 03 Jan 2019 12:23:47 GMT
Content-Length: 48
Content-Type: text/plain; charset=utf-8
{"data":{"area":48764135597.842606},"errstr":""}
Encoding and URL Encoding
Characters not safe for URLs are percent‑encoded (e.g., %22 for double quotes). The request URL shown above is fully percent‑encoded.
MIME Types
The response includes Content-Type: text/plain; charset=utf-8, indicating plain‑text body encoded in UTF‑8.
URI, URL, and URN
URI is the generic identifier; URL specifies location (scheme, host, path), while URN provides a persistent name.
HTTP Methods
Common methods include GET, HEAD, POST, PUT, DELETE. HEAD returns only headers; POST submits data; PUT stores data at a specific resource.
Status Codes
Typical codes: 200 OK (success), 404 Not Found (resource missing), 500 Internal Server Error (server failure). The first digit classifies the response.
Message Format
Both request and response consist of a start line, headers, a blank line, and an optional body. Lines end with \r\n.
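The message layout described above, as an added example that is not code from the original article: a Python parser that splits the captured request and response at the blank line, rejects bare CR or LF line endings, checks Content-Length against the body, and percent-decodes the query string. The sample bytes are constructed from the packets shown earlier (some request headers omitted), and the function names parse_message and decode_query are assumptions.

```python
import json
from urllib.parse import parse_qs

# Constructed from the request/response in this article (some request headers omitted).
RAW_REQUEST = (
    b"GET /data?cmd=Fence2Area&meta={%22caller%22:%22test%22,%22TraceId%22:%22test%22}"
    b"&request={%22fence%22:[{%22lng%22:10.2,%22lat%22:10.2},{%22lng%22:10.2,%22lat%22:8.2},"
    b"{%22lng%22:8.2,%22lat%22:8.2},{%22lng%22:8.2,%22lat%22:10.2}],%22coordtype%22:2} HTTP/1.1\r\n"
    b"Host: 10.96.212.96:7080\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n\r\n"
)
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Length: 48\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b'{"data":{"area":48764135597.842606},"errstr":""}'
)


def parse_message(raw: bytes):
    """Split one HTTP/1.x message into (start-line fields, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLF CRLF terminating the header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    if any("\r" in ln or "\n" in ln for ln in lines):
        raise ValueError("bare CR or LF inside the header block")
    start = lines[0].split(" ", 2)
    if len(start) != 3:
        raise ValueError("malformed start line")
    headers = {}
    for ln in lines[1:]:
        name, colon, value = ln.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {ln!r}")
        if name.lower() == "content-length" and "content-length" in headers:
            raise ValueError("more than one Content-Length header")
        headers[name.lower()] = value.strip()
    # A length mismatch means a truncated capture or ambiguous message framing.
    if "content-length" in headers and int(headers["content-length"]) != len(body):
        raise ValueError("Content-Length does not match the body length")
    return start, headers, body


def decode_query(target: str):
    """Percent-decode the query string; parse values that hold JSON."""
    pairs = parse_qs(target.partition("?")[2], strict_parsing=True)
    return {k: json.loads(v[0]) if v[0].startswith(("{", "[")) else v[0]
            for k, v in pairs.items()}
```

Feed it the reassembled TCP payload of one message; a ValueError on a real capture points at truncation (for example a snap length shorter than the packet) or at framing that two parsers could read differently.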
Advanced Topics
Proxy
Proxies can monitor, modify, cache, or anonymize traffic. Each hop adds a Via header.
Caching
Clients use If-Modified-Since and servers may reply 304 Not Modified. Cache headers like Expires, Cache-Control, and Age control freshness.
Cookies
Servers set cookies via Set-Cookie; browsers return them with Cookie. Cookies can be session‑only or persistent.
Redirection and Load Balancing
HTTP 302 redirects guide clients to another URL; DNS can also perform load‑balancing via round‑robin or geographic routing.
Connection Management
HTTP/1.1 uses persistent connections (keep‑alive) by default, reducing TCP handshake overhead. TCP keep‑alive probes detect dead connections. Pipelining allows multiple requests on a single connection, but only for idempotent methods.
Internationalization
Clients advertise supported languages (Accept-Language) and character sets (Accept-Charset). Servers specify the charset in Content-Type.
Summary
The article covers end‑to‑end HTTP communication, from raw packet capture to high‑level protocol features, providing a solid foundation for developers working with web services.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
