Unveiling HTTP Traffic: How Wireshark and Browser DevTools Reveal Packet Layers

Through earlier packet captures we can see that Wireshark’s packet structure mirrors the TCP/IP four‑layer model, with the innermost layer carrying business data and the outermost layer containing forwarding parameters.

The outermost Ethernet II frame corresponds to the data‑link layer, the Internet Protocol (IP) header to the network layer, the Transmission Control Protocol (TCP) or UDP header to the transport layer, and protocols such as HTTP, DNS, or Telnet to the application layer.

An analogy likens this process to mailing a contract: the envelope is the encapsulation, the sender and receiver addresses map to IP addresses, the port numbers act like the recipient’s name, and the courier’s routing mirrors data‑link forwarding.

Unlike Telnet, which transmits data in clear text (like an open envelope), SSH encrypts the payload, requiring matching keys to open the “sealed” packet.

To demonstrate, the author captured HTTP traffic using Wireshark, HttpWatch (basic version), and the browser’s F12 developer tools. Screenshots show that both Wireshark and HttpWatch record the same POST and GET actions, though the order may differ. The basic HttpWatch version provides limited details, while the F12 console displays richer information.

In the network layer the captured packets reveal source and destination IP addresses; the transport layer shows destination port 80, the standard HTTP port. The first POST request targets http://172.2.215.175/web/device/login?lang=1. The request includes headers indicating language=Chinese, OS=Windows 7 64‑bit, and User‑Agent=Trident/7.0 (IE 11). These headers allow the server to tailor the response to the client’s environment.

The server’s response contains an HTML page, which the client parses to request additional resources such as CSS, JavaScript, and images. Eight subsequent resource requests are observed, exposing potential storage paths that could be enumerated if permissions allow.

The login page also includes a numeric captcha value; the author notes that each captcha image maps to a number, suggesting that reverse‑engineering the generation algorithm could bypass the verification.

Beyond the common POST and GET methods, HTTP also defines HEAD, PUT, DELETE, TRACE, CONNECT, and others, which can be examined as needed.