Ask Your Question
0

http request and response clarification!

asked 2017-11-01 14:34:14 +0000

harpreet gravatar image

updated 2017-11-01 14:57:52 +0000

Jaap gravatar image

link for tcpdump file 203_tcpdump.pcap

203_tcpdump.pcap is captued on server 10.5.207.203. It is receiving traffic from 10.5.129.207. 203 stands for 10.5.207.203 207 stands for 10.5.129.207

Below is the http packet request/response count and error description.

packet count 15 - from 207 to 203. - http.response.code == 500 - internal server error - The [action] cannot be processed at the receiver. - http/xml

packet count 30 - from 207 to 203 - http.response.code == 404 - Error 404: SRVE0190E: File not found: /services/ResponseHandlerPort/mex - pure http

packet count 14 - from 207 to 203 - http.response.code == 400 - The [action] cannot be processed at the receiver. - http/xml

packet count 15 - from 207 to 203 - http.response.code == 302 - 302 Found - pure http

packet count 15 - from 207 to 203 - http.response.code == 202 - 202 Accepted - pure http

http.response.code == 200 - success. - from 207 to 203 and from 203 to 207 - pure http and http/xml both.

http.request.method == POST - packet count 82 - from 207 to 203 and 203 to 207 - all http/xml

http.request.method == GET - packet count 45 - from 203 to 207 - all HTTP

HTTP Response packets.

redirection - 302 success - 202 and 200
server error - 500 client error - 404 and 400

HTTP Request packets.

GET and POST

I want to know the below points:-

  1. Are the http response codes other than 200 and 202 are normal or i need to send these errors to the client i.e. 207 server to stop sending such http requests to my server 203? wht exactly is the meaning of each of them?

  2. What is exactly POST and GET? i see GET is purely HTTP and POST is http/xml. can GET also be http/xml and POST can be pure http?

  3. why i dont see any GET from 207 to 203?

  4. what is exacty http response code 202. how is it different from http response code 200.

  5. If i want to check all the tcp, http and other protocols packets for a particular transaction i.e. request for particular mobile number. will the stream be same for all such packets or it will different. follow tcp stream is the option to check all tcp syn to fin, http and other protocols packets for a particular transaction or there is some other option. That is I will search in filter like this "http contains XXXXX" this will give the packet containing XXX. then i will do follow tcp stream on this packet to see all packts related to that. XXXXX is the mobile number i.e. msisdn.

  6. How to avoid this error "X bytes missing in capture" while capturing tcpdump. So that entire packets are displayed from source to destination and vice-versa when doing follow http stream. This is present in file TCPDUMP199.pcap present at same link as above.

edit retag flag offensive close merge delete

Comments

Can you present us a password free link?

Christian_R gravatar imageChristian_R ( 2017-11-01 15:24:25 +0000 )edit

Christian:-- Try this link URL: https://www.cloudshark.org/captures/9...

harpreet gravatar imageharpreet ( 2017-11-01 16:11:30 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2017-11-01 15:05:50 +0000

Jaap gravatar image

updated 2017-11-01 15:08:40 +0000

Let's see

  1. That is up to the particular application. See the RFC
  2. These are the basic HTTP methods. See the RFC
  3. Servers usually don't use GET mehod
  4. See item 1
  5. ?
  6. Look for the -s option to set the snap length. See the manual page
edit flag offensive delete link more

Comments

For point 3; 207 is actually the client which send http request to 203. Also here who is client and who is server is quiet confusing. There are 82 POST and 45 GET. POST is initiated from both 203 and 207. whereas post is a request method. Is it that a machine which is client at one time can also act as server at other point of time?

harpreet gravatar imageharpreet ( 2017-11-01 15:33:59 +0000 )edit

Regarding 5. - yes, an HTTP conversation (request/response) normally takes place in a single TCP session, so your steps (find a single HTTP packet with the MSISDN using filter, then use "follow tcp stream" for this packet) will show you all the packets related to the transaction (provided it has been completely captured).

However, you may have several HTTP conversations in the same TCP session (as reuse of TCP sessions saves resources), and, on the other hand, several HTTP conversations forming up a transaction at application level may be split into different TCP sessions. So once you find one HTTP conversation, it may be necessary to find in it some transaction ID of the application which uses HTTP as transport and look for it using your "http contains XXX" filter again. If you find it in several packets, check the tcp.stream value of all of them

sindy gravatar imagesindy ( 2017-11-01 15:37:36 +0000 )edit

to the last question of your previous comment - yes, this is possible if the two machines are peers in terms that any of them can generate its own requests towards the other one, unrelated to previous requests in the opposite direction. So you won't find such behaviour between a web browser and a web server, but you can find it where HTTP is used for information exchange between automated systems, which I guess is your case.

sindy gravatar imagesindy ( 2017-11-01 15:41:56 +0000 )edit

Sindy can you please put light on 1-4 as well! Also is there a way where i can check that my machines are peers and not client-server. Ofcourse there are two networking:- peer to peer client-server. But how to check that in a linux machine.

harpreet gravatar imageharpreet ( 2017-11-01 16:15:39 +0000 )edit

Not really. The meaning of HTTP response codes is quite concise in the RFC @Jaap has pointed you to so no point in copy-pasting that part of RFC here. Why one of your machines uses both POST and GET and the other one only uses POST is a choice of the respective application developers so no one else can explain that choice.

In the context of your other question (load balancer between clients and servers), you must send a response to every HTTP request you receive from a client; this means either to forward the original response you've received from the server, leaving the choice what to do next with the client, or, in some cases, to send the original request to another server and return its response to the client if that response is "better" than the one from the first server. E.g. if you receive a ...(more)

sindy gravatar imagesindy ( 2017-11-01 17:34:35 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

3 followers

subscribe to rss feed

Stats

Asked: 2017-11-01 14:34:14 +0000

Seen: 10,317 times

Last updated: Nov 01 '17

Related questions

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

How to plot HTTP requests/sec graph?

why protocol is not showing as HTTP even though we sent http request ?

How can I get https to show in Wireshark?

Cause Of Server Hello Delay

Development of OSCORE dissector

How to view packets sent out of ip

No HTTP protocols in scan results

long time to connect http device

why wireshark is not showing http or https packets in the view?