Wednesday, October 24, 2012

Using tshark to troubleshoot http

Here I give an example of how to use tshark, the command-line tool that ships with the Wireshark package, to monitor HTTP requests and responses.

On Windows, first identify the numbering of the NIC adapters, using the '-D' option:

C:\Program Files\Wireshark>tshark.exe -D
1. \Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2. \Device\NPF_{2F15B435-C783-4863-90AC-C9DF8B64FBE1} (VMware Accelerated AMD PCNet Adapter)

OK, let's now look at the HTTP traffic generated by loading the Twitter home page:
C:\Program Files\Wireshark>tshark -i 2 "tcp port 80" -R "http.request or http.response"
Capturing on VMware Accelerated AMD PCNet Adapter
0.005726 -> HTTP 867 GET / HTTP/1.1
3.067846 -> HTTP 867 [TCP Retransmission] GET / HTTP/1.1
4.577303 -> HTTP 425 GET /a/1350941601/t1/css/t1_core_logged_out.bundle.css HTTP/1.1
4.578931 -> HTTP 414 GET /a/1350941601/t1/css/t1_more.bundle.css HTTP/1.1
4.605371 -> HTTP 279 HTTP/1.0 200 OK (text/html)
4.612847 -> HTTP 615 HTTP/1.0 200 OK (text/html)
4.620900 -> HTTP 593 HTTP/1.0 200 OK (text/html)
4.631572 -> HTTP 414 GET /a/1350941601/images/bigger_spinner.gif HTTP/1.1
4.631683 -> HTTP 426 GET /a/1350941601/t1/img/front_page/city-balcony@2x.jpg HTTP/1.1
4.634542 -> HTTP 432 GET /c/swift/init.ef644480fe2a53578f7ce4eda13396e86b6fa74a.js HTTP/1.1
4.679344 -> HTTP 60 HTTP/1.0 200 OK (GIF89a)
4.679459 -> HTTP 60 HTTP/1.0 200 OK (GIF89a)
4.683034 -> HTTP 629 HTTP/1.0 200 OK (text/html)
4.702673 -> HTTP 529 GET /opensearch.xml HTTP/1.1
4.705784 -> HTTP 417 HTTP/1.0 304 Not Modified
15 packets captured

As the output above shows, this lists the URLs of the HTML, image and CSS files downloaded from the server, together with the HTTP response code for each.

Note the use of the tshark '-R' option to specify a display filter, which hides everything but the HTTP requests and responses so that we can concentrate on what is happening at the HTTP level, without distractions such as TCP ACKs. You may also want to extend the capture filter ("tcp port 80" above) to specify a particular host as well.
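As an added example (not from the post), here is a small Python parser for the one-line summaries tshark prints above, reducing a capture to the request/response records and counts a troubleshooter looks at first; the sample lines are constructed from the capture above, with the addresses stripped as in the post.

```python
import re
from collections import Counter

# Constructed sample: tshark summary lines as shown in the post (its capture had the
# addresses stripped; the parser accepts lines with or without them, and newer
# tshark's leading frame number and "→" arrow).
SAMPLE = """\
0.005726 -> HTTP 867 GET / HTTP/1.1
3.067846 -> HTTP 867 [TCP Retransmission] GET / HTTP/1.1
4.605371 -> HTTP 279 HTTP/1.0 200 OK (text/html)
4.679344 -> HTTP 60 HTTP/1.0 200 OK (GIF89a)
4.702673 -> HTTP 529 GET /opensearch.xml HTTP/1.1
4.705784 -> HTTP 417 HTTP/1.0 304 Not Modified
"""

LINE_RE = re.compile(  # [frame] time [src] -> [dst] HTTP length [flags] summary
    r"^\s*(?:\d+\s+)?(?P<time>\d+\.\d+)\s+(?:(?P<src>\S+)\s+)?(?:->|→)\s+"
    r"(?:(?P<dst>\S+)\s+)?HTTP\s+(?P<length>\d+)\s+"
    r"(?P<flags>(?:\[[^\]]*\]\s+)*)(?P<summary>.+?)\s*$")
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d$")
RESPONSE_RE = re.compile(
    r"^HTTP/\d\.\d\s+(?P<code>\d{3})\s+(?P<reason>.*?)(?:\s+\((?P<ctype>[^)]*)\))?$")

def parse_summary(text):
    """Turn tshark summary lines into request/response records; banner lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "Capturing on ..." or "15 packets captured"
        rec = {"time": float(m["time"]), "length": int(m["length"]), "src": m["src"],
               "dst": m["dst"], "retransmitted": "Retransmission" in m["flags"]}
        req, resp = REQUEST_RE.match(m["summary"]), RESPONSE_RE.match(m["summary"])
        if req:
            rec.update(kind="request", method=req["method"], uri=req["uri"])
        elif resp:
            rec.update(kind="response", code=int(resp["code"]), reason=resp["reason"],
                       ctype=resp["ctype"])
        else:
            rec.update(kind="other", summary=m["summary"])
        records.append(rec)
    return records

def summarize(records):
    """Counts a troubleshooter wants first: volumes, retransmissions, status codes."""
    return {"requests": sum(r["kind"] == "request" for r in records),
            "responses": sum(r["kind"] == "response" for r in records),
            "retransmissions": sum(r["retransmitted"] for r in records),
            "status_codes": Counter(r["code"] for r in records if r["kind"] == "response")}
```

On tshark 1.10 and later the single-pass display filter option is '-Y'; '-R' now requires '-2' (two-pass mode).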
