[Go] Use Wireshark to detect an HTTP connection process

Wireshark is a similar tcpdump sniffer software, the interface is more user-friendly, today I use it to detect an HTTP connection process.

After installation, first configure, select Capture->options, first set the network interface you want to sniff,

Then enter TCP port HTTP in capture filter, which indicates only TCP requests that are listening on port 80.

Set these up and you can click Start to start testing.

Open a browser and browse through a webpage and you'll get a result similar to the following:


I'm looking at Google's page. Here 211.100.209.50 is the browser, 66.249.89.147 is the server.

Here is a detailed explanation of the HTTP connection process:

--------------------------------------------------------------

The server responds to the browser's request and asks for confirmation.
The browser responded to the server's confirmation and the connection was successful.
The browser issues a page HTTP request.
Server acknowledgement.
The server sends the data.
Client acknowledgement.
The server responds with a 200 status that indicates success.
The client sends a picture HTTP request.
The server responds with a 304HTTP header, telling the browser not to disturb it, directly with the cache.
The client also issues a picture HTTP request.
The server still responds with a 304HTTP header.
Browser confirmation.
The server is ready to close the connection and ask for confirmation.
Browser confirmation.
The browser is ready to close the connection and ask for confirmation.
Server acknowledgement.


It contains the process that we often call the TCP three-time handshake.

When the server responds to a browser request and asks for confirmation,
If the browser does not have a normal confirmation, the server will wait in the SYN_RECV state until it expires.
If a malicious program forges a large number of similar requests, it is often called SYN flood attacks.

[Go] Use Wireshark to detect an HTTP connection process