Sunday, June 8, 2014

Beginning IPv6 - Analyzing HTTP traffic

In the previous post we looked at analyzing DNS. Let's now look at the HTTP protocol. Since the post on DNS already elaborated on the fields that make up the IPv6 header, I will not repeat that here.

Let's use our IPv4 TCP knowledge to analyze this IPv6 communication.

Let's run tshark against our capture, reading only the first three packets (-c 3) and leaving addresses and ports unresolved (-n):

root@securitynik:~/securitynik# tshark -r ipv6-http.pcap -n -c 3
  1   0.000000 fd33:e581:65d4:0:a000:27ff:fe28:1d5 -> fd33:e581:65d4:0:a000:27ff:fe21:1a75 TCP 94 55594 > 80 [SYN] Seq=0 Win=28800 Len=0 MSS=1440 SACK_PERM=1 TSval=265480 TSecr=0 WS=128
  2   0.001162 fd33:e581:65d4:0:a000:27ff:fe21:1a75 -> fd33:e581:65d4:0:a000:27ff:fe28:1d5 TCP 94 80 > 55594 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1 TSval=87067 TSecr=265480
  3   0.001220 fd33:e581:65d4:0:a000:27ff:fe28:1d5 -> fd33:e581:65d4:0:a000:27ff:fe21:1a75 TCP 86 55594 > 80 [ACK] Seq=1 Ack=1 Win=28800 Len=0 TSval=265480 TSecr=87067

The three packets above are the typical TCP three-way handshake (SYN, SYN/ACK, ACK). Nothing here differs from an IPv4 TCP handshake: the flags, relative sequence numbers, MSS, window scaling, SACK and timestamp options are all the same. The only visible difference is the 40-byte IPv6 header in place of the 20-byte IPv4 one, which is why the SYN frames are 94 bytes (14 Ethernet + 40 IPv6 + 40 TCP with options).
 
  4   0.001807 fd33:e581:65d4:0:a000:27ff:fe28:1d5 -> fd33:e581:65d4:0:a000:27ff:fe21:1a75 HTTP 370 GET / HTTP/1.1
In packet 4 above we see the client at source "fd33:e581:65d4:0:a000:27ff:fe28:1d5" issue a GET request for /.
 
  5   0.050772 fd33:e581:65d4:0:a000:27ff:fe21:1a75 -> fd33:e581:65d4:0:a000:27ff:fe28:1d5 TCP 86 80 > 55594 [ACK] Seq=1 Ack=285 Win=65536 Len=0 TSval=87072 TSecr=265480
Here we see the server at "fd33:e581:65d4:0:a000:27ff:fe21:1a75" responding with an ACK (acknowledgement) to the request sent by the client. Ack=285 covers the 284-byte request plus the one sequence number consumed by the SYN; the 284 matches the byte count shown for the client direction in the follow output further down.
 
  8   0.565480 fd33:e581:65d4:0:a000:27ff:fe21:1a75 -> fd33:e581:65d4:0:a000:27ff:fe28:1d5 HTTP 281 HTTP/1.1 200 OK  (text/html)
In packet 8 (packets 6 and 7 are omitted here), we see the server respond with a status code of 200 OK and a Content-Type of text/html. Note that tshark prints the reassembled HTTP response against the frame carrying its final TCP segment, so the 281-byte frame length here is the size of that last segment, not of the whole response.
 

Ok, let's skip past some of the clutter and follow TCP stream 0. The follow output prints each direction's data in turn, preceded by the number of bytes sent in that direction (284 from the client, 1428 from the server):
root@securitynik:~/securitynik# tshark -r ipv6-http.pcap -z "follow,tcp,ascii,0" | more
===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 253.51.229.129:55594
Node 1: 253.51.229.129:80
284
GET / HTTP/1.1
Host: websrv
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive


    1428
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Thu, 05 Jun 2014 02:42:28 GMT
Accept-Ranges: bytes
ETag: "55a1baca6780cf1:0"
Server: Microsoft-IIS/8.0
Date: Fri, 06 Jun 2014 03:09:18 GMT
Content-Length: 1398

............. reduced for brevity .........



As can be seen above, the knowledge we have from analyzing HTTP on IPv4 transfers directly to IPv6: the request and response headers are identical to what we would see over IPv4. One quirk worth knowing: the Node lines in the follow output show both endpoints as 253.51.229.129. That is not a third host; it is the first 32 bits of the shared fd33:e581 prefix rendered in dotted decimal, a display limitation of this tshark release when following IPv6 streams.
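To make the point concrete, here is an added example (not code from the original post) that builds the handshake and GET from the post as raw IPv6/TCP packets, parses them back, prints a tshark-style summary line, and reassembles the client direction the way `-z follow,tcp` does. The addresses, ports and relative sequence numbers mirror the post; the request body is a shortened, constructed one, and the packets carry no Ethernet header or TCP options, so the lengths printed are 60 bytes rather than 94. Everything above the IPv6 fixed header is handled by the same code you would use for IPv4; the one place IPv6 differs is the TCP checksum pseudo-header, which the example implements and verifies.

```python
"""Build and parse a minimal IPv6/TCP/HTTP exchange (constructed sample, not from
the original capture)."""
import ipaddress
import struct

CLIENT = "fd33:e581:65d4:0:a000:27ff:fe28:1d5"
SERVER = "fd33:e581:65d4:0:a000:27ff:fe21:1a75"
CLIENT_PORT, SERVER_PORT = 55594, 80
IPPROTO_TCP = 6
# Constructed request, shorter than the 284-byte one in the post.
REQUEST = b"GET / HTTP/1.1\r\nHost: websrv\r\nConnection: keep-alive\r\n\r\n"
# Flag names in the order tshark prints them, e.g. "[SYN, ACK]".
FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))


def tcp_checksum(src, dst, segment):
    """Ones'-complement checksum over the IPv6 pseudo-header plus TCP segment.

    The pseudo-header (RFC 2460, section 8.1) is what differs from IPv4: 128-bit
    addresses, a 32-bit upper-layer length, three zero bytes and the next header.
    Returns 0 for a segment whose checksum field is already correct.
    """
    data = src + dst + struct.pack("!I3xB", len(segment), IPPROTO_TCP) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, sport, dport, seq, ack, flags, payload=b"", hop_limit=64):
    """Raw bytes for one IPv6 packet carrying a TCP segment (no extension headers)."""
    src_b, dst_b = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    # 20-byte TCP header (data offset 5, window 28800), checksum zeroed on the first pass.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 28800, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_b, dst_b, tcp)) + tcp[18:]
    # Fixed 40-byte IPv6 header: version 6, traffic class 0, flow label 0,
    # payload length, next header = TCP, hop limit, then source and destination.
    ipv6 = struct.pack("!IHBB", 6 << 28, len(tcp), IPPROTO_TCP, hop_limit) + src_b + dst_b
    return ipv6 + tcp


def parse_packet(raw):
    """Decode the IPv6 fixed header and the TCP segment behind it."""
    ver_tc_fl, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", raw[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if next_hdr != IPPROTO_TCP:
        raise ValueError("only TCP directly after the fixed header is handled here")
    src_b, dst_b = raw[8:24], raw[24:40]
    segment = raw[40:40 + payload_len]
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    return {
        "src": str(ipaddress.IPv6Address(src_b)), "dst": str(ipaddress.IPv6Address(dst_b)),
        "hop_limit": hop_limit, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": win, "payload": segment[data_offset:],
        # A valid segment sums to zero once its own checksum field is included.
        "checksum_ok": tcp_checksum(src_b, dst_b, segment) == 0,
    }


def flag_names(flags):
    return ", ".join(name for bit, name in FLAG_BITS if flags & bit)


def summarize(raw):
    """One-line summary in the spirit of tshark's default output."""
    p = parse_packet(raw)
    return (f"{p['src']} -> {p['dst']} TCP {len(raw)} {p['sport']} > {p['dport']} "
            f"[{flag_names(p['flags'])}] Seq={p['seq']} Ack={p['ack']} Len={len(p['payload'])}")


def build_exchange():
    """Three-way handshake followed by the client's GET, as in the post."""
    return [
        build_packet(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, 0, 0, 0x02),           # SYN
        build_packet(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, 0, 1, 0x12),           # SYN, ACK
        build_packet(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, 1, 1, 0x10),           # ACK
        build_packet(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, 1, 1, 0x18, REQUEST),  # PSH, ACK + GET
    ]


def follow_stream(packets, src, sport):
    """Reassemble one direction's payload in sequence order, like `-z follow,tcp`."""
    want = str(ipaddress.IPv6Address(src))
    segs = [s for s in map(parse_packet, packets) if s["src"] == want and s["sport"] == sport]
    return b"".join(s["payload"] for s in sorted(segs, key=lambda s: s["seq"]))


def write_pcap(path, packets):
    """Write the packets as LINKTYPE_RAW (101) so tshark decodes them as bare IP."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101))
        for i, raw in enumerate(packets):
            fh.write(struct.pack("<IIII", 0, i, len(raw), len(raw)) + raw)


if __name__ == "__main__":
    pkts = build_exchange()
    for raw in pkts:
        print(summarize(raw))
    print(follow_stream(pkts, CLIENT, CLIENT_PORT).decode())
    write_pcap("ipv6-http-sample.pcap", pkts)
```

Running the script writes ipv6-http-sample.pcap (a hypothetical file name), which you can feed to the same commands used in this post, for example `tshark -r ipv6-http-sample.pcap -n` or `tshark -r ipv6-http-sample.pcap -z "follow,tcp,ascii,0"`, to compare the tool's output against the script's own decode. The checksum check is the detail to keep in mind when writing your own IPv6 tooling: a TCP checksum routine carried over from IPv4 code will silently mark every IPv6 segment as corrupt until the pseudo-header is updated.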
