This is our old Q&A Site. Please post any new questions and answers at

Hi, I have a problem with Wireshark. The idea is that when listening on HTTP packets they show an error of 304 and 404 and i can't read the address of the page. I use it on the Back Track 5 R3. Before running the Wiresharka I use the command "echo 1/proc/sys/net/ipv4/ip_forward > and" arpspoof-i eth0-t "in order to be able to listen. Gets them, but flawed with errors. PS: Sorry for my English.

I see it:

alt text

asked 25 Aug '13, 07:04

Marcinxxl2's gravatar image

accept rate: 0%

edited 25 Aug '13, 07:56

The idea is that when listening on HTTP packets they show an error of 304 and 404

304 typically means that the system fetching the page has a cached copy and is asking 1) whether the page has been modified since a certain time (the time when the cached copy was fetched) and 2) for a copy of the page if it has been modified since then. 404, of course, means that the page in question doesn't exist.

and i can't read the address of the page

By "the address of the page" I assume you mean the URL of the page; you'll see that in the HTTP request, not the reply. Are you not capturing the requests? Or are they not being sent from, so that they're not showing up with your display filter?

(25 Aug '13, 10:05) Guy Harris ♦♦

And intercepts the request and they are sent from this address. I do not know why all the HTTP packets give error 304 or 404. When I run Wireshark on listening computer does not show on these errors, and the URL of the page.

(25 Aug '13, 11:31) Marcinxxl2

arpspoof -i eth0 -t

To quote the arpspoof man page:


arpspoof [-i interface] [-t target] host


arpspoof redirects packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch.



-i interface

Specify the interface to use.

-t target

Specify a particular host to ARP poison (if not specified, all hosts on the LAN).


Specify the host you wish to intercept packets for (usually the local gateway).

so that command is ARP-spoofing so that traffic to is redirected through, but it doesn't affect traffic from, so you will only see the HTTP replies to, not HTTP requests from, so you won't see the requests, and therefore will not see the URLs.

As I said in my comment, the HTTP packets that get a 304 do so because the HTTP request said "send me the page only if it's been modified after this time" and it hasn't been modified since that time, and the HTTP packets that get a 404 do so because the HTTP request said "send me the page with this URL" and there IS no page with that URL; that's how HTTP works.

permanent link

answered 25 Aug '13, 11:56

Guy%20Harris's gravatar image

Guy Harris ♦♦
accept rate: 19%

edited 25 Aug '13, 11:58

Actually, sorry, my mistake. You know how to do that was in two pages?

(25 Aug '13, 12:14) Marcinxxl2

You know how to do that was in two pages?

I'm not sure I understand what you're asking here.

(25 Aug '13, 12:50) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 25 Aug '13, 07:04

question was seen: 6,047 times

last updated: 25 Aug '13, 12:50

p​o​w​e​r​e​d by O​S​Q​A