This is our old Q&A Site. Please post any new questions and answers at

Hi everyone. I am kind of noob to wireshark so please bear with me for stupidity or obvious things. I am examining a network flow in WireShark which causes a drive by download. In some http (GET request) packets, the "Referer" field is not present. What does this mean? I mean how is the user getting to these pages? Is he/she entering it manually?


The URLs full request are of a PNG images. So, I don't think that entering these URLs manually would have happened.

asked 08 Sep '13, 15:04

TheRookieLearner's gravatar image

accept rate: 0%

edited 08 Sep '13, 15:10

If the referrer header is not present, the URL could either have been entered manually or some script was doing the request which did not adde the referrer header. Is the User-Agent header the same for all requests?

permanent link

answered 08 Sep '13, 15:37

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

Ya, its the same (which is Mozilla/4.0). Does this mean a script is making those requests? How do I verify that?

(08 Sep '13, 15:50) TheRookieLea...
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 08 Sep '13, 15:04

question was seen: 4,061 times

last updated: 08 Sep '13, 15:51

p​o​w​e​r​e​d by O​S​Q​A