This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Just TCP but no HTTP packet

0

Hi,

Before I grad and start my career as a APM/NPM consultant, those are the good times when I play wireshark tutorial. And TCP is always accompanied by HTTP.

Today, I do a tcpdump and realized that there is always TCP two-way communication between a specific source-destination pair, but they are not HTTP packets between them. (i.e I type 'tcp' in display filter, returned the filter result; I type in 'http', returned nothing).

SO, WHAT COULD THIS POSSIBLY MEANS?

FYI, in case you wonder: No, no HTTPS/SSL/TLS here. We are talking about unencrypted traffic here.

Appreciate if any of the experts can share your thought on what could be the possbile scenario happening, the application shouldn't has any probelm as its already been deployed to production environment for a long time with large number of users.

Best Regards, Wai KEat

asked 03 Jul '17, 09:39

waikeatahlok's gravatar image

waikeatahlok
11335
accept rate: 0%


One Answer:

2

Sorry, but TCP is not always accompanied by HTTP. While HTTP is very often seen on the internet, that picture can be very different in business networks. There are lots of other protocols running on top of TCP, e.g. FTP, SMTP, POP3, IMAP, database connections, application protocols, etc.

I think that you should spend some more time on learning the basics of modern computer networks, because otherwise you may run into trouble (you said you want to consult on APM/NPM, which I guess means application/network performance monitoring). It seems to me that there are still big gaps in the foundation of your knowledge about how networks and applications work.

answered 03 Jul '17, 09:51

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Hi Jasper,

Thanks for the quick response, I did manage to find this post (https://stackoverflow.com/questions/19852858/why-wireshark-display-filter-does-not-show-http-packets) shortly after I posted the question.

Also, my client told me that application is using HTTP, and hence I do a tcpdump and have a look. I do understand that there can be many application layer protocol running on top of TCP. (Sorry for my bad English when typing the question)

Lastly, after reading that post on stackoverflow, I still don't understand my pcap file. That is because all the packets I see after applied 'tcp' filter, I can only 4 layer of data, which are frame, ethernet, IP and TCP. The last layer of data (i.e the app layer data in 5-layer-TCP/IP stack) is missing. I can only see 4 layers of data in packet content.

(03 Jul '17, 10:02) waikeatahlok

Okay, so let's assume your pcap file contains HTTP, but Wireshark doesn't decoded it. Check that the TCP port you're seeing is in fact the one you should see HTTP on. Maybe it's a non-standard port, in which case you can either add that port to the list of ports in the preferences for the HTTP dissector, or use "Decode As" from the popup menu in the packet list to force Wireshark to decode that port as HTTP.

(03 Jul '17, 10:11) Jasper ♦♦
1

If you are serious about doing the capture using tcpdump, I'm almost sure you haven't asked it to capture complete packets, which explains why you cannot see anything above the TCP layer. The magic parameter to add to tcpdump's command line is -s 0. Without it, tcpdump only saves first 60 bytes of each captured frame. Which, BTW, could be also an answer to your other question.

(03 Jul '17, 12:32) sindy