This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

HTTP “Get” messages are not visible in Wireshark

0

Hi,

I am working on a Windows 7 laptop connecting to my home WIFI network.

I am new to Wireshark, I have read all the basic tutorials and I understand the tool pretty well though.

After choosing my network interface and hitting the start button, I opened the browser and went to many websites and clicked on many links. I am getting packets related to HTTP (most of them are 200 OK), but not a single packet with the "GET"/"POST" method. I tried this with practically all the browsers (Mozilla, IE, Chrome).

I did try logging onto my Gmail and submitting random forms on the internet just to check the "POST" message; I didn't get that either.

I am also getting a lot of SSDP messages, which appear just before the HTTP 200 OK messages.

Could anyone please let me know what I am missing? "GET" is something very basic, and that is the first thing I expect to see in Wireshark.

Please help!!

Regards.

asked 16 Feb '12, 14:12

wired123

I am using the latest stable release of Wireshark, 1.6.5.

(16 Feb '12, 15:24) wired123

Please provide the trace or a screenshot of some TCP session.

(17 Feb '12, 01:51) Landi

Hi,

I have uploaded all the traces with screenshots to Dropbox; please check this link.

http://db.tt/IdutSfiO

Thanks.

(17 Feb '12, 12:33) wired123

4 Answers:

0

You're probably capturing from the wrong interface. The SSDP you see is also HTTP based, hence the 200 OKs. What you could do is filter on TCP; this should get rid of the interfering SSDP traffic in your capture.

answered 16 Feb '12, 23:56

Jaap ♦

0

If the sites you are visiting are using secure http, i.e. https, then you won't see the "POST/GET" as they'll be encrypted inside a TLS packet. Gmail, for instance, uses https.

answered 17 Feb '12, 01:51

grahamb ♦

Yeah - but he is seeing the return code, so... ;)

(17 Feb '12, 04:07) Landi

0

Select one of the packets where you are seeing a "200 OK" and use the "Follow TCP Stream" option. That should show you the entire HTTP conversation. Your GETs and PUTs should be in there.

Realize that "GET" and "POST" are not necessarily going to be in individual packets and identified as such by Wireshark. They are just text within the stream of text that HTTP is sending back and forth.

answered 17 Feb '12, 09:17

duncant

edited 17 Feb '12, 09:19

Check the packets immediately preceding the HTTP Response packet. Your GET request may fall across TCP PDU segments, in which case it's not being decoded as a GET. I recently ran across this myself. Chances are you will see the GET text in the data decode.

If this is the cause, then you can use the "preferences menu" to disable the "reassembly of http headers". You should then see your GET. You can try this with your current capture to see if the GET appears.

(17 Feb '12, 10:03) wakelt

Hi,

I did an export of the whole trace in plain text and did a search on GET and POST; there is nothing there. Nothing remotely related to the GET HTTP messages.

Also, I did disable the "reassembly of http headers" and restarted Wireshark, still no luck.

(17 Feb '12, 13:42) wired123
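The two explanations above (duncant's and wakelt's, that a request line can be split across TCP segments and only shows up once the stream is reassembled, and grahamb's, that over HTTPS the request is inside TLS records) can be checked mechanically. The following script is an added example, not code from the thread or from Wireshark: it reassembles TCP payload per flow from constructed segments (sample IPs, ports and payloads are made up), shows that a per-packet "GET" search finds nothing while the reassembled stream does, and labels flows whose first bytes are a TLS record header, where no plaintext GET can ever appear. Wireshark's "Follow TCP Stream" does the same reassembly for you.

```python
import re
from collections import defaultdict

# HTTP/1.x request and status lines; re.M lets them match at any line start inside a stream.
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n", re.M)
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ", re.M)
TLS_VERSIONS = (b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03")


def reassemble(segments):
    """segments: (src_ip, sport, dst_ip, dport, seq, payload) tuples in capture order.
    Returns {flow_4tuple: bytes}, payload joined in sequence-number order with
    retransmitted duplicates (same seq) dropped. Assumes no overlapping segments."""
    flows = defaultdict(dict)
    for src, sport, dst, dport, seq, data in segments:
        if data:  # pure ACKs / handshake packets carry no payload
            flows[(src, sport, dst, dport)].setdefault(seq, data)
    return {flow: b"".join(chunks[s] for s in sorted(chunks)) for flow, chunks in flows.items()}


def per_packet_requests(segments):
    """What a packet-by-packet search sees: only segments that hold a complete request line."""
    return [m.group(1) for *_, data in segments for m in REQUEST_LINE.finditer(data)]


def classify(segments):
    """Label each reassembled stream: tls (TLS record header as first bytes),
    http-request (request line present), http-response (only a status line) or unknown."""
    labels = {}
    for flow, data in reassemble(segments).items():
        if data[:1] == b"\x16" and data[1:3] in TLS_VERSIONS:
            labels[flow] = "tls"
        elif REQUEST_LINE.search(data):
            labels[flow] = "http-request"
        elif STATUS_LINE.search(data):
            labels[flow] = "http-response"
        else:
            labels[flow] = "unknown"
    return labels


# Constructed sample (not from the thread): a GET split across two segments plus one
# retransmission, its 200 OK reply, and a TLS ClientHello fragment on port 443.
SAMPLE = [
    ("192.168.1.67", 50001, "203.0.113.10", 80, 1, b"GE"),
    ("192.168.1.67", 50001, "203.0.113.10", 80, 3, b"T /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("192.168.1.67", 50001, "203.0.113.10", 80, 3, b"T /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("203.0.113.10", 80, "192.168.1.67", 50001, 1, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("192.168.1.67", 50002, "203.0.113.10", 443, 1, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
]

if __name__ == "__main__":
    print("per-packet methods:", per_packet_requests(SAMPLE))  # [] : the 'missing GET' symptom
    for flow, label in classify(SAMPLE).items():
        print(flow, label)
```

A stream labelled "http-response" with no matching "http-request" flow in the other direction means the request was never captured at all (wrong interface or crippled promiscuous mode), not merely hidden by segmentation.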

0

Capturing Wireless traffic on Windows can be quite "iffy".

From: http://wiki.wireshark.org/CaptureSetup/WLAN

Quote:

Windows

Capturing WLAN traffic on Windows depends on WinPcap and on the underlying network adapters and drivers. Unfortunately, most drivers/adapters support neither monitor mode, nor seeing 802.11 headers when capturing, nor capturing non-data frames.

Promiscuous mode can be set; unfortunately, it's often crippled. In this mode many drivers don't supply packets at all, or don't supply packets sent by the host.

(End quote)

Note: promiscuous mode is the default Wireshark capture mode. See the above Wireshark WLAN wiki page for more info.

I'm assuming that you have a "standard" network setup: e.g., no other network ports on your PC and I'm assuming that you are doing a "wide-open" capture (i.e., have no Wireshark filters set of any kind).

On the other hand:

While most of the packets sent/received by 192.168.1.67 (which I'm assuming is the IP address of the capturing Windows node) are exchanged with a specific MAC (Ethernet) address [2wire_dd:46:01], there are 3 sent to a different MAC address [HonHaiPr_1f:32:3f], so maybe there's something more going on....

answered 17 Feb '12, 13:50

Bill Meier ♦♦

edited 17 Feb '12, 14:12

See also the comment by Guy Harris about using Microsoft Network Monitor in http://ask.wireshark.org/questions/9102/unable-to-capturing-packets-promiscuously

(18 Feb '12, 07:17) Bill Meier ♦♦