Learning Python Network Programming


Working with Wireshark


As shown in the preceding screenshot, the Wireshark capture screen is broken
into three sections. The top section lists the captured packets, one packet per
row, and provides basic information for each packet, such as the source and
destination addresses, and the name of the highest layer protocol for which the
packet contains data.


The middle section contains a breakdown of the protocols present in the selected
packet. The top line is equivalent to layer 1 in the network stack, with subsequent
lines corresponding to the higher layers.


The bottom section contains a raw listing of the entire captured packet. This is
broken into three main vertical areas. The numbers in the first column on the
left-hand side are the byte offsets in hex of the start of the line from the beginning
of the packet. The middle section consists of two columns of 8 hexadecimal numbers
each; this section shows each byte in the packet as a hexadecimal integer. The section
on the right-hand side, consisting of two columns of ASCII characters, is the ASCII
representation of the bytes in the packet. Dots are used here, where a byte value
maps to a nonprintable character.


Filtering


Let's see if we can find the packets that our downloader program has generated.
There's probably a fair amount of extra network data in the capture, so first,
we need to filter this out.


Wireshark lets us filter using any property of any of the protocols it supports. To
filter, we use the filter box that is under the toolbar. Wireshark has a complete filter
language, which you can investigate with the help system. For now, we're just going
to do a few basic queries to find our packets. Type http in the filter box, and click on
the Apply button. This restricts the displayed packets to just those that involve the
HTTP protocol, as shown in the following screenshot:
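As an added example (not the book's own code), the following Python script reproduces the two views described on this page: the packet-bytes pane layout (hex offset, two groups of eight hex bytes, ASCII column with dots for nonprintable bytes) and a rough stand-in for the http display filter. The packets in SAMPLE_CAPTURE are constructed, not a real capture, and is_http is a simplification of what Wireshark's dissectors actually do.

```python
# Added example, not from the book: mimic Wireshark's bytes pane and "http" filter.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def hexdump_lines(packet: bytes) -> list[str]:
    """Lay out bytes like Wireshark's packet-bytes pane: a 4-digit hex offset,
    two groups of eight hex bytes, then the ASCII column with '.' standing in
    for every non-printable byte."""
    lines = []
    for offset in range(0, len(packet), 16):
        chunk = packet[offset:offset + 16]
        group1 = " ".join(f"{b:02x}" for b in chunk[:8])
        group2 = " ".join(f"{b:02x}" for b in chunk[8:16])
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset:04x}  {group1:<23}  {group2:<23}  {text}")
    return lines


def is_http(packet: dict) -> bool:
    """Simplified 'http' display filter: the packet involves HTTP if its TCP
    payload starts with a request line or a status line."""
    if packet["protocol"] != "TCP":
        return False
    payload = packet["payload"]
    return payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1.")


def apply_filter(packets: list[dict], name: str) -> list[dict]:
    """Keep only the packets matching the named filter (only 'http' exists here)."""
    if name != "http":
        raise ValueError(f"unsupported filter: {name}")
    return [p for p in packets if is_http(p)]


# Constructed sample capture (hypothetical addresses, not a real trace).
SAMPLE_CAPTURE = [
    {"src": "192.0.2.10", "dst": "192.0.2.1", "protocol": "DNS", "payload": b"\x12\x34\x01\x00"},
    {"src": "192.0.2.10", "dst": "198.51.100.5", "protocol": "TCP", "payload": b""},  # SYN, no data
    {"src": "192.0.2.10", "dst": "198.51.100.5", "protocol": "TCP",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "198.51.100.5", "dst": "192.0.2.10", "protocol": "TCP",
     "payload": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
]

if __name__ == "__main__":
    for pkt in apply_filter(SAMPLE_CAPTURE, "http"):  # the packet-list view, filtered
        print(pkt["src"], "->", pkt["dst"], "HTTP")
    for line in hexdump_lines(SAMPLE_CAPTURE[2]["payload"]):  # the bytes-pane view
        print(line)
```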
