HTTP

Prompt

HTTP is how we're sending you this message. Analyze the provided capture to answer the following questions about an HTTP download.

You can read this guide to learn more about computer networking.

HTTP.pcap (24.9 KB)

Walk-Through

Use Wireshark or the web-based CloudShark tool to solve the challenge. HTTP, or Hypertext Transfer Protocol, is used to deliver and present the information you see on a webpage. All of the questions and answers are specific to HTTP, so it is suggested that you learn more about it:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP

Guide

To find what Linux tool was used to execute a file download, apply the http.request filter at the top of CloudShark and look at the Hypertext Transfer Protocol (HTTP) section of the packet dissector. The filter restricts the results to packets containing requests that the client sent to the server.


The “User-Agent” field in the HTTP portion of the packet is used to identify the software making the HTTP request. Keep in mind that the client chooses this value itself, so it identifies the tool only as far as the tool reports itself honestly.

This is the output of adding an http.request filter. The answer has been redacted.

Questions 2 - 4 can be solved by applying the http.response filter and looking at the HTTP packet dissection. This filter restricts the results to the responses that the server sent back to the client.


The “Server” field in the HTTP portion of the packet is used to identify the software of the server responding to the HTTP request.

This is the output of adding an http.response filter. The answers have been redacted.

Refer to the “Internet Protocol Version 4” (IPv4) portion of the packet to see the “Src” (Source) and “Dst” (Destination) addresses for the packet. These fields are similar to the addresses on a mail envelope: the source is the sender and the destination is the recipient.

Recall that this is an http.response packet, which means we are looking at a packet that the server (source) is sending in response to the client (destination). The source is therefore the IP address of the server (answer to question 4) and the destination is the IP address that initiated the request (answer to question 3). If you go back to the packet from question 1, you will notice that the Source and Destination are flipped, because that packet was traveling from the client to the server.

For Question 5, we need to know what file was sent in this exchange and what the client was downloading. In CloudShark, filter on http and inspect packet 36, the packet that has “(PNG)” in the Info column. When a file spans several TCP segments, Wireshark and CloudShark show the reassembled HTTP response on the frame that carries its last segment, which is why one packet appears to contain the whole file.

It looks like there is a PNG file (image file) in this packet.

In order to determine the MD5 sum of this file, the bytes that make up the image need to be taken from the frame. To do this, highlight the Hex data (see image below) starting at the PNG Signature (89 50 4E 47 0D 0A 1A 0A) and ending at the very bottom of the frame (49 45 4E 44 AE 42 60 82, the IEND chunk and its CRC). You can click on “PNG Signature” at the left to automatically highlight where to start. Make sure the selection covers only the file body and not the HTTP headers that precede it, since the MD5 sum must be computed over the file bytes alone. Once this data is highlighted, right click and wait until the copy option appears.

Be patient. It may take a moment for the data to copy.

Open CyberChef. Paste the Hex data you copied into the Input portion. Check that the bytes at the beginning and the end match the Cloudshark data.

The beginning of the Hex data is shown in this screenshot.

Right now, CyberChef is not interpreting the content pasted as Hex data. To ensure it does this, type “From Hex” in the Operations box and add it to the Recipe.


Select the magic wand icon next to “Output”. An image should render.

The image appears after pressing the magic wand or by adding “Render Image” to the Recipe section.

Now let’s calculate the MD5 sum of the file. Type “MD5” into the operations section and move it to the recipe.

The MD5 sum output has been partially redacted.

Question 5 can also be solved in Wireshark by selecting “File > Export Objects > HTTP”. This exports the files transferred via HTTP from the packet capture to local copies on your computer. Check that the exported file's size matches the Content-Length header of the response, then use the Linux “md5sum” program (md5sum file.png) to calculate the MD5 sum.
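The steps above (read User-Agent from the request, Server from the response, carve the PNG body out of the response and hash it) can be reproduced on raw bytes without a packet tool. The script below is an added example, not part of the original walkthrough or the challenge files: it constructs a tiny request, a tiny response and a valid 1x1 PNG of its own, so the header values (ExampleDownloader/0.1, ExampleHTTPd/2.0) and the hash are illustrative and are not the challenge answers. It also shows the check a practitioner wants: hashing the whole TCP payload, headers included, gives a different MD5 than hashing the file body alone.

```python
import hashlib
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # 89 50 4E 47 0D 0A 1A 0A
IEND_TRAILER = b"IEND\xaeB`\x82"       # 49 45 4E 44 AE 42 60 82: IEND type + CRC


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 red RGB PNG standing in for the downloaded file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, colour type, ...
    scanline = b"\x00" + b"\xff\x00\x00"                 # filter byte + one RGB pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + png_chunk(b"IEND", b""))


# Constructed request, the kind shown under the http.request filter.
SAMPLE_REQUEST = (
    b"GET /files/logo.png HTTP/1.1\r\n"
    b"Host: 192.0.2.80\r\n"
    b"User-Agent: ExampleDownloader/0.1\r\n"
    b"Accept: */*\r\n\r\n"
)


def build_sample_response(png: bytes) -> bytes:
    """Constructed response carrying the PNG, as seen under http.response."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Server: ExampleHTTPd/2.0\r\n"
            b"Content-Type: image/png\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(png)
            + png)


def parse_http_message(payload: bytes):
    """Split a raw HTTP/1.x message into (start line, lower-cased headers, body)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message: header terminator not found")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("ascii"), headers, body


def hex_dump_to_bytes(dump: str) -> bytes:
    """Equivalent of CyberChef's 'From Hex' for hex copied out of the packet view."""
    return bytes.fromhex("".join(dump.split()))


def extract_png(data: bytes) -> bytes:
    """Carve the PNG from signature through the IEND trailer, refusing truncated files."""
    start = data.find(PNG_SIGNATURE)
    if start < 0:
        raise ValueError("no PNG signature found")
    end = data.find(IEND_TRAILER, start)
    if end < 0:
        raise ValueError("PNG is truncated: IEND trailer missing")
    return data[start:end + len(IEND_TRAILER)]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def analyze(request: bytes, response: bytes) -> dict:
    """Answer the walkthrough's questions 1, 2 and 5 for one request/response pair."""
    _, req_headers, _ = parse_http_message(request)
    _, resp_headers, body = parse_http_message(response)
    declared = int(resp_headers.get("content-length", len(body)))
    if len(body) != declared:
        raise ValueError(f"body is {len(body)} bytes but Content-Length says {declared}")
    png = extract_png(body)
    return {
        "user_agent": req_headers.get("user-agent"),
        "server": resp_headers.get("server"),
        "file_md5": md5_hex(png),            # hash of the file: the value the question wants
        "payload_md5": md5_hex(response),    # hash of headers + body: a common wrong answer
    }


if __name__ == "__main__":
    sample_png = build_sample_png()
    for key, value in analyze(SAMPLE_REQUEST, build_sample_response(sample_png)).items():
        print(f"{key}: {value}")
```

Run it with a real capture by replacing the constructed bytes with the TCP payloads of the request and the reassembled response (for example, Wireshark's “Follow > TCP Stream” saved as raw). The Content-Length check catches a copy that stopped short of the IEND trailer before you trust the hash.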


Other Resources to Learn about HTTP:

  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP
  • Watch our tutorial video below for more info!

Tutorial Video

Cyber Skyline Live: Analyzing HTTP Traffic with Wireshark - Feb 16, 2023

One of the most common uses of HTTP is file transfers. Every time you load a page in your browser, HTTP requests are being made to fetch all the assets on the page, from images to fonts. Learn how to follow and analyze packets from an HTTP file transfer. You'll learn how to identify the devices involved, establish a timeline of events, and even extract a file that was transferred. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.


Questions

1. What Linux tool was used to execute a file download?

2. What is the name of the web server software that handled the request?

3. What IP address initiated the request?

4. What is the IP address of the server?

5. What is the MD5 sum of the file downloaded?

©️ 2025 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.