Packet Analysis

HTTP Analysis


CloudShark includes a powerful HTTP analysis tool which can be accessed from the decoder window by pressing the Analysis Tools button and then HTTP Requests. This feature is one of several analysis tools available in CloudShark.

HTTP connections typically use the standard port (80). Using CloudShark’s Decode As profile setting in conjunction with the HTTP Requests tool allows users to analyze HTTP traffic running on non-standard ports.

Requests by Host

The Requests by Host view provides an expandable list of all HTTP requests, sorted by host. The percentage of the total number of requests, per host, is displayed on the right side. Expanding a particular host displays all of the individual requests made for that host. The percentage of the total number of requests for that host is displayed for each individual request.

Clicking on any single request will open a summary dialog containing response time information for the transaction, and direct links back to the source TCP stream, the packet containing the HTTP request, and the packet containing the HTTP response. If the response included a file it will also contain a link to preview the object directly in your browser.

CloudShark calculates the response time as the time delta between when the fully assembled HTTP request is sent and the fully assembled HTTP response is received.
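
The following sketch is an added example, not CloudShark code. It reproduces the two calculations described above over a constructed list of TCP segments: per-host and per-request percentages, and response time measured from the last segment of the request to the last segment of the response. The record layout, the host names, and the reading of "fully assembled" as "final segment seen" are assumptions.

```python
from collections import defaultdict

# Constructed sample, one record per TCP segment carrying HTTP payload:
# (time_s, tcp_stream, direction, host, request, is_last_segment_of_message)
SEGMENTS = [
    (0.000, 0, "req", "example.test", "GET /index.html", True),
    (0.040, 0, "resp", None, None, False),
    (0.055, 0, "resp", None, None, True),
    (0.100, 1, "req", "example.test", "POST /upload", False),
    (0.120, 1, "req", "example.test", "POST /upload", True),
    (0.300, 1, "resp", None, None, True),
    (0.400, 2, "req", "cdn.example.test", "GET /logo.png", True),
    (0.410, 2, "resp", None, None, True),
    (0.500, 3, "req", "example.test", "GET /index.html", True),  # never answered
]

def transactions(segments):
    """Pair each fully assembled request with the next fully assembled
    response on the same TCP stream; response_time stays None if unanswered."""
    pending = defaultdict(list)   # stream -> requests still awaiting a response
    txns = []
    for t, stream, direction, host, request, last in sorted(segments, key=lambda s: s[0]):
        if not last:
            continue              # assumption: a message is complete at its final segment
        if direction == "req":
            txn = {"host": host, "request": request, "sent": t, "response_time": None}
            pending[stream].append(txn)
            txns.append(txn)
        elif pending[stream]:
            txn = pending[stream].pop(0)
            txn["response_time"] = round(t - txn["sent"], 6)
    return txns

def requests_by_host(txns):
    """Return {host: (percent of all requests, {request: percent within host})}."""
    counts = defaultdict(lambda: defaultdict(int))
    for txn in txns:
        counts[txn["host"]][txn["request"]] += 1
    total = len(txns)
    view = {}
    for host, reqs in counts.items():
        n = sum(reqs.values())
        view[host] = (round(100 * n / total, 1),
                      {r: round(100 * c / n, 1) for r, c in reqs.items()})
    return view

if __name__ == "__main__":
    txns = transactions(SEGMENTS)
    for host, (share, reqs) in requests_by_host(txns).items():
        print(host, share, reqs)
    print([t["response_time"] for t in txns])
```

The segmented POST is timed from 0.120 s, not 0.100 s, and the request on stream 3 still counts toward its host's share even though no response was captured.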

Host Summary

The Host Summary view provides a larger summary view of the number of requests made by each host during the capture. This view is a full page version of the pop-up displayed when a user clicks on the HTTP Requests analysis tool. Like the initial HTTP Requests pop-up, clicking on the bar for a host will load a decode session and display only the packets associated with that host.

Response Codes

The Response Codes view displays the total number of HTTP requests by method, and the total number of responses by HTTP response code, as interactive pie charts. Clicking on individual pieces within the charts will open a decode session and display all packets containing the selected HTTP request method or response code.

HTTP Objects

The HTTP Objects analysis tool can be used to extract and preview or save the original files transferred via HTTP and captured within the tracefile. These could be images, scripts, audio files, applications, or any other kind of file.

Access to the HTTP Object Analysis tool is found by clicking the button on the HTTP Analysis popup dialog box.

From within this tool, you can filter on a specific content-type or host, drill into the exact frame the response was contained in, follow-stream, or even preview certain types of content.

Previewing Types

In-browser object previews are enabled by default. The admin can disable extraction of all HTTP objects by changing this setting within CloudShark.

If an object is an image, audio, or video, CloudShark will attempt to preview it directly in the browser using a native content tag. Support for various types of audio and video will be browser dependent.

If the object in question can be displayed as text, the raw text will be previewed by CloudShark. If there is no preview available (as is the case for binary content-types) the file will simply be presented as a download link.

Please note that CloudShark does not scan any content for viruses, malware, or other hazardous types.