Question

I'm packet sniffing using jpcap, and I'm wondering how I can find out which request the response is for. The HTTP header fields don't even state the address of the server, and there are no IDs.

Do I need to check ports or something?


Solution

It sounds like you're looking at captured IP packets without understanding how TCP connections work. The answer is that the HTTP headers don't include the address of the server, because they don't need to. The HTTP data is sent across a TCP connection, which manages the source and destination addresses for each packet.

A TCP connection is like a virtual "pipe" between the client and the server. Any data sent on a TCP connection either:

  • arrives at the other end in the same order it was sent, or
  • does not arrive at all

Even if the individual IP packets might be fragmented and arrive at the destination in a different order from what was sent, TCP will sort all that out and present the receiver with a consistent, guaranteed view of the same data the sender put into the pipe.

Other tips

The response will immediately follow the request on the same connection. A client cannot have multiple requests pending on the same connection; it has to wait for a response before sending a new command, or else it has to send the request on a new connection.

HTTP is an application/presentation layer protocol. Don't think that if you check the HTTP headers you'll find the address of the server. You need to look at the IP packets by stripping off the HTTP headers.

If you're using Wireshark, just 'follow' the connection.
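
The matching described in the answers above, as an added example (not code from the original posts): group captured segments by connection (client IP, client port, server IP, server port), order each direction by TCP sequence number, then pair requests with responses in order. The tuple layout, sample data and function names are constructed; it assumes Content-Length framing and no sequence-number wraparound.

```python
from collections import defaultdict

# Constructed capture: (src_ip, src_port, dst_ip, dst_port, tcp_seq, payload), out of order.
SEGMENTS = [
    ("10.0.0.5", 50001, "192.0.2.10", 80, 1000, b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.5", 50002, "192.0.2.10", 80, 7000, b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("192.0.2.10", 80, "10.0.0.5", 50002, 9000, b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.10", 80, "10.0.0.5", 50001, 5017, b"Content-Length: 2\r\n\r\nok"),
    ("10.0.0.5", 50001, "192.0.2.10", 80, 1039, b"GET /c HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("192.0.2.10", 80, "10.0.0.5", 50001, 5040, b"HTTP/1.1 204 No Content\r\n\r\n"),
    ("192.0.2.10", 80, "10.0.0.5", 50001, 5000, b"HTTP/1.1 200 OK\r\n"),
    ("192.0.2.10", 80, "10.0.0.5", 50001, 5000, b"HTTP/1.1 200 OK\r\n"),  # retransmission
]

def start_lines(stream):
    """Start line of each HTTP message in one reassembled direction of a connection."""
    lines = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break  # headers not complete in this capture
        start, *headers = head.split(b"\r\n")
        length = 0
        for h in headers:
            name, _, value = h.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        lines.append(start.decode("latin-1"))
        stream = rest[length:]  # skip the body to reach the next message
    return lines

def pair_by_connection(segments, server_port=80):
    """Map each connection 4-tuple to its (request line, status line) pairs."""
    conns = defaultdict(lambda: ({}, {}))  # (client->server, server->client), keyed by seq
    for src, sport, dst, dport, seq, data in segments:
        if not data:
            continue  # SYN/ACK/FIN segments carry no HTTP bytes
        if dport == server_port:
            conns[(src, sport, dst, dport)][0][seq] = data  # same seq overwrites: drops retransmits
        elif sport == server_port:
            conns[(dst, dport, src, sport)][1][seq] = data
    pairs = {}
    for conn, (up, down) in conns.items():
        reqs = start_lines(b"".join(up[s] for s in sorted(up)))
        resps = start_lines(b"".join(down[s] for s in sorted(down)))
        pairs[conn] = list(zip(reqs, resps))  # nth response answers nth request
    return pairs

if __name__ == "__main__":
    print(pair_by_connection(SEGMENTS))
```
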

License: CC-BY-SA with attribution
Not affiliated with StackOverflow