TCP 3-Way Handshake, HTTP Protocol, and Packet Capture with Wireshark
Hello everyone!
Information Technology (IT) and networking are essential elements of cybersecurity. IT covers critical areas such as software development, data management, and system security, while network communication provides the connections between devices that make data transfer possible. The TCP/IP protocol family forms the basis of the Internet on this infrastructure, and application protocols such as HTTP are built on top of it. In cybersecurity, the role of these protocols in securing communication and protecting network traffic is critical. Analysis tools such as Wireshark help observe network traffic and detect possible security breaches.
In this article, I will tell you about these subheadings and give you a small application example.
Importance and Working Principle of TCP 3-Way Handshake:
The TCP 3-way handshake is the exchange of three packets that two computers perform to establish a reliable connection before any application data is sent.
This process consists of these steps:
Step 1 (SYN): First, the client computer sends a SYN (synchronize) packet to the target server. This packet represents a request to communicate, and a connection request is transmitted to the server to which the client wants to connect.
Step 2 (SYN-ACK): The server responds with a SYN-ACK (synchronize-acknowledge) packet to confirm that it received the client’s request. This packet indicates that it has received the request and is ready for communication.
Step 3 (ACK): Finally, the client computer sends an ACK (acknowledge) packet to confirm the server’s response. This packet tells the server that its SYN-ACK was received, and communication officially begins.
A visualization of these steps is as follows:
Once the 3-way handshake is completed, a reliable, two-way communication channel is open. The exchange verifies that both parties are ready to communicate and provides a connection over which data can be exchanged reliably. When communication ends, the connection is closed with a similar exchange of packets. This process is what gives the TCP protocol its ability to deliver data reliably and in order.
HTTP Protocol and Working Principle:
HTTP (Hypertext Transfer Protocol) is a communication protocol used to transfer documents between web browsers and servers. This text-based protocol basically follows the client-server model:
Client: Usually a web browser. Sends an HTTP request to the server to access a specific resource (web page, image, etc.).
Server: Receives the client’s request and returns an appropriate response to the request.
The HTTP request is usually addressed with a URL and carries a request method (GET, POST, PUT, DELETE, etc.). Once the server receives the request, it takes the appropriate action and answers with an HTTP response. The response carries the requested resource, or the result of the processing, back to the client.
HTTP runs on top of the TCP/IP protocol family that enables data communication on the Internet, and all of its traffic travels over that infrastructure. As in every field of technology, there are improved and updated versions of HTTP.
Most Frequently Used HTTP Headers:
HTTP Request Header:
1. Host: Specifies the server name.
2. User-Agent: Contains information on the client program (browser information).
3. Accept: Specifies the media types the client can accept.
4. Content-Type: Specifies the type of data being sent (for example, JSON, XML).
5. Authorization: Contains the authentication information requested from the client by the server (for example, username and password).
HTTP Response Header:
1. Status (the response status line): Indicates the status of the request (for example, 404 Not Found).
2. Content-Type: Specifies the type of data sent by the server.
3. Cache-Control: Controls caching settings.
4. Location: Specifies the new location in redirect situations.
5. Server: Contains information about the server software running on the server side.
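To make these headers concrete, here is an added example (not code from the original article) that parses a constructed HTTP/1.1 request and response into their start line and headers, and then lists what a defender should note if these messages appear unencrypted in a capture. The host name, request path, credentials and Server banner are all made-up sample values.

```python
"""Parse raw HTTP/1.1 messages and report what a plaintext capture of them reveals.

Added example, not from the original article. Both messages are constructed samples."""
import base64

# Constructed request carrying the five request headers discussed above.
SAMPLE_REQUEST = (
    b"GET /search.php?test=query HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/5.0 (demo)\r\n"
    b"Accept: text/html\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Authorization: Basic ZGVtbzpzZWNyZXQ=\r\n"  # base64 of "demo:secret" (constructed)
    b"\r\n"
)

# Constructed response carrying the response headers discussed above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: ExampleHTTPd/1.0 (constructed banner)\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Cache-Control: no-store\r\n"
    b"Location: https://example.test/login\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_message(raw: bytes) -> dict:
    """Split an HTTP/1.x message into its start line, headers (names lower-cased) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    if start[0].startswith("HTTP/"):            # a response begins with the version
        msg = {"kind": "response", "version": start[0], "status": int(start[1]), "reason": start[2]}
    else:                                       # a request begins with the method
        msg = {"kind": "request", "method": start[0], "target": start[1], "version": start[2]}
    msg["headers"] = headers
    msg["body"] = body
    return msg


def exposure_findings(request: dict, response: dict) -> list:
    """Things a defender should note when these messages travel over plain HTTP."""
    findings = []
    auth = request["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is only base64-encoded, so the user name (and password) is readable in a capture.
        user = base64.b64decode(auth.split(" ", 1)[1]).decode().partition(":")[0]
        findings.append(f"Basic credentials for user '{user}' sent over plaintext HTTP")
    if "server" in response["headers"]:
        findings.append(f"Server header discloses software: {response['headers']['server']}")
    if response["status"] in (301, 302, 307, 308) and "location" in response["headers"]:
        findings.append(f"Redirect to {response['headers']['location']}")
    return findings


if __name__ == "__main__":
    req, resp = parse_message(SAMPLE_REQUEST), parse_message(SAMPLE_RESPONSE)
    print(req["method"], req["target"], req["headers"]["host"])
    print(resp["status"], resp["reason"])
    for finding in exposure_findings(req, resp):
        print("-", finding)
```

The parser deliberately lower-cases header names because HTTP header names are case-insensitive, which is also why a Wireshark display filter like `http.host` matches regardless of how the client wrote the header. The findings function shows why an Authorization header over plain HTTP matters: anyone who can capture the traffic, as in the Wireshark exercise below, can read it.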
Capturing HTTP Traffic and Viewing Its Content with Wireshark:
Wireshark is a popular network protocol analyzer used to capture, inspect, and analyze network traffic. The software listens on a chosen network interface, records the packets that pass through it, and displays the contents of each packet in detail. Wireshark understands a wide range of protocols, including TCP/IP, HTTP, DNS, and DHCP. Each captured packet represents data carried between the devices taking part in the communication, together with the protocol operations involved.
Wireshark can be used for a variety of purposes, such as diagnosing network problems, detecting security threats, analyzing network performance, or finding errors in communications. Wireshark is the tool preferred by network administrators, security experts, network engineers, and many technology professionals because it provides an in-depth understanding of network communications and data traffic and contributes greatly to troubleshooting processes.
Now let’s make a simple application example where we capture HTTP packets with Wireshark:
1. First, open Wireshark and start a packet capture.
2. I chose the site “testphp.vulnweb.com” for my application example.
3. I pinged this site to find out its IP address.
   IP address = 44.228.2499.3
4. I entered the IP address I learned into the filtering section. My goal is to examine the packets on this IP address.
5. I typed anything in the “Search” box to observe the HTTP protocol.
6. When we switch back to Wireshark, we can observe that it has captured the HTTP packet.
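The following added example (not code from the original article) ties the handshake section and the capture steps above together: it builds the three handshake segments with correct sequence and acknowledgement bookkeeping, appends a plaintext HTTP GET on the established connection, and writes the frames to a classic `.pcap` file that Wireshark can open. The IP addresses, ports, MAC addresses, initial sequence numbers and the `example.test` host are constructed sample values, not the site or IP address used in the article.

```python
"""Build a TCP 3-way handshake followed by a plaintext HTTP GET and write it as a .pcap.

Added example, not code from the original article. Addresses, ports, MACs and
sequence numbers are constructed sample values (documentation address ranges)."""
import struct
import time

CLIENT_IP, CLIENT_PORT = "192.0.2.10", 51000     # constructed client
SERVER_IP, SERVER_PORT = "203.0.113.5", 80       # constructed web server
CLIENT_ISN, SERVER_ISN = 1000, 5000              # constructed initial sequence numbers
SYN, PSH, ACK = 0x02, 0x08, 0x10                 # TCP flag bits
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"
TCP_OFF = 14 + 20                                # Ethernet + IPv4 headers precede TCP in each frame


def checksum(data: bytes) -> int:
    """One's-complement checksum used by both the IPv4 header and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def tcp_segment(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """20-byte TCP header (data offset 5) with a checksum over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    hdr = hdr[:16] + struct.pack("!H", checksum(pseudo + hdr + payload)) + hdr[18:]
    return hdr + payload


def frame(src, dst, tcp: bytes) -> bytes:
    """Ethernet II (constructed MACs, EtherType 0x0800) + IPv4 header (protocol 6 = TCP)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]   # fill in header checksum
    return bytes.fromhex("020000000002" "020000000001" "0800") + ip + tcp


def build_frames() -> list:
    """Steps 1-3 of the handshake, then the HTTP request on the established connection."""
    def c2s(seq, ack, flags, payload=b""):   # client -> server
        return frame(CLIENT_IP, SERVER_IP, tcp_segment(CLIENT_IP, SERVER_IP, CLIENT_PORT,
                                                       SERVER_PORT, seq, ack, flags, payload))

    def s2c(seq, ack, flags):                # server -> client
        return frame(SERVER_IP, CLIENT_IP, tcp_segment(SERVER_IP, CLIENT_IP, SERVER_PORT,
                                                       CLIENT_PORT, seq, ack, flags))

    return [
        c2s(CLIENT_ISN, 0, SYN),                                   # Step 1: SYN, seq = client ISN
        s2c(SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),                # Step 2: SYN-ACK, ack = ISN + 1
        c2s(CLIENT_ISN + 1, SERVER_ISN + 1, ACK),                  # Step 3: ACK, connection established
        c2s(CLIENT_ISN + 1, SERVER_ISN + 1, PSH | ACK, HTTP_GET),  # data: what Wireshark labels HTTP
    ]


def flag_name(fr: bytes) -> str:
    """Decode the TCP flags byte of a frame the way Wireshark's Info column labels it."""
    flags = fr[TCP_OFF + 13]
    return "-".join(n for bit, n in ((SYN, "SYN"), (PSH, "PSH"), (ACK, "ACK")) if flags & bit)


def handshake_is_consistent(frames) -> bool:
    """Check the seq/ack bookkeeping: each SYN consumes exactly one sequence number."""
    seq = lambda fr: struct.unpack("!I", fr[TCP_OFF + 4:TCP_OFF + 8])[0]
    ack = lambda fr: struct.unpack("!I", fr[TCP_OFF + 8:TCP_OFF + 12])[0]
    syn, synack, final_ack = frames[:3]
    return (ack(synack) == seq(syn) + 1 and seq(final_ack) == seq(syn) + 1
            and ack(final_ack) == seq(synack) + 1)


def pcap_bytes(frames) -> bytes:
    """Classic pcap: 24-byte global header (magic 0xa1b2c3d4, link type 1 = Ethernet) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    now = int(time.time())
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", now, i * 1000, len(fr), len(fr)) + fr  # 1 ms apart
    return out


if __name__ == "__main__":
    frames = build_frames()
    with open("handshake_http.pcap", "wb") as fh:
        fh.write(pcap_bytes(frames))
    for fr in frames:
        print(flag_name(fr))
    # Open handshake_http.pcap in Wireshark and apply:  ip.addr == 203.0.113.5 && http
```

Opened in Wireshark, the first three frames appear as [SYN], [SYN, ACK] and [ACK], matching the steps in the handshake section, and the fourth is dissected as an HTTP GET. Applying the display filter `ip.addr == 203.0.113.5 && http` isolates that request in the same way the IP filter in step 4 does, and because the request is plain HTTP its Host and User-Agent headers are fully readable in the packet bytes.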
Hopefully, this article can be useful for you!!
UNIQUESEC Student Club https://uniquesec.org/