Introduction

In this short tutorial I recommend Wireshark as a web services debugging program and give a quick introduction to using Wireshark packet filters.

Why Wireshark?

Lately, I've been doing a lot of projects on web services and have worked with different sorts of web service clients. When setting up and testing a client, it happens all too often that something goes wrong. This might be due to a simple developer mistake, which is usually easy to figure out, or due to a bad parser, character encoding, or even the makeup of the request or response itself.

For example, some weeks ago I had to authorize a client program with a website using OAuth. At first, I used oauth-signpost to do this, but I couldn't get it to work. Then I used the OAuth library from Google Code, which worked. At first, I thought I must have used the signpost API in a wrong way. But after inspecting the traffic with Wireshark, the only difference between the requests was that signpost included the parameters in the body of the request while the latter API included them as parameters. It was this that was causing the error.

It comes in handy if you can easily inspect which packets your machine sends and receives. Wireshark does exactly that, and you don't even need to set up a proxy. It is completely free, too.

Note: Sometimes I use TCPMon too, which is more lightweight and doesn't need to be installed, but which requires setting up a proxy.
The only thing you need (besides a basic understanding of packets, and installing Wireshark and firing it up) to use it efficiently is to set up filters.
Note: It is possible that if you are using Linux, you will have to build Wireshark yourself from source. I only saw prepared Windows and Mac distributions on their website.

Wireshark filters

After starting Wireshark and selecting the adapter from which you want to capture packets, the program will show you all traffic sent and received by your PC.
You probably only want to see the packets of one protocol, or the packets related to communication with a particular server.
Right above the packet list there is the filter bar, in which you can type filters such as:

tcp

to show only TCP packets, or:

(ip.src==64.74.98.80) || (ip.dst==64.74.98.80)

to show all packets in which 64.74.98.80 (www.linkedin.com) was the source or destination IP address.
Notice how you can build up expressions using brackets and the && and || operators.

Example

Consider the filter

(ip.src==64.74.98.80) || (ip.dst==64.74.98.80)

which will show all packets sent to and received from www.linkedin.com.
If you run the following Java program:

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;

public class ShowPackets {
	public static void main(String[] args) {
		try {
			// Open a plain HTTP connection to the host behind the filter's address
			URL url = new URL("http://www.linkedin.com");
			URLConnection connection = url.openConnection();
			connection.connect();
			// Read the response so the whole request/response exchange shows up in Wireshark
			connection.getContent();
		} catch (MalformedURLException e) {
			e.printStackTrace();
		} catch (IOException e) {
			e.printStackTrace();
		}
	}
}

you will see the following list of packets in Wireshark:

[Screenshot: Wireshark filter example]

If you want to narrow the list down further to the most interesting packets, you can use the filter expression

((ip.src==64.74.98.80) || (ip.dst==64.74.98.80)) && http
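To make the precedence and combination rules of the filters above concrete, here is a small added example (not code from the original post, and not Wireshark's own filter engine) that evaluates the subset of display-filter syntax this tutorial uses, namely bare protocol names, field==value comparisons, && and ||, and brackets, against a constructed packet list. The packet records, the client address 192.168.1.10 and the DNS server 8.8.8.8 are all assumptions made up for the example; 64.74.98.80 is the address used in the tutorial.

```python
import re

# Constructed sample capture (not the tutorial's screenshot) of the Java program above
# fetching www.linkedin.com: 64.74.98.80 is from the tutorial; the other hosts are hypothetical.
PACKETS = [
    {"ip.src": "192.168.1.10", "ip.dst": "64.74.98.80", "protos": {"ip", "tcp"}},          # SYN
    {"ip.src": "64.74.98.80", "ip.dst": "192.168.1.10", "protos": {"ip", "tcp"}},          # SYN/ACK
    {"ip.src": "192.168.1.10", "ip.dst": "64.74.98.80", "protos": {"ip", "tcp", "http"}},  # GET /
    {"ip.src": "64.74.98.80", "ip.dst": "192.168.1.10", "protos": {"ip", "tcp", "http"}},  # 200 OK
    {"ip.src": "192.168.1.10", "ip.dst": "8.8.8.8", "protos": {"ip", "udp", "dns"}},       # unrelated DNS
]

TOKEN = re.compile(r"\(|\)|&&|\|\||==|[A-Za-z_][\w.]*|[\d.]+")   # the tokens the tutorial uses

def tokenize(expr):
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):   # findall skips unknown characters; reject them
        raise ValueError(f"unrecognised characters in filter {expr!r}")
    return tokens

def parse(tokens):
    tokens = list(tokens)                      # consumed left to right; pop(0) on a truncated filter raises
    peek = lambda: tokens[0] if tokens else None
    def chain(op, sub, combine):               # left-associative `sub op sub op ...`
        left = sub()
        while peek() == op:
            tokens.pop(0)
            left = (lambda l, r: lambda p: combine(l(p), r(p)))(left, sub())
        return left
    def primary():
        tok = tokens.pop(0)
        if tok == "(":                         # bracketed sub-expression
            inner = expr_or()
            if tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return inner
        if peek() == "==":                     # field comparison, e.g. ip.src==64.74.98.80
            tokens.pop(0)
            return lambda p, f=tok, v=tokens.pop(0): p.get(f) == v
        return lambda p, name=tok: name in p["protos"]   # bare protocol, e.g. tcp or http
    expr_and = lambda: chain("&&", primary, lambda a, b: a and b)   # && binds tighter than ||
    expr_or = lambda: chain("||", expr_and, lambda a, b: a or b)
    pred = expr_or()
    if tokens:
        raise ValueError(f"unexpected trailing tokens {tokens}")
    return pred

def matching_packets(expr, packets=PACKETS):
    """Indices of the packets a display filter keeps, as Wireshark's packet list would show."""
    pred = parse(tokenize(expr))
    return [i for i, p in enumerate(packets) if pred(p)]
```

Running the tutorial's three filters over this capture shows the narrowing step by step: tcp keeps the four LinkedIn packets, the ip.src/ip.dst filter keeps the same four, and adding && http leaves only the GET and its 200 OK.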