Using Wireshark to Analyze Subversion (WebDAV) Traffic

Subversion can be served over HTTP by integrating it with the Apache web server, which provides the HTTP interface to the repository (through the mod_dav_svn module). Besides the standard HTTP methods such as GET, POST, PUT, DELETE and OPTIONS, Subversion over HTTP uses a number of additional methods. Methods such as COPY, MOVE, PROPFIND, PROPPATCH and LOCK are part of the WebDAV extension to HTTP, and they are what you will see when dissecting this traffic.

Wireshark dissects HTTP very well by default. There are still cases, however, in which HTTP is not dissected at all, and the capture then looks like this:

Wireshark

Dissecting HTTP traffic

If the web server runs on a non-standard port, you have to associate that port with the HTTP dissector in Wireshark; otherwise HTTP traffic on that port is shown as plain TCP (or as whatever other protocol happens to claim that port) and none of the HTTP filters below will match. Either of the following methods associates a port with a protocol.

#1: Using Protocol Preferences

Open “Edit -> Preferences -> Protocols -> HTTP” and add the port to the “TCP ports” list. This change is saved in the Wireshark configuration, so it applies to every capture you open afterwards.

Wireshark - HTTP Protocol Preference

#2: Using User Specified Decodes

“Decode As” temporarily diverts traffic to a dissector of your choice. First select any packet belonging to the traffic you want dissected, then open “Analyze -> Decode As”. Under the Transport tab select the port and choose HTTP as the protocol, as shown below.

Wireshark - Decode As

If you want a user-specified decode to persist in your profile, open “Analyze -> User Specified Decodes” and select “Save”; Wireshark then stores it in the current profile.

Filtering HTTP traffic

Display filters for HTTP only work once the traffic is actually dissected as HTTP. If it is not, HTTP filters simply return no packets, which is easy to mistake for “there is no such traffic in the capture”.

Filtering Specific Methods

http.request.method == "COPY"
Filter Specific Method

Filtering Client behind Reverse Proxy

When clients reach the web server through a reverse proxy or an SSL offloading engine, the source IP address of every request is that of the proxy: the client's HTTP connection is terminated at the proxy, which opens its own connection to the web server and re-issues the request. Most reverse proxies record the real client address in the X-Forwarded-For HTTP header before forwarding, so that header is how you find a given client in the capture. Keep in mind that X-Forwarded-For is an ordinary header the client can send itself; a well-configured proxy appends the address it actually saw connecting as the last element of the list, and only that element can be trusted. The exact match below therefore works when the header holds a single address; if your proxy appends to a client-supplied list, filter with “contains” instead.

http.x_forwarded_for == "172.16.100.234"
X_Forwarded_For Filter

Following Request/Response

For a given request packet, the server's response can be seen with “Follow TCP Stream”: right-click the request packet and select “Follow TCP Stream”. The request and the response are then shown together, in order, as the two sides of the conversation.

Follow HTTP Request Response

Filtering Custom HTTP Headers

If a header does not show up in the filter expressions, you can add it as a custom HTTP header field. “Destination”, for example (the header that COPY and MOVE requests use to name the target resource), is not available by default. Add “Destination” to “Custom HTTP header fields” under “Edit -> Preferences -> Protocols -> HTTP”.

Wireshark - Custom Header Fields

You can then filter on the “Destination” header with the following expression.

http.header.Destination contains "http://"
Filter Custom HTTP Header

Filtering contents of the HTTP body

The filters above only look at HTTP headers. To match text in the message body (the XML and HTML that Subversion and Apache exchange), use the following expression.

frame matches "(?i)Has been created"

This searches the raw bytes of the whole frame and shows the packets in which the string is found; (?i) makes the search case-insensitive. Because it works on raw bytes it ALSO WORKS when HTTP is not dissected. For the same reason it has two limits worth knowing: it only sees the bytes of one frame, so a body split across several TCP segments is searched one segment at a time, and it cannot see into a compressed body (Content-Encoding: gzip), because the raw bytes are the compressed ones. In those cases filter on the dissected body field (http.file_data) instead, and make sure “Uncompress entity bodies” is enabled in “Edit -> Preferences -> Protocols -> HTTP”; that field only exists once HTTP is dissected.

Filter Frame Data
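The filters from the sections above in one runnable form, as an added example that is not code from the original post: a small Python script builds a few constructed WebDAV messages (a COPY with a Destination header, a PROPFIND whose X-Forwarded-For list was extended by the proxy, a MKCOL, and a gzip-compressed 201 Created response), parses them with a minimal parser written for this example (not Wireshark's dissector), and applies the equivalents of the method, X-Forwarded-For, Destination and body filters. The host names, paths and addresses are invented. It shows two things the screenshots cannot: why an exact X-Forwarded-For match misses a request once the proxy has appended to a client-supplied list, and why a raw-bytes match (“frame matches”) finds nothing in a compressed body until it is decompressed, which is what “Uncompress entity bodies” does for the dissected field.

```python
"""Added example (not code from the original post): this page's Wireshark
display filters re-implemented in Python and run over constructed WebDAV
traffic.  Host names, paths and IP addresses are invented."""
import gzip
import re

def build_message(start_line, headers, body=b""):
    """Assemble one raw HTTP message (constructed sample input)."""
    headers = dict(headers, **{"Content-Length": str(len(body))})
    head = [start_line] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(head).encode("ascii") + b"\r\n\r\n" + body

# Roughly what Apache's mod_dav returns after a successful COPY/MKCOL; constructed
# and simplified, and served gzip-compressed as mod_deflate would.
CREATED_BODY = (
    b"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n"
    b"<html><head>\r\n<title>201 Created</title>\r\n</head><body>\r\n"
    b"<h1>Created</h1>\r\n"
    b"<p>Collection /svn/repo/tags/release-1.0 has been created.</p>\r\n"
    b"</body></html>\r\n"
)

# Constructed capture: requests as a reverse proxy forwards them to Apache on
# port 5005, plus one response.  In the PROPFIND the client sent a forged
# X-Forwarded-For and the proxy appended the address it really saw.
SAMPLE_MESSAGES = [
    build_message("COPY /svn/repo/trunk HTTP/1.1", {
        "Host": "svn.example.test:5005", "X-Forwarded-For": "172.16.100.234",
        "Destination": "http://svn.example.test:5005/svn/repo/tags/release-1.0",
        "Overwrite": "F"}),
    build_message("PROPFIND /svn/repo/trunk HTTP/1.1", {
        "Host": "svn.example.test:5005", "X-Forwarded-For": "10.0.0.1, 172.16.100.234",
        "Depth": "0", "Content-Type": "text/xml"},
        b'<?xml version="1.0"?><propfind xmlns="DAV:"><allprop/></propfind>'),
    build_message("MKCOL /svn/repo/branches/feature HTTP/1.1", {
        "Host": "svn.example.test:5005", "X-Forwarded-For": "172.16.100.77"}),
    build_message("HTTP/1.1 201 Created", {
        "Server": "Apache", "Content-Type": "text/html", "Content-Encoding": "gzip"},
        gzip.compress(CREATED_BODY)),
]

def parse_http(raw):
    """Minimal HTTP/1.1 parser.  A gzip body is decompressed, which is what the
    "Uncompress entity bodies" preference does for Wireshark's http.file_data."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    first, second, _ = lines[0].split(" ", 2)
    if first.startswith("HTTP/"):
        msg = {"kind": "response", "status": int(second)}
    else:
        msg = {"kind": "request", "method": first, "uri": second}
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    msg["headers"], msg["body"] = headers, body
    return msg

def trusted_client_ip(msg):
    """Client address as it should be read from X-Forwarded-For: the LAST element,
    the one our own proxy appended.  Anything before it came from the client or
    an upstream hop and can be forged."""
    xff = msg["headers"].get("x-forwarded-for")
    return xff.split(",")[-1].strip() if xff else None

def header_contains(msg, name, needle):
    """http.header.<Name> contains "needle" (the custom header field filter)."""
    return needle in msg["headers"].get(name.lower(), "")

def raw_frame_matches(raw, pattern):
    """frame matches "pattern": a regex over the raw bytes, compressed or not."""
    return re.search(pattern.encode("ascii"), raw) is not None

def body_matches(msg, pattern):
    """The same regex over the decompressed entity body (http.file_data matches)."""
    return re.search(pattern.encode("ascii"), msg["body"]) is not None

def run_filters(messages, client_ip="172.16.100.234", needle="(?i)Has been created"):
    """Apply each filter from the page to every message and return what matched."""
    parsed = [parse_http(raw) for raw in messages]
    requests = [m for m in parsed if m["kind"] == "request"]
    return {
        # http.request.method == "COPY"
        "copy_requests": [m["uri"] for m in requests if m["method"] == "COPY"],
        # http.x_forwarded_for == "<ip>": exact match on the whole header value,
        # so it misses the PROPFIND whose header became a two-element list
        "xff_equals": [m["method"] for m in requests
                       if m["headers"].get("x-forwarded-for") == client_ip],
        # requests whose trusted (proxy-appended) hop is the client
        "xff_trusted": [m["method"] for m in requests
                        if trusted_client_ip(m) == client_ip],
        # http.header.Destination contains "http://"
        "destination_http": [m["method"] for m in requests
                             if header_contains(m, "Destination", "http://")],
        # frame matches "(?i)Has been created" on raw bytes vs. after decompression
        "body_raw": [i for i, raw in enumerate(messages) if raw_frame_matches(raw, needle)],
        "body_decoded": [i for i, m in enumerate(parsed) if body_matches(m, needle)],
    }

if __name__ == "__main__":
    for name, hits in run_filters(SAMPLE_MESSAGES).items():
        print(f"{name:17s} {hits}")
```

Run it as a script to print each filter's hits. The exact X-Forwarded-For comparison returns only the COPY, while reading the proxy-appended element returns both the COPY and the PROPFIND; the raw-bytes search returns nothing for the gzip-compressed 201 response, and the search over the decompressed body returns it.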

Finding Packets

Finding an individual packet is simpler than writing a filter expression, and it works even when HTTP is not dissected. It is also an effective way to search for strings, since the Find Packet dialog (“Edit -> Find Packet”) lets you choose what to search for (“String”) and where to look (“Packet bytes”). The following example looks for a file name matching “test.ex” in the packet bytes.

Wireshark - Find Packet

About Dinesh Sharma

Experienced system architect, programmer, and trainer. This blog is a way of giving back and helping the community. So feel free to ask a question or to leave a comment.

  • CoolRaoul

    Maybe you can help,

    I’ve tried applying your tutorial (method #1) to decode a WebDAV capture on a non-standard port (5005).

    Unfortunately, Wireshark insists on decoding the packets as “avt-profile-2”.

    • Disable RTCP and RTP protocols from “Analyze->Enabled Protocols…”.
      You can also try method #2.

      • CoolRaoul

        Neither tip worked; the packets are still decoded like this.

        I suddenly realised that there is no HTTP dialogue in my capture: the port is closed beforehand.

        • Strangely, when I tested with SVNServer on port 5005 I found that the HTTP part of the packets is dissected as HTTP; the rest of the packets, like SYN and ACK, are shown as avt-profile-2. Are you sure you are running SVNServe over HTTP rather than using svn://?

          • CoolRaoul

            I’m not using svn; it is a WebDAV server.

            It seems that, in my case, the correct explanation is simply that the TCP session was interrupted *before* any HTTP data had been exchanged.