I am working with HTTP Headers as shown below.

    GET /success.txt HTTP/1.1
    Host: detectportal.firefox.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0)
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: keep-alive

    HTTP/1.1 200 OK
    Content-Type: text/plain
    Content-Length: 8
    Last-Modified: Mon, 15 May 2017 18:04:40 GMT
    ETag: "ae780585fb7d28906123"
    Accept-Ranges: bytes
    Server: AmazonS3
    X-Amz-Cf-Id: iMjet-5hLAEAf8HyvtHWnotG4mkD7VeN7A==
    Cache-Control: no-cache, no-store, must-revalidate
    Date: Mon, 24 Jul 2017 18:24:08 GMT
    Connection: keep-alive

As we can see from the above handshake, it was a successful 2-way handshake. I am just wondering if these types of handshakes can tell us if a file was downloaded, uploaded, or accessed? If not, how do we know which of these actions has taken place from the header file? Thanks!

Jaimesh
  • Nope. Why would you expect that information to be in the headers? What do you mean by _"downloaded, uploaded, or accessed"_ anyway? What problem are you trying to solve and why are you looking into HTTP response headers for a solution? It's also not a "handshake" (a term used to indicate the start of a connection of some sort), it is a request-response pair. All in all your question sounds really misguided and could use an explanation of what you're actually trying to do. – CodeCaster Jul 26 '17 at 12:35
  • Let's say you requested a PDF page and downloaded it from the web, or just read and closed it; in the meanwhile, you capture the traffic using Wireshark or something else. Is there any way to know that the PDF file was downloaded from the HTTP header? – martial mathers Jul 26 '17 at 12:39
  • It's still very unclear _why_ you're asking this, but I'm going to provide an answer that answers that question. I don't think you can do anything useful with it. Perhaps make this less of a hypothetical question and explain what you're actually trying to do. – CodeCaster Jul 26 '17 at 12:41

2 Answers

> is there anyways to know that the pdf file was downloaded from [captured network packets containing these] HTTP header[s]?

No. The headers describe a resource, and optionally that resource's content that will follow.

Nobody stops you from closing the connection after reading the headers, causing the content not to be downloaded.

So just seeing these headers fly by on the network is no proof someone actually viewed that response's content, even if there was any.

But in general, if a request has a payload, you can say "something" was uploaded, and if a response has a payload, you can say "something" was downloaded. What exactly was uploaded can be obtained by inspecting the request's content-type headers. Do note that the concept of a "file" becomes blurry when transmitting them over a network. A web server responding to a request may generate a PDF document in-memory, and serve that with a header that prompts a Save As... dialog in your browser. Can you then say a "file" was downloaded? What if a site serves a CSS file existing on the server's disk, which your browser renders, but doesn't store on disk (barring caching)? Was a "file" "downloaded" then?

See "HTTP response headers valid with no Transfer-Encoding and Content-Length?" for how to determine a message's length.

CodeCaster
  • ok, thanks. I was just wondering if there is a way. I appreciate your time. – martial mathers Jul 26 '17 at 12:46
  • For the last time, "a way" to do WHAT exactly? Do you want to prove somebody downloaded something on your network? – CodeCaster Jul 26 '17 at 12:46
  • a way to know if something was uploaded or downloaded from the Http Header that I got using "follow tcp stream" in wireshark. – martial mathers Jul 26 '17 at 12:48
  • In general, if a request has a content-length header, something was uploaded, and if a response has a content-length header, something was downloaded alright. Unless the connection was closed before sending or receiving the payload. Or unless chunking or a connection: close without content-length was in play. – CodeCaster Jul 26 '17 at 12:50
  • well, that was the answer I was looking for. thanks again – martial mathers Jul 26 '17 at 12:52
  • In that case I have expanded my answer somewhat. I hope that explains why it was a bit unclear what exactly you're after. – CodeCaster Jul 26 '17 at 12:57
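
The framing cases named in the answer and comments above (Content-Length, chunking, a body delimited by connection close, a connection closed early), as an added example that is not part of the original thread: Python code that takes the raw bytes of one HTTP message from a capture and reports how much payload was declared and how much is actually present. The function names `parse_head`, `dechunk` and `transfer_summary` and the sample bodies are assumptions made for this example.

```python
# Added example; function names and sample bodies are hypothetical.
def parse_head(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    start, *fields = head.decode("iso-8859-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (f.partition(":") for f in fields)}
    return start, headers, body

def dechunk(data):
    """Return (payload bytes seen, True if the terminating 0-size chunk was seen)."""
    seen = 0
    while True:
        size_line, sep, data = data.partition(b"\r\n")
        if not sep:
            return seen, False            # capture ended inside a chunk-size line
        try:
            size = int(size_line.split(b";")[0], 16)
        except ValueError:
            return seen, False            # not valid chunk framing
        if size == 0:
            return seen, True
        seen += min(size, len(data))
        if len(data) < size + 2:          # chunk or its trailing CRLF cut short
            return seen, False
        data = data[size + 2:]

def transfer_summary(raw, request_method="GET"):
    start, h, body = parse_head(raw)
    is_response = start.startswith("HTTP/")
    status = int(start.split()[1]) if is_response else None
    out = {"payload_direction": "download" if is_response else "upload",
           "content_type": h.get("content-type"), "declared": None}
    if is_response and (request_method == "HEAD" or status < 200 or status in (204, 304)):
        out.update(framing="none", captured=0, complete=True)
    elif "chunked" in h.get("transfer-encoding", "").lower():
        seen, done = dechunk(body)
        out.update(framing="chunked", captured=seen, complete=done)
    elif "content-length" in h:
        n = int(h["content-length"])
        out.update(framing="content-length", declared=n,
                   captured=min(len(body), n), complete=len(body) >= n)
    elif is_response:                     # no length given: body runs until close
        out.update(framing="until-close", captured=len(body), complete=None)
    else:                                 # a request without a length has no body
        out.update(framing="none", captured=0, complete=True)
    return out

# Constructed captures: status line and headers as on the page, body invented.
HDRS = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 8\r\n\r\n"
FULL, CUT = HDRS + b"success\n", HDRS     # body received vs. closed after headers
```

`complete` is `None` for a close-delimited response because the capture alone cannot show whether the sender finished; in every case the result describes bytes on the wire, not whether anyone viewed or saved them.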

If you want to know whether an HTTP response is for a file other than an HTML document just by looking at the headers, then check the Content-Type header. It contains the MIME type of the content being sent, e.g. text/html for an HTML file, text/css for a CSS file, application/pdf or application/x-pdf for a PDF file, video/mp4 for an MP4 video, etc. The official list is at http://www.iana.org/assignments/media-types/media-types.xhtml

Leo Aso