How would you spot a large HTTP response with a small header?

Study for the Wireshark Block 5 Exam. Prepare with flashcards and multiple choice questions, each offering hints and explanations. Ace your exam with the best resources!

Multiple Choice

How would you spot a large HTTP response with a small header?

Explanation:
The main idea is that the size of an HTTP response’s body is indicated by the headers that accompany it, or by how the body is encoded. Even if the response has a small header, you can determine or verify the actual payload size by checking the HTTP headers for size information and by reconstructing the body.

Look at the Content-Length field in the HTTP response header to see the exact number of bytes in the body. If this header is present, it tells you precisely how large the payload is. If the response uses Transfer-Encoding, especially chunked encoding, there may not be a single Content-Length value. In that case, you need to reconstruct the full payload to know its size. Wireshark’s Follow HTTP Stream tool is designed for this: it rebuilds the entire HTTP message, allowing you to see exactly how many bytes make up the payload and confirming whether the response is large despite a small header.

So, by checking Content-Length or Transfer-Encoding and then using Follow HTTP Stream to view the reconstructed payload, you can accurately spot a large HTTP response even when the header portion is small. The other approaches don’t directly reveal payload size: protocol hierarchy doesn’t indicate body length, DNS responses aren’t related to the HTTP message size, and filtering by host alone won’t show how much data is carried in the body.
