PCAP files and Wireshark

In the last chapter, we looked at network headers and what they might indicate. Ordinarily, though, the network headers are not revealed to the end user; when a user visits a web page, they are presented only with the result: the application payload or response body. To view the headers (and the other network-layer fields), cybersecurity workers must inspect the packets as they appear on the wire.

Packet capture software allows cybersecurity workers to do this. The most common applications are tcpdump, which works on the command line, and Wireshark, which adds analysis tools and a graphical user interface (GUI).

PCAP files are the standard format for storing captured network data. Identifying the headers in each layer is a key skill for cybersecurity investigators.

The following sections are based on the captured TCP stream of an HTTP session. All screenshots are taken from Wireshark, as the 210-255 specification requires candidates to be familiar with the Wireshark menu structure.
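As an added example (not from the book), the following Python script builds a one-frame PCAP file in memory carrying an HTTP GET, then walks the PCAP global header, the record header and the Ethernet, IPv4 and TCP headers to show which fields each layer contributes; the MAC addresses, IP addresses, ports and timestamp are constructed sample values.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4       # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_sample_pcap():
    """Construct one Ethernet/IPv4/TCP frame carrying an HTTP GET (sample data)."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/IHL, TOS, total length, ID, flags (DF), TTL, proto TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    eth = bytes.fromhex("00163e112233") + bytes.fromhex("00163e445566") + b"\x08\x00"
    frame = eth + ip + tcp + payload
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rhdr = struct.pack("<IIII", 1700000000, 0, len(frame), len(frame))
    return ghdr + rhdr + frame

def parse_pcap(data):
    """Decode each pcap record as Ethernet -> IPv4 -> TCP -> payload."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    packets, off = [], 24          # records start right after the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        pkt = {"ts": ts_sec + ts_usec / 1e6,
               "ethertype": struct.unpack_from("!H", frame, 12)[0]}
        if pkt["ethertype"] == 0x0800:           # IPv4 follows the 14-byte Ethernet header
            ip = frame[14:]
            ihl = (ip[0] & 0x0F) * 4             # header length in bytes (options included)
            pkt.update(ttl=ip[8], proto=ip[9], src=".".join(map(str, ip[12:16])),
                       dst=".".join(map(str, ip[16:20])))
            if pkt["proto"] == 6:                # TCP
                tcp = ip[ihl:]
                sport, dport, seq, _ack, offres, flags = struct.unpack_from("!HHIIBB", tcp, 0)
                doff = (offres >> 4) * 4         # TCP header length in bytes
                pkt.update(sport=sport, dport=dport, seq=seq, flags=flags, payload=tcp[doff:])
        packets.append(pkt)
    return packets

if __name__ == "__main__":
    for p in parse_pcap(build_sample_pcap()):
        print(p["src"], p["sport"], "->", p["dst"], p["dport"], p["payload"][:16])
```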
