You might want to take a look at the wireshark tool. It shows all of the packets within a transaction. Unfortunately, if you have other activity going on the computer it will pick those up as well so you will need to learn how to filter the results. I just ran a quick session to pull up the Google home page and there were about 250 packets. Most of those I'm not interested in so since you know that port 80 is the port of interest you can search for that using a filter:
However a possible better approach would be to start at the beginning and find the DNS packets. For that I used a filter:
Code:
dns.qry.name contains "www.google.com"
The results from the DNS query tell me that it will establish a link with the server with IP address of 74.125.71.147 With that little piece of knowledge I can set up a filter to look at just the packets sent to that address.
Code:
ip.addr == 74.125.71.147
From these packets displayed I can see what happens before my browser gets anything to display from the web server.
The first three packets are important and for what is known as the three way handshake. My browser sends an synchronise packet [SYN] which tells the web server to respond to me using this IP address and this port - in this case port 50021. The second packet comes from the server and Acknowledges the first packet and asks for acknowledgement in return [SYN, ACK]. The third packet acknowledges [ACK]the servers packet and a connection has been established.
Code:
60 36.616847 192.168.0.101 74.125.71.147 TCP 50021 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=349901752 TSER=0 WS=6
61 36.733250 74.125.71.147 192.168.0.101 TCP http > 50021 [SYN, ACK] Seq=0 Ack=1 Win=5672 Len=0 MSS=1430 TSV=2935979091 TSER=349901752 WS=6
62 36.733359 192.168.0.101 74.125.71.147 TCP 50021 > http [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=349901868 TSER=2935979091
What follows this is the request from the browser and the response from the server.