Instant Wireshark Starter [Instant]
A quick and easy guide to getting started with network analysis using Wireshark.
As you start to use Wireshark, you will realize that there is a wide variety of things you can do with it. This article by Abhinav Singh, author of Instant Wireshark Starter [Instant], will teach you about working with packet streams, one of the most commonly performed tasks and most commonly used features in Wireshark.
Working with Packet Streams
While a capture is running, several network activities usually overlap. Consider a small example where you are browsing multiple websites at the same time. TCP packets for all of those sites will be interleaved in the capture, so it becomes tedious to pick out by hand the packets that belong to one particular connection or session. This is where Follow TCP Stream comes into action.
Every TCP connection, identified by its source and destination IP addresses and ports, is its own stream, and a single site can open several of them. By using the Follow TCP Stream option we apply a filter that shows only the packets belonging to one such connection.
To view a complete stream, select any TCP packet that belongs to it (for example, a GET or POST request). Right-clicking on it will bring up the option Follow TCP Stream (in newer Wireshark versions it sits under Follow | TCP Stream in the right-click menu and under Analyze | Follow | TCP Stream).
Once you click on Follow TCP Stream, Wireshark opens a window showing the reassembled conversation with the two directions colour-coded, and applies a new display filter so that the main capture window lists only the packets belonging to that stream. This is helpful in figuring out which requests and responses were exchanged during a particular session of network interaction. If you take a closer look at the filter rule applied once you follow a stream, you will see a rule similar to tcp.stream eq <Number>. Here Number is the stream index. It is not a field carried in the packets: Wireshark assigns it to each distinct connection in the order in which the connections first appear in the capture, starting at 0, so the same connection can receive a different index if you save a filtered subset of the capture and open it again.
An additional operation that can be carried out here is to save only the packets belonging to a particular stream, for instance to hand a single suspicious session to a colleague. Once you have followed the stream, go to File | Save As and select Displayed so that only the packets matching the current filter are written. In newer Wireshark versions Save As always writes the whole capture; use File | Export Specified Packets and select Displayed instead.
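To make concrete what the Follow TCP Stream filter and the Save As | Displayed step are doing, here is an added Python example (written for this article, not code from the book or from Wireshark) that reads a classic pcap file, numbers conversations the way tcp.stream does, reassembles one conversation's payload in each direction, and writes a new pcap holding only that conversation. The sample capture is constructed inline with struct (two interleaved HTTP exchanges from one client using RFC 5737 documentation addresses, with one out-of-order segment and one retransmission), and all function names are hypothetical helpers; IP and TCP checksums are left zero because the parser does not verify them.

```python
import struct

# Added example: classic pcap reader/writer plus a "follow TCP stream"
# reassembler. Helper names are hypothetical; Wireshark exposes none of them.

def _ip4(s):
    return bytes(int(x) for x in s.split("."))

def build_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame. Checksums stay zero: nothing here verifies them."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     _ip4(src), _ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Classic libpcap file: magic 0xa1b2c3d4, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)

def parse_pcap(data):
    """Yield the raw frames of a classic pcap file (either byte order)."""
    e = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(e + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl]
        off += incl

def parse_tcp(frame):
    """TCP fields of an IPv4/TCP Ethernet frame, or None for anything else."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total]
    sport, dport, seq, _, doff, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "payload": tcp[(doff >> 4) * 4:]}

def index_frames(data):
    """Pair every TCP frame with a stream index assigned the way tcp.stream is:
    each new bidirectional (ip, port) pair gets the next number, starting at 0,
    the first time it appears in the capture."""
    index, out = {}, []
    for frame in parse_pcap(data):
        p = parse_tcp(frame)
        if p is not None:
            key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
            out.append((frame, p, index.setdefault(key, len(index))))
    return out

def follow_tcp_stream(data, idx):
    """Reassemble each direction of stream idx by sequence number. Out-of-order
    segments are sorted and a retransmitted segment with the same seq is dropped
    (first copy wins); overlapping segments are not merged, a simplification."""
    by_dir = {}
    for _, p, i in index_frames(data):
        if i == idx and p["payload"]:
            d = (p["src"], p["sport"], p["dst"], p["dport"])
            by_dir.setdefault(d, {}).setdefault(p["seq"], p["payload"])
    return {d: b"".join(segs[s] for s in sorted(segs)) for d, segs in by_dir.items()}

def save_stream(data, idx):
    """What File | Save As with 'Displayed' does under tcp.stream eq idx: a new
    pcap containing only that conversation's frames."""
    return build_pcap([f for f, _, i in index_frames(data) if i == idx])

# Constructed sample capture: two interleaved HTTP conversations from one client.
C, S1, S2 = "192.0.2.10", "198.51.100.20", "203.0.113.30"
SYN, ACK, PSH = 0x02, 0x10, 0x08
SAMPLE_PCAP = build_pcap([
    build_frame(C, S1, 40000, 80, 1000, 0, SYN),
    build_frame(C, S2, 40001, 80, 5000, 0, SYN),
    build_frame(S1, C, 80, 40000, 2000, 1001, SYN | ACK),
    build_frame(C, S1, 40000, 80, 1001, 2001, PSH | ACK, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    build_frame(S2, C, 80, 40001, 6000, 5001, SYN | ACK),
    build_frame(C, S2, 40001, 80, 5001, 6001, PSH | ACK, b"GET /b HTTP/1.1\r\nHost: b\r\n\r\n"),
    # server 1's reply: second segment captured first, then a retransmission of it
    build_frame(S1, C, 80, 40000, 2020, 1028, PSH | ACK, b"hello\n"),
    build_frame(S1, C, 80, 40000, 2001, 1028, PSH | ACK, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame(S1, C, 80, 40000, 2020, 1028, PSH | ACK, b"hello\n"),
    build_frame(S2, C, 80, 40001, 6001, 5029, PSH | ACK, b"HTTP/1.1 404 Not Found\r\n\r\n"),
])

if __name__ == "__main__":
    for d, payload in follow_tcp_stream(SAMPLE_PCAP, 0).items():
        print("%s:%d -> %s:%d" % d, payload)
    print(len(list(parse_pcap(save_stream(SAMPLE_PCAP, 0)))), "frames saved for stream 0")
```

Running it prints the two directions of stream 0 with the server reply in the right order despite the capture order, and the duplicate "hello" dropped. If you feed the file written by save_stream back into index_frames, the conversation comes back as stream 0, which is exactly what happens to tcp.stream in Wireshark after you save a filtered capture and reopen it.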
Similar to following a TCP stream, we also have the options to follow UDP and SSL streams. Select a packet of the relevant protocol (UDP or SSL) and right-click on it; the matching Follow option is enabled according to the selected protocol, and the resulting filter uses udp.stream in the same way as tcp.stream. Note that Follow SSL Stream only shows application data if Wireshark can decrypt the session, that is, if the server's RSA private key or a (Pre)-Master-Secret log file has been configured in the protocol preferences; without keys there is nothing readable to show. Newer Wireshark versions call this option Follow TLS Stream.
The Wireshark toolbar icons also provide some quick navigation options for moving through the captured packets. These icons include:
Go back in packet history (1): This option takes you back to the last analyzed/selected packet. Clicking on it multiple times keeps pushing you back through your selection history.
Go forward in packet history (2): This option moves you forward again through the same selection history.
Go to packet (3): This option is useful for jumping directly to a specific packet number.
Go to the first packet (4): This option takes you to the first packet in the current display of the capture window.
Go to last packet (5): This option jumps your selection to the last packet in your capture window.
In this article, we learned how to work with packet streams.
Resources for Article:
- BackTrack 5: Advanced WLAN Attacks [Article]
- BackTrack 5: Attacking the Client [Article]
- Debugging REST Web Services [Article]
About the Author:
Abhinav Singh is a young Information Security specialist from India. He has a keen interest in the field of hacking and network security and has adopted it as his full-time profession. He is also the author of Metasploit Penetration Testing Cookbook, Packt Publishing. He is an active contributor to the SecurityXploded community.
Abhinav's works have been quoted in several security and technology magazines and portals.