Wireshark: Working with Packet Streams

Instant Wireshark Starter


January 2013

A quick and easy guide to getting started with network analysis using Wireshark

(For more resources related to this topic, see here.)

Working with Packet Streams

While analysing a capture there are usually several network activities going on at once. Consider a simple case where you are browsing multiple websites at the same time: the TCP segments for all of those connections are interleaved in the capture, so it becomes tedious to pick out the packets that belong to one particular connection or session. This is where Follow TCP Stream comes in.

Each TCP connection (a single site may open several of them) forms its own stream of packets. The Follow TCP Stream option applies a display filter that shows only the packets belonging to the selected stream.

To view a complete stream, select any packet from the connection of interest (for example, the one carrying an HTTP GET or POST request) and right-click it to bring up the Follow TCP Stream option. The same command is also available from the Analyze menu.

Once you click Follow TCP Stream, Wireshark opens a dialog showing the reassembled conversation, with the two directions shown in different colours, and applies a new display filter so that the main capture window lists only the packets belonging to that stream. This is helpful for working out which requests and responses were exchanged during one session of network interaction. If you take a closer look at the filter rule that has been applied, you will see something like tcp.stream eq <Number>. Here Number is the index Wireshark assigned to that conversation: streams are numbered from 0 in the order in which each TCP connection first appears in the capture, so once you know the index you can also type the filter by hand. Note that for unencrypted protocols such as HTTP, FTP or Telnet the reassembled view shows the application data in the clear, including any credentials, cookies or session tokens that were sent.

You can also save just the packets belonging to a particular stream. With the stream filter in place, go to File | Save As and select Displayed rather than All packets (in later Wireshark versions this option lives under File | Export Specified Packets). This writes the filtered packets to a new capture file; if what you want is the reassembled payload itself, for example an HTTP response body, use the Save As button in the Follow TCP Stream dialog instead.

Similar to following a TCP stream, you can also follow UDP and SSL streams. Select a packet of the protocol in question (UDP or SSL) and right-click it; the Follow option offered will match the selected protocol. Keep in mind that Follow SSL Stream only shows decrypted application data if Wireshark has been given the key material needed to decrypt the session (for example the server's RSA private key, configured under the SSL protocol preferences); otherwise you will see only the handshake and the encrypted records.
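To make concrete what Follow TCP Stream, the tcp.stream filter and File | Save As with Displayed actually do, here is an added example (written for this article, not code from Wireshark or from the book) that implements the same three operations over a classic pcap file in pure Python: it numbers conversations the way Wireshark does (from 0, in order of first appearance, regardless of direction), reassembles each direction of a chosen stream by sequence number while discarding retransmitted and overlapping bytes, and writes a new pcap containing only that stream's frames. The sample capture is constructed inline (two interleaved HTTP conversations, one ARP frame, an out-of-order response segment and a retransmission) and the addresses, ports and payloads in it are made up. It handles Ethernet/IPv4/TCP only; IPv6 and sequence-number wraparound are out of scope.

```python
"""Follow TCP Stream in pure Python (added illustration, not Wireshark code).
Shows Wireshark-style tcp.stream numbering and per-direction reassembly for
classic pcap files with Ethernet/IPv4/TCP frames. Sample capture constructed inline."""
import struct

LINKTYPE_ETHERNET = 1

def parse_pcap(data):
    """Yield (frame_number, raw_record, frame) for every record in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are supported")
    off, number = 24, 1
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        end = off + 16 + incl_len
        yield number, data[off:end], data[off + 16:end]
        off, number = end, number + 1

def decode_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return src, sport, dst, dport, seq, tcp[(off_flags >> 12) * 4:]

def tcp_frames(pcap):
    """List (frame_number, tcp.stream, decoded, raw_record) for every TCP frame.
    As in Wireshark, the first conversation seen (either direction) is stream 0."""
    streams, out = {}, []
    for number, record, frame in parse_pcap(pcap):
        tcp = decode_tcp(frame)
        if tcp is not None:
            key = tuple(sorted([tcp[0:2], tcp[2:4]]))   # direction-independent 4-tuple
            out.append((number, streams.setdefault(key, len(streams)), tcp, record))
    return out

def follow_tcp_stream(pcap, stream_number):
    """Reassemble each direction of one stream into contiguous application data,
    ordering by sequence number and dropping retransmitted or overlapping bytes."""
    per_direction = {}
    for _n, sno, (src, sport, dst, dport, seq, payload), _r in tcp_frames(pcap):
        if sno == stream_number and payload:
            per_direction.setdefault((src, sport, dst, dport), []).append((seq, payload))
    reassembled = {}
    for direction, segments in per_direction.items():
        segments.sort(key=lambda s: s[0])           # no 32-bit wraparound handling
        data, expected = b"", segments[0][0]
        for seq, payload in segments:
            if seq + len(payload) <= expected:
                continue                                # pure retransmission
            if seq < expected:
                payload = payload[expected - seq:]      # trim the overlapping head
            data += payload                             # seq > expected means lost data
            expected = max(seq, expected) + len(payload)
        reassembled[direction] = data
    return reassembled

def export_stream(pcap, stream_number):
    """Return a pcap holding only that stream's frames (File | Save As, Displayed)."""
    records = [r for _n, sno, _t, r in tcp_frames(pcap) if sno == stream_number]
    return pcap[:24] + b"".join(records)

def _frame(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame (PSH|ACK set, checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip

def build_sample_pcap():
    """Constructed capture: two interleaved HTTP conversations and one ARP frame;
    stream 0's response arrives out of order and one segment is retransmitted."""
    a, b, c = b"\x0a\x00\x00\x01", b"\x5d\xb8\xd8\x22", b"\xc0\xa8\x01\x05"
    frames = [
        _frame(a, 40000, b, 80, 1, b"GET / HTTP/1.1\r\n"),          # stream 0
        _frame(c, 51000, b, 80, 500, b"GET /x HTTP/1.1\r\n"),       # stream 1
        b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x06" + b"\x00" * 28,     # ARP, ignored
        _frame(b, 80, a, 40000, 9017, b"hello"),                    # second half, early
        _frame(b, 80, a, 40000, 9000, b"HTTP/1.1 200 OK\r\n"),      # first half (17 bytes)
        _frame(b, 80, a, 40000, 9017, b"hello"),                    # retransmission
        _frame(b, 80, c, 51000, 7000, b"HTTP/1.1 404 Not Found\r\n"),
        _frame(a, 40000, b, 80, 17, b"Host: a\r\n"),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 1, i, len(f), len(f)) + f
                             for i, f in enumerate(frames))

if __name__ == "__main__":
    capture = build_sample_pcap()
    for direction, data in sorted(follow_tcp_stream(capture, 0).items()):
        print("%s:%d -> %s:%d  %r" % (direction + (data,)))
```

Running the script prints the two directions of stream 0 with the out-of-order segment put back in place and the duplicate "hello" dropped, which is exactly the view the Follow TCP Stream dialog gives you; export_stream produces the same five-frame file that File | Save As with Displayed would write for the filter tcp.stream eq 0. The same two operations can be done without the GUI in recent tshark releases with `tshark -r capture.pcap -z follow,tcp,ascii,0` and `tshark -r capture.pcap -Y "tcp.stream eq 0" -w stream0.pcap`.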

The Wireshark toolbar icons also provide some quick navigation options for moving through the captured packets. These icons include:

  • Go back in packet history (1): This option takes you back to the previously analysed/selected packet. Clicking it repeatedly keeps stepping back through your selection history.

  • Go forward in packet history (2): This option steps you forward again through the same selection history.

  • Go to packet (3): This option is useful for jumping directly to a specific packet number.

  • Go to the first packet (4): This option takes you to the first packet in the current display of the capture window.

  • Go to last packet (5): This option jumps your selection to the last packet in the capture window.

Summary

In this article, we learned how to isolate a single TCP, UDP or SSL conversation with the Follow stream options, how the tcp.stream filter identifies that conversation, how to save only the packets of one stream, and how to navigate a capture with the packet history and go-to icons.
