HakTip 120 – Wireshark 101: TCP Streams and Objects

On this week’s episode of HakTip, Shannon Morse describes TCP Streams and how to decode packets in several formats.


While running a packet capture in Wireshark, you may find that although the packets are all in one nice long list, some of them match up with others. An example would be a user visiting multiple sites: you’ll have a whole series of packets dedicated to one site, and another series dedicated to another site. They’ll both end up in this long list in the order they were captured, but they belong to different streams. If you want to follow a specific stream of packets, right click the packet and choose “Follow TCP Stream” or “Follow UDP Stream”. A new window will open and the filter will update in your main window. It’ll say “tcp.stream eq #”. tcp.stream is self explanatory; eq # means the filter matches only packets whose stream number equals the one you followed, so the packet list is narrowed to that single conversation. Under the “Go” menu, you can move around or use keyboard shortcuts to get to specific packets in your new stream.

Within that new TCP Stream window, you’ll see a listing of information about the packet stream that you just followed. This’ll show you the entire conversation, or you can break it down into parts (one direction at a time). You can change the view from Raw data, to C Arrays, a Hex dump, EBCDIC, or ASCII. EBCDIC (Extended Binary Coded Decimal Interchange Code) is an 8-bit character encoding used mainly on IBM mainframe and IBM midrange computer operating systems, just FYI… 🙂

Right click on any packet and go to Decode As. This will allow you to decode any packet as another protocol. If you have a packet on the transport layer, you can decode it as any user specified protocol. Same with network and link. Each of these borrows from the OSI Model layers, so you’ll notice some similarities there!

Another cool option I wanted to share is the HTTP object list. Go to File —> Export Objects —> HTTP and you’ll get a listing of all of the objects carried in your HTTP packets, which you can then save for later use. If I click on a .png that was downloaded… and click Save As… you’ll now see the actual image saved on your desktop! Neat!
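To show what Wireshark is doing behind “Follow TCP Stream” and “Export Objects —> HTTP”, here is an added, self-contained Python example (not code from the show or from Wireshark). It builds a few raw Ethernet/IPv4/TCP frames inline as a constructed capture, numbers conversations the way tcp.stream does (one index per endpoint pair, in order of first appearance), reassembles each direction by sequence number (including an out-of-order body segment and a retransmitted header, which a naive “just concatenate in capture order” would get wrong), and then pulls the PNG body out of the HTTP response. The hosts, ports and the 12-byte “image” are made-up values; checksums are left at zero and not verified.

```python
"""Constructed example: tcp.stream numbering, Follow TCP Stream reassembly,
and HTTP object extraction done by hand on raw frames.
Not Wireshark's code; all packets below are built inline so this runs offline."""
import struct
from collections import defaultdict


def _ip(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_frame(src, dst, seq, payload=b""):
    """Assemble Ethernet + IPv4 + TCP (checksums zeroed; parse_frame ignores them)."""
    (src_ip, sport), (dst_ip, dport) = src, dst
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip(src_ip), _ip(dst_ip))
    eth = bytes(12) + b"\x08\x00"          # zeroed MACs, EtherType IPv4
    return eth + ip + tcp


def parse_frame(frame):
    """Return the TCP fields Follow needs, or None for non-IPv4/non-TCP frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                          # protocol 6 = TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total]
    sport, dport, seq, _ack, doff = struct.unpack("!HHIIB", tcp[:13])
    return {"src": (src, sport), "dst": (dst, dport), "seq": seq,
            "payload": tcp[(doff >> 4) * 4:]}


def index_streams(frames):
    """Wireshark-style tcp.stream numbers: one per endpoint pair, in order of first sight."""
    stream_ids, streams = {}, defaultdict(list)
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        key = frozenset([pkt["src"], pkt["dst"]])   # same pair in either direction
        idx = stream_ids.setdefault(key, len(stream_ids))
        streams[idx].append(pkt)
    return streams


def follow_stream(segments):
    """Reassemble each direction by sequence number; retransmitted bytes are dropped.
    Sequence wrap-around and gaps (lost segments) are not modelled here."""
    by_dir = defaultdict(list)
    for pkt in segments:
        if pkt["payload"]:
            by_dir[(pkt["src"], pkt["dst"])].append(pkt)
    conversation = {}
    for direction, pkts in by_dir.items():
        pkts.sort(key=lambda p: p["seq"])
        data, expected = b"", pkts[0]["seq"]
        for p in pkts:
            new = p["payload"][expected - p["seq"]:] if p["seq"] < expected else p["payload"]
            data += new
            expected = max(expected, p["seq"] + len(p["payload"]))
        conversation[direction] = data
    return conversation


def export_http_objects(frames):
    """Pair each GET with its response body, like File > Export Objects > HTTP."""
    objects = {}
    for idx, segs in index_streams(frames).items():
        conv = follow_stream(segs)
        request = next((d for d in conv.values() if d.startswith(b"GET ")), None)
        response = next((d for d in conv.values() if d.startswith(b"HTTP/")), None)
        if not request or not response:
            continue
        path = request.split(b" ", 2)[1].decode()
        head, _, body = response.partition(b"\r\n\r\n")
        length = len(body)
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-length:"):
                length = int(line.split(b":", 1)[1].strip())
        if body[:length]:
            objects[(idx, path)] = body[:length]
    return objects


# Constructed capture: two interleaved conversations from one client (made-up addresses).
CLIENT, SERVER, OTHER = ("10.0.0.5", 51000), ("203.0.113.10", 80), ("203.0.113.20", 80)
REQ = b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 12\r\n\r\n"
PNG = b"\x89PNG\r\n\x1a\nDATA"                       # PNG signature + 4 filler bytes
CAPTURE = [
    build_frame(CLIENT, SERVER, 1000, REQ),             # stream 0, request
    build_frame(CLIENT, OTHER, 5000, b"GET / HTTP/1.1\r\n\r\n"),   # stream 1
    build_frame(SERVER, CLIENT, 2000 + len(HDR), PNG),  # stream 0, body arrives early
    build_frame(SERVER, CLIENT, 2000, HDR),             # stream 0, headers
    build_frame(SERVER, CLIENT, 2000, HDR),             # stream 0, retransmitted headers
    build_frame(OTHER, CLIENT, 9000, b"HTTP/1.1 204 No Content\r\n\r\n"),
]

if __name__ == "__main__":
    streams = index_streams(CAPTURE)
    for idx, segs in streams.items():
        print(f"tcp.stream eq {idx}:", follow_stream(segs))
    print("exported objects:", export_http_objects(CAPTURE))
```

Running it prints the two reassembled conversations and a single exported object, (0, '/logo.png'), whose bytes are the PNG body in the correct order despite the segments having been captured out of order and once retransmitted. That is the same reason the Follow window shows clean text while the packet list looks scrambled.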

Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.

1 Comment

  • Jonsthan Forsberg

    Hi Shannon!
    I love what you guys are doing and I wanted to share my terminal shortcut of the week!
    This command clears the screen, instead of typing clear all the time, this saves like a sec of work 🙂
    works in ubuntu, kali and mint linux as far as I know.
    Keep up the good work yal!! 🙂
    And I hope you get started in the warehouse real soon.

  • GitaIErtel

    Excellent goods from you, man. I have be aware your stuff prior to and you’re just too fantastic.
    I really like what you have bought right here, really like what you’re saying and the best way by
    which you say it. You are making it entertaining and you continue
    to care for to keep it smart. I can not wait to
    read far more from you. This is actually a wonderful web site.

  • CarmonOWrench

    Unquestionably consider that that you stated.
    Your favorite justification seemed to be on the net
    the easiest factor to consider of. I say to you, I definitely get annoyed whilst people consider
    concerns that they just do not understand about.
    You managed to hit the nail upon the highest and defined out the whole thing with no need side-effects , other
    folks could take a signal. Will likely be back to get more.
    Thank you
