Table of Contents for
Mastering Wireshark 2

Mastering Wireshark 2 by Andrew Crouthamel, published by Packt Publishing, 2018
  1. Mastering Wireshark 2
  2. Title Page
  3. Copyright and Credits
  4. Mastering Wireshark 2
  5. Packt Upsell
  6. Why subscribe?
  7. PacktPub.com
  8. Contributor
  9. About the author
  10. Packt is searching for authors like you
  11. Table of Contents
  12. Preface
  13. Who this book is for
  14. What this book covers
  15. To get the most out of this book
  16. Download the color images
  17. Conventions used
  18. Get in touch
  19. Reviews
  20. Installing Wireshark 2
  21. Installation and setup
  22. Installing Wireshark on Windows
  23. Installing Wireshark on macOS
  24. Installing Wireshark on Linux
  25. Summary
  26. Getting Started with Wireshark
  27. What's new in Wireshark 2?
  28. Capturing traffic
  29. How to capture traffic
  30. Saving and exporting packets
  31. Annotating and printing packets
  32. Remote capture setup
  33. Prerequisites
  34. Remote capture usage
  35. Summary
  36. Filtering Traffic
  37. Berkeley Packet Filter (BPF) syntax
  38. Capturing filters
  39. Displaying filters
  40. Following streams
  41. Advanced filtering
  42. Summary
  43. Customizing Wireshark
  44. Preferences
  45. Appearance
  46. Layout
  47. Columns
  48. Fonts and colors
  49. Capture
  50. Filter buttons
  51. Name resolution
  52. Protocols
  53. Statistics
  54. Advanced
  55. Profiles
  56. Colorizing traffic
  57. Examples of colorizing traffic
  58. Example 1
  59. Example 2
  60. Summary
  61. Statistics
  62. TCP/IP overview
  63. Time values and summaries
  64. Trace file statistics
  65. Resolved addresses
  66. Protocol hierarchy
  67. Conversations
  68. Endpoints
  69. Packet lengths
  70. I/O graph
  71. Load distribution
  72. DNS statistics
  73. Flow graph
  74. Expert system usage
  75. Summary
  76. Introductory Analysis
  77. DNS analysis
  78. An example for DNS request failure
  79. ARP analysis
  80. An example for ARP request failure
  81. IPv4 and IPv6 analysis
  82. ICMP analysis
  83. Using traceroute
  84. Summary
  85. Network Protocol Analysis
  86. UDP analysis
  87. TCP analysis I
  88. TCP analysis II
  89. Graph I/O rates and TCP trends
  90. Throughput
  91. I/O graph
  92. Summary
  93. Application Protocol Analysis I
  94. DHCP analysis
  95. HTTP analysis I
  96. HTTP analysis II
  97. FTP analysis
  98. Summary
  99. Application Protocol Analysis II
  100. Email analysis
  101. POP and SMTP
  102. 802.11 analysis
  103. VoIP analysis
  104. VoIP playback
  105. Summary
  106. Command-Line Tools
  107. Running Wireshark from a command line
  108. Running tshark
  109. Running tcpdump
  110. Running dumpcap
  111. Summary
  112. A Troubleshooting Scenario
  113. Wireshark plugins
  114. Lua programming
  115. Determining where to capture
  116. Capturing scenario traffic
  117. Diagnosing scenario traffic
  118. Summary
  119. Other Books You May Enjoy
  120. Leave a review - let other readers know what you think

Following streams

In the previous section, we went over how to use display filters to limit what you see in a packet capture. In this section, we'll build on that and follow streams. What that means is that Wireshark pulls one TCP connection or one UDP conversation out of the capture and shows us just the data exchanged between its two endpoints, in order, so that we can read each communication on its own. What we have is a packet capture of opening the Cisco home page (https://www.cisco.com/). When this capture was taken, the page was served over plain HTTP rather than TLS, so we can read all of the HTTP communications within it without having to supply a TLS (SSL) key to decrypt them. (The site redirects to HTTPS today; to get the same plaintext view of a TLS site you would have to log the session keys, for example with the browser's SSLKEYLOGFILE variable, and point Wireshark at that file in the SSL/TLS protocol preferences. Following an HTTPS stream without that only shows you the encrypted TLS records.)

In the beginning, we can see the DNS query for www.cisco.com and its response, and then the TCP three-way handshake. Then, the client starts retrieving files over HTTP, beginning with the HTML. Now, we could of course apply what we learned in the last section, and go up to the top and create a display filter for the web server as the host and TCP as the protocol, with some other parameters to narrow down what we want to see, but we'd still have a whole lot of data. You can see this is a very large capture, just to load one web page.

So, how can we pick out individual communications within this packet capture? One thing you'll note is that a web page is made of multiple files: the HTML itself, graphics, CSS files, JavaScript, or whatever else the browser needs to retrieve in order to build the page that you see. Each of these retrievals is its own communication, and in this capture each one is also its own TCP connection, which Wireshark calls a TCP stream. (With HTTP keep-alive, a browser may reuse one connection for several files; in that case, following the stream shows several request/response pairs one after another.) So, what we need to do to follow a TCP or UDP stream is to select any packet within the capture that belongs to the stream we wish to view, and then follow the stream from there.

So, let's choose one of the graphics, spinner.gif. As shown in the following screenshot, we'll right-click on its HTTP packet and go to Follow | TCP Stream:

By default, the data is shown as ASCII, and that's usually what you want, because a lot of the traffic you're looking at is text-based. You can change that at the bottom of the dialog, where it says Show data as ASCII; the drop-down box offers other formats, such as Hex Dump, C Arrays, and Raw. We'll leave it as ASCII, since we're looking at HTTP traffic, although the body of the GIF itself will render as unreadable characters in this view; for binary payloads, Hex Dump is easier to read, and if you want the file itself, File | Export Objects | HTTP will extract it from the capture. You can see here that we have red and blue text. Red is data sent by the client and blue is data sent by the server, and the totals appear at the bottom, where it says 16 client pkt(s), 228 server pkt(s):

The drop-down box next to the packet counts lets us choose which direction to look at: the entire conversation, only what the client sent, or only what the server sent. As we scroll down in this data view, you will see the blue and red of the client and the server alternating as they send their packets back and forth. And, as you may have noted in one of the earlier sections, if you click on the data, Wireshark jumps to the corresponding packet in the packet list. Notice also that following the stream applied a display filter for you, tcp.stream eq N, where N is Wireshark's index for that connection; you can type that filter yourself later to get back to the same conversation, and the Filter Out This Stream button negates it, hiding this conversation so you can work through the rest of the capture. An additional feature of following a TCP stream is that you can Print or Save as... the stream data, so you can export it in the format currently selected in Show data as.

You can also follow UDP streams.

UDP streams are less well-defined than TCP streams, though, so following one may not always give a clean result, but Wireshark does the best that it can. The difference is that TCP is a reliable, connection-oriented protocol with sequence numbers, so Wireshark can put the segments in order, drop retransmissions, and present one continuous byte stream in each direction. UDP has no connection and no sequence numbers, so a UDP stream is simply every datagram exchanged between the same pair of addresses and ports, shown in the order they were captured; lost, duplicated, or reordered datagrams appear exactly as they arrived.

Now, you can do the same thing as with following TCP traffic, that is, right-click on a UDP packet (a DNS query, say) and go to Follow, and you can see that UDP Stream is available for us to click on.

Select UDP Stream and the same dialog appears, with the datagram data in the top pane. Whether the ASCII view is useful depends on what kind of data it is: DNS, for example, is a binary protocol, so most of it shows up as dots, with the queried name readable in the middle. All of the same features as following a TCP stream are available, including the direction drop-down, Show data as, Print, and Save as..., and the display filter applied is udp.stream eq N.
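To make concrete what Wireshark does when you follow a TCP stream and when you follow a UDP stream, here is an added example, written for this section rather than taken from the book or from Wireshark's own code. It groups hand-built packets into numbered streams the way the tcp.stream and udp.stream indexes do, reassembles the TCP conversation by sequence number (dropping a retransmission and reordering a segment that arrived early), shows the UDP conversation in capture order with its duplicate left in, and renders the result roughly as the Follow dialog's ASCII and Hex Dump views do. Everything in it is constructed: the addresses, ports, sequence numbers, and DNS answer are sample values, and the Packet and Stream record types and the function names are the example's own, not Wireshark APIs. The command-line equivalent of the dialog is tshark's -z follow,tcp,ascii,N (or follow,udp,...) option.

```python
"""Follow TCP and UDP streams over hand-built packets. Added example for this
section, not the book's or Wireshark's code: all packets, addresses, ports and
the DNS answer are constructed, and the names used here are this example's own."""
from collections import defaultdict, namedtuple

# src/dst are (ip, port); seq and flags only matter for TCP.
Packet = namedtuple("Packet", "proto src dst seq flags payload")
Stream = namedtuple("Stream", "proto number packets")

def index_streams(packets):
    """Group packets the way tcp.stream/udp.stream do: both directions of one
    address/port pair are one stream, numbered per protocol by first appearance."""
    by_key, order, counters = {}, [], defaultdict(int)
    for p in packets:
        key = (p.proto, *sorted([p.src, p.dst]))        # direction-independent
        if key not in by_key:
            by_key[key] = Stream(p.proto, counters[p.proto], [])
            counters[p.proto] += 1
            order.append(by_key[key])
        by_key[key].packets.append(p)
    return order

def follow_tcp(packets):
    """Reassemble one TCP conversation into (side, bytes) chunks as Follow TCP
    Stream shows it: the sender of the first packet is the client, retransmitted
    bytes are dropped, and a segment ahead of a gap waits until the gap fills."""
    client = packets[0].src
    expected, pending, out = {}, defaultdict(dict), []
    for p in packets:
        side = "client" if p.src == client else "server"
        if "SYN" in p.flags:
            expected[side] = p.seq + 1                  # SYN uses one sequence number
            continue
        if not p.payload:                               # bare ACKs show nothing
            continue
        seq, data = p.seq, p.payload
        nxt = expected.setdefault(side, seq)            # no SYN seen: sync on first data
        if seq < nxt:                                   # full or partial retransmission
            overlap = nxt - seq
            if overlap >= len(data):
                continue
            seq, data = nxt, data[overlap:]
        if seq > nxt:                                   # out of order: park it
            pending[side][seq] = data
            continue
        out.append((side, data))
        expected[side] = seq + len(data)
        while expected[side] in pending[side]:          # release what the gap blocked
            data = pending[side].pop(expected[side])
            out.append((side, data))
            expected[side] += len(data)
    return out

def follow_udp(packets):
    """UDP has no sequence numbers, so a 'stream' is just the datagrams of one
    address/port pair in capture order; duplicates and reordering are kept."""
    return [("client" if p.src == packets[0].src else "server", p.payload)
            for p in packets if p.payload]

def follow(stream):
    return (follow_tcp if stream.proto == "tcp" else follow_udp)(stream.packets)

def show_data_as(chunks, mode="ascii"):
    """Render like the Show data as drop-down: ASCII dots out non-printables."""
    def fmt(data):
        if mode == "hex":
            return data.hex(" ")
        return "".join(chr(b) if 32 <= b < 127 or b in (10, 13) else "." for b in data)
    return "\n".join(f"{side}> {fmt(data)}" for side, data in chunks)

# Constructed sample capture: one DNS lookup, then two HTTP connections.
DNS_CLIENT, RESOLVER = ("10.0.0.5", 40001), ("10.0.0.1", 53)
CLIENT, CLIENT2, WEB = ("10.0.0.5", 51234), ("10.0.0.5", 51235), ("198.51.100.10", 80)
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x03www\x05cisco\x03com\x00\x00\x01\x00\x01")
DNS_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + DNS_QUERY[12:]
                + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc6\x33\x64\x0a")
REQ1 = b"GET /spinner.gif HTTP/1.1\r\n"
REQ2 = b"Host: www.cisco.com\r\n\r\n"
RESP1 = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
RESP2 = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
C_ISN, S_ISN = 1000, 5000
SAMPLE_CAPTURE = [
    Packet("udp", DNS_CLIENT, RESOLVER, 0, (), DNS_QUERY),
    Packet("udp", DNS_CLIENT, RESOLVER, 0, (), DNS_QUERY),                  # client retry
    Packet("udp", RESOLVER, DNS_CLIENT, 0, (), DNS_RESPONSE),
    Packet("tcp", CLIENT, WEB, C_ISN, ("SYN",), b""),
    Packet("tcp", WEB, CLIENT, S_ISN, ("SYN", "ACK"), b""),
    Packet("tcp", CLIENT, WEB, C_ISN + 1 + len(REQ1), ("PSH", "ACK"), REQ2),  # arrives early
    Packet("tcp", CLIENT, WEB, C_ISN + 1, ("PSH", "ACK"), REQ1),
    Packet("tcp", WEB, CLIENT, S_ISN + 1, ("PSH", "ACK"), RESP1),
    Packet("tcp", WEB, CLIENT, S_ISN + 1, ("PSH", "ACK"), RESP1),                 # retransmit
    Packet("tcp", WEB, CLIENT, S_ISN + 1 + len(RESP1), ("PSH", "ACK"), RESP2),
    Packet("tcp", CLIENT2, WEB, 7001, ("PSH", "ACK"), b"GET /logo.png HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for s in index_streams(SAMPLE_CAPTURE):
        print(f"== {s.proto}.stream eq {s.number} ==\n" + show_data_as(follow(s)))
```

Running it prints udp.stream 0 (the DNS query twice, then the answer, mostly dots in the ASCII view with www.cisco.com readable), tcp.stream 0 (the spinner.gif request and response in the right order, with the retransmitted headers shown once), and tcp.stream 1 (the second connection on its own). The second client port becoming a separate stream is the same reason each file fetched by the browser in the capture above shows up as its own TCP stream.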

In this section, you learned how to follow TCP and UDP streams to pick out specific conversations and data flows within your packet capture. Next up, we have advanced filtering, where we'll get into picking out more nuanced parts of a packet capture, and of individual packets, to enhance your ability to filter your traffic.