Wireshark 101: TCP Streams and Objects, HakTip 120

  • Published on 25 Jul 2024
  • Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:
    ____________________________________________
    On this week's episode of HakTip, Shannon Morse describes TCP Streams and how to decode packets in several formats.
    While running a packet capture in Wireshark, you may find that although the packets are all in one nice long list, some of them belong together. An example: if a user is visiting multiple sites, you'll have a whole series of packets dedicated to one site and another series dedicated to another site. They'll both end up in this long list depending on when they're captured, but they correspond to different streams. If you want to follow a specific stream of packets, right click the packet and choose "Follow TCP Stream" or "Follow UDP Stream". A new window will open and the filter in your main window will update to "tcp.stream eq #". tcp.stream is self explanatory; eq # means the stream index must equal the number of the stream you followed, so only that stream's packets are listed. Under the "Go" menu, you can move around or use keyboard shortcuts to get to specific packets in your new stream.
    Within that new TCP Stream window, you'll see a listing of information about the packet stream you just followed. This shows you the entire conversation, or you can break it down into parts and look at one direction at a time. You can change the view from Raw data to C Arrays, a Hex dump, EBCDIC, or ASCII. EBCDIC (Extended Binary Coded Decimal Interchange Code) is an 8-bit character encoding used mainly on IBM mainframe and IBM midrange computer operating systems, just FYI... :)
    Right click on any packet and go to Decode As. This lets you decode any packet as another protocol. If you have a packet on the transport layer, you can decode it as any user-specified protocol; the same goes for the network and link layers. Each of these borrows from the OSI Model layers, so you'll notice some similarities there!
    Another cool option I wanted to share is the HTTP object list. Go to File -- Export Objects -- HTTP and you'll get a listing of all the HTTP objects in your capture, which you can then save for later use. If I click on a .png that was downloaded... and click Save As... you'll now see the actual image saved on your desktop! Neat!
    Let me know what you think. Send me a comment below or email us at tips@hak5.org. And be sure to check out our sister show, Hak5 for more great stuff just like this. I'll be there, reminding you to trust your technolust.
    ____________________________________________
    Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community - where all hackers belong.
  • Science & Technology
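To make the three features in the description concrete, here is an added Python example (it is not code from Hak5 or from Wireshark) that models them on a handful of constructed packets: numbering conversations the way the tcp.stream field does, selecting packets as the "tcp.stream eq #" filter does, reassembling both directions of a stream by sequence number as the Follow TCP Stream window does, and pairing a GET with the body of its response the way File -- Export Objects -- HTTP does. The addresses, ports, sequence numbers and payloads are all made up for the example, and the model deliberately skips the retransmission, overlap and port-reuse handling that Wireshark performs.

```python
"""Toy model of Wireshark's tcp.stream numbering, the 'tcp.stream eq N'
display filter, Follow TCP Stream and Export Objects > HTTP.

Added example, not Wireshark code. Every packet below is constructed:
(src, sport, dst, dport, relative seq, payload), listed in capture order."""
from collections import defaultdict
import re

REQ_A = b"GET /logo.png HTTP/1.1\r\nHost: example.com\r\n\r\n"
RESP_A1 = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
           b"Content-Length: 22\r\n\r\nPNG-BYTES-1")
RESP_A2 = b"PNG-BYTES-2"
REQ_B = b"GET /b.txt HTTP/1.1\r\nHost: b.test\r\n\r\n"
RESP_B = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
          b"Content-Length: 5\r\n\r\nhello")

PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, 1, b""),          # SYN, becomes stream 0
    ("192.0.2.10", 80, "10.0.0.5", 40001, 1, b""),          # SYN-ACK
    ("10.0.0.5", 40002, "198.51.100.7", 80, 1, REQ_B),      # stream 1, interleaved
    ("10.0.0.5", 40001, "192.0.2.10", 80, 2, REQ_A),        # data starts after SYN
    # second response chunk was captured before the first (reordered on the wire)
    ("192.0.2.10", 80, "10.0.0.5", 40001, 2 + len(RESP_A1), RESP_A2),
    ("192.0.2.10", 80, "10.0.0.5", 40001, 2, RESP_A1),
    ("198.51.100.7", 80, "10.0.0.5", 40002, 1, RESP_B),
]


def assign_stream_indexes(packets):
    """One tcp.stream index per packet, numbered from 0 in order of first
    appearance of each conversation, as Wireshark does. Both directions
    share one index. Simplification: a reused address/port 4-tuple would
    be merged here, whereas Wireshark starts a new stream on a new SYN."""
    indexes = {}
    result = []
    for src, sport, dst, dport, _seq, _payload in packets:
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent
        if key not in indexes:
            indexes[key] = len(indexes)
        result.append(indexes[key])
    return result


def filter_stream(packets, n):
    """Equivalent of the display filter 'tcp.stream eq n'."""
    return [p for p, i in zip(packets, assign_stream_indexes(packets)) if i == n]


def follow_tcp_stream(packets, n):
    """Reassemble both directions of stream n by sequence number, like the
    Follow TCP Stream window. The client is whoever sent the first packet.
    Retransmissions and overlapping segments are not handled here."""
    segs = filter_stream(packets, n)
    client = segs[0][:2]
    directions = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segs:
        name = "client->server" if (src, sport) == client else "server->client"
        directions[name].append((seq, payload))
    return {name: b"".join(p for _s, p in sorted(chunks, key=lambda c: c[0]))
            for name, chunks in directions.items()}


HTTP_REQ = re.compile(rb"^GET (\S+) HTTP/1\.[01]\r\n")
CONTENT_LENGTH = re.compile(rb"\r\nContent-Length: (\d+)\r\n", re.IGNORECASE)
CONTENT_TYPE = re.compile(rb"\r\nContent-Type: ([^\r\n]+)\r\n", re.IGNORECASE)


def export_http_objects(packets):
    """Model of File > Export Objects > HTTP: for each stream, pair the GET
    path with the response body, cut to Content-Length. Only streams with
    a single request and a Content-Length header are handled."""
    objects = []
    for n in range(max(assign_stream_indexes(packets)) + 1):
        stream = follow_tcp_stream(packets, n)
        req = HTTP_REQ.match(stream.get("client->server", b""))
        resp = stream.get("server->client", b"")
        sep = resp.find(b"\r\n\r\n")
        if not req or sep < 0:
            continue
        headers, body = resp[:sep + 2], resp[sep + 4:]
        length = CONTENT_LENGTH.search(headers)
        if not length:
            continue
        ctype = CONTENT_TYPE.search(headers)
        objects.append({
            "stream": n,
            "path": req.group(1).decode(),
            "content_type": ctype.group(1).decode() if ctype else "unknown",
            "body": body[:int(length.group(1))],
        })
    return objects


if __name__ == "__main__":
    for i, p in zip(assign_stream_indexes(PACKETS), PACKETS):
        print(f"tcp.stream == {i}: {p[0]}:{p[1]} -> {p[2]}:{p[3]} seq={p[4]} len={len(p[5])}")
    for obj in export_http_objects(PACKETS):
        print(obj["stream"], obj["path"], obj["content_type"], len(obj["body"]), "bytes")
```

Running it prints each packet with its stream number (the two conversations interleave in capture order but get indexes 0 and 1) and then the two exported objects: /logo.png as a 22-byte image/png whose two chunks were put back in order despite arriving reversed, and /b.txt as 5 bytes of text/plain. The point for anyone inspecting a capture is that the stream number is a conversation counter, not a packet number, and that "Export Objects" is just this reassembly plus HTTP header parsing.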

Comments • 36

  • @hak5
    @hak5 9 years ago +48

    • @EricOliver
      @EricOliver 9 years ago

      Have you checked out steelcentral software from riverbed? Pretty neat tool to display aspects of a packet capture with a graphical interface.

    • @ernststavroblofeld1961
      @ernststavroblofeld1961 9 years ago

      And who was now behind "refinery dot something?" 1:15

  • @CarsAndGadgetsAu
    @CarsAndGadgetsAu 9 years ago

    Ahh... My favorite tech tips show by my favorite hosts :-)
    I learned about da packets today.

  • @thedailygrind1324
    @thedailygrind1324 3 years ago

    Thank you so much for the video, This really helped me out in a final project I was working on.

  • @shalabhgoel433
    @shalabhgoel433 4 years ago

    Thanks for the video. Nicely explained

  • @elmasalangy3247
    @elmasalangy3247 5 years ago

    @7:44 your reactions are so amazing, i love it Shannon :D :D :D

  • @JesseDahirKanehl
    @JesseDahirKanehl 9 years ago +2

    I just used this to get a bunch of points for a hacking competition. Thanks Shannon!

    • @ShannonMorse
      @ShannonMorse 9 years ago

      woohoo! Glad it helped :)

  • @petegeorgopoulos1088
    @petegeorgopoulos1088 8 years ago

    hey. first off thank you for the info. you cleared up a lot for me. the only question i have is, what would be the best way to view packet info without having to save then open each? is there a preview feature, or maybe a viewer program?

  • @anonymous-tx5lm
    @anonymous-tx5lm 9 years ago

    good program, I've been using this for years.

  • @evolve101
    @evolve101 9 years ago

    ;) Also learned something new. Had no idea you could save images from wireshark. etc etc. Nice vid. thnx

  • @playerone2424
    @playerone2424 9 years ago

    CISCO classes brush over Wireshark so this series is an awesome supplement to the training! Also, keep the glasses Shannon. ;)

    • @ShannonMorse
      @ShannonMorse 9 years ago

      My glasses are a slightly different prescription than my contacts, so they totally throw me off! But sometimes, my eyes need the rest from contacts. :P

  • @fahadmalik6330
    @fahadmalik6330 5 years ago

    i want to analyze a youtube video through wireshark. i need a video link or any reference video from which i can get the information on how to read all the KPIs during the video playback, e.g. analyzing the poor quality result of a youtube video and its reason, analyzing the data transfer during the video, time to display the 1st picture. Plzzzz Help me

  •  9 years ago

    them high pitched tones, it does my head in!

  • @killaurnext
    @killaurnext 8 years ago +1

    10/10.....the video was cool too

  • @Hoverbot1TV
    @Hoverbot1TV 9 years ago

    Hak5 should do a gamergate episode.

  • @notfak
    @notfak 9 years ago +11

    HOTTTTTT

  • @lolo2lolo491
    @lolo2lolo491 4 years ago

    i thought this was about decoding tcp stream ?

  • @cjcanton9121
    @cjcanton9121 4 years ago +3

    I've been working with Wireshark since 2014 and I never imagined there would be a hot girl teaching me about it

  • @symonxd
    @symonxd 3 years ago

    BOOBA (oh dang this vid from 2014 wow)

  • @chrisanders666
    @chrisanders666 9 years ago +2

    can you do a Wireshark HakTip explaining switched networks.. and how that does not work.

    • @ShannonMorse
      @ShannonMorse 9 years ago +2

      Ahh, switches. Switches and hubs make networks act weird. Yes! That would be a good subject to define. Thanks!

    • @chrisanders666
      @chrisanders666 9 years ago +2

      Shannon Morse Sweet!! I love this series by the way.. I actually took a Wireshark Course with one of the (many) developers teaching it. Your teaching methods and subjects you choose to cover really help connect the dots. My biggest confusion was switched networks and hubs.. even after knowing what they did I got a wee bit confused when using Wireshark. Thank you, Shannon!

    • @skjalglandsem7440
      @skjalglandsem7440 8 years ago

      +Shannon Morse Eh, just how do switches and hubs (they are not used anymore by the way) make networks weird? They are the very definition of networks - can you show me a network without a switch?

    • @chrisanders666
      @chrisanders666 8 years ago

      +Skjalg Landsem How are hubs not used anymore if I have one right in front of me.. Hubs just distribute all traffic to connected devices. Switches are port specific. If you have switches VLAN'd out things get weird. That's what I was talking about.

    • @skjalglandsem7440
      @skjalglandsem7440 8 years ago

      If you have a "true" hub in front of you - hang on to it! You can't buy them anymore and the highest throughput you can get from the old 3Com hubs is 10Mb I believe.
      I'll get back to you on how switched networks work. Are you interested in switching in general or just VLAN propagation over a switched/routed network?

  • @THE16THPHANTOM
    @THE16THPHANTOM 7 years ago

    it was weird hearing OSI pronounced O S I. we just pronounce it ozi, ozi model.

    • @hak5
      @hak5 7 years ago +2

      Really? Weird! I was taught in school it was pronounced O S I. I guess everyone pronounces things differently. - Shannon

  • @Mac-ew1gv
    @Mac-ew1gv 5 years ago

    I would love to take more lessons in wireshark with her lol

  • @pocodedo
    @pocodedo 9 years ago +3

    @1:40 you selected packet 1382 and follow TCP stream. @2:13 you say tcp.stream eq 105 means packet 105 - but you selected packet 1382. What? 105 means the one-hundred-fifth occurrence of a TCP stream in this capture. Teaching the wrong thing is not better than teaching nothing at all. And this is not free since we have to sit through all the ads.

  • @pocodedo
    @pocodedo 9 years ago

    @2:03 a TCP stream is a byte stream, not a packet stream - that would be closer to a UDP stream. How can you teach somebody to use a tool with the wrong fundamentals?

    • @skjalglandsem7440
      @skjalglandsem7440 8 years ago +1

      +pocodedo A TCP stream is the collection of all segments belonging to a unique "pair of IP addresses and port numbers". If you get the entire stream, it always begins with empty data parts of the segments with only the SYN, SYN-ACK and finally ACK bit set (3-way handshake) in the TCP flags. TCP streams will eventually end in a FIN, FIN-ACK, ACK or a plain RST. Given a large enough trace file, that unique combination of IP addresses and port numbers will be reused - Wireshark detects this and warns you. Btw: it is not wise to choose a TCP segment from early in the trace file to showcase TCP streams. The earlier in the trace file, the less chance of the stream having the 3-way handshake in it.