Wireshark Basics – Complete Beginner to Advanced Guide
CHAPTER 12 Beginner

Following TCP Streams

Updated: May 16, 2026

1. Introduction

When you download an image from a website, the image does not travel across the internet as a single file. As we learned in Chapter 3, the file is chopped into thousands of 1500-byte packets. In the Wireshark Packet List, these thousands of packets are scattered chronologically among all the other noisy traffic on your network. Reading the data packet-by-packet is practically impossible for a human. Fortunately, Wireshark possesses a magical feature called "Follow TCP Stream." In this chapter, we will learn how Wireshark utilizes sequence numbers to instantly reassemble chopped packets, completely reconstructing full conversations, HTML code, and downloaded files exactly as the end-user saw them.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Understand the mechanical concept of TCP stream reconstruction.
  • Utilize the "Follow TCP Stream" feature to read unencrypted HTTP payloads.
  • Differentiate between Client-to-Server traffic (Red) and Server-to-Client traffic (Blue) in the stream window.
  • Apply stream index filtering (e.g., tcp.stream eq 0).
  • Extract and save raw files (like images or text) directly from a packet capture.

3. Beginner-friendly Explanations

The Shredded Document: Imagine a spy steals a top-secret document, shreds it into 1,000 tiny strips of paper, numbers each strip sequentially, and mails them all in separate envelopes to headquarters.
  • The Packet List pane: This is a chaotic pile of 1,000 envelopes mixed with other people's mail.
  • Follow TCP Stream: This is the master analyst at headquarters. The analyst finds the first envelope, looks at the sequence number, grabs the other 999 envelopes out of the pile, tapes all the shredded strips perfectly back together in order, and hands you the fully readable document on a silver platter.

4. How to Follow a Stream

  1. Identify an interesting packet in the list (e.g., an HTTP GET request or an FTP connection).
  2. Right-click that specific packet.
  3. Select Follow -> TCP Stream.
  4. A large text window will instantly pop up.

The Stream Window Layout: Wireshark strips away all the MAC addresses, IP headers, and TCP flags. It *only* shows you the Layer 7 Application Data payload.

  • Text colored Red is data sent by the Client (e.g., your browser asking for a file).
  • Text colored Blue is data sent by the Server (e.g., the web server delivering the HTML code).

If you follow an HTTP stream, you will literally read the conversational flow: The red text asks for /index.html, and the blue text replies with <html><body>Welcome!</body></html>.

5. Stream Filtering and Session Tracking

When you click "Follow TCP Stream," look at the main Wireshark window behind the pop-up. Wireshark automatically applies a new display filter to the top bar: tcp.stream eq 0 (or eq 1, eq 2, etc.).

Every time Wireshark sees a new 3-Way Handshake, it assigns it a "Stream Index" number. By applying this filter, Wireshark hides every packet on the network *except* the specific packets involved in this exact conversation. This is the ultimate way to isolate a single user's session from the background noise.
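The two mechanisms described above (numbering each connection as a stream, then stitching one stream's payload back together by sequence number) can be shown on a constructed set of segments. This is an added illustration, not Wireshark's own code; the segments, addresses and relative sequence numbers are made up, and the `[N bytes missing]` marker for a hole in the capture is this example's convention, not Wireshark's.

```python
from collections import namedtuple

# Constructed sample, not a real capture: one TCP segment with its 4-tuple,
# relative sequence number (Wireshark style: first data byte = 1) and payload.
Segment = namedtuple("Segment", "src sport dst dport seq payload")

def stream_key(seg):
    """Direction-independent 4-tuple so both sides map to the same stream."""
    return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))

def assign_stream_indices(segments):
    """Number connections in order of first appearance, like tcp.stream."""
    indices = {}
    for seg in segments:
        indices.setdefault(stream_key(seg), len(indices))
    return indices

def reassemble(chunks):
    """Join {seq: payload} for one direction in sequence order, trimming
    retransmitted overlap and marking bytes that were never captured."""
    data, expected = b"", None
    for seq in sorted(chunks):
        payload = chunks[seq]
        if expected is None:
            expected = seq
        if seq > expected:                      # hole: segment missing from capture
            data += b"[%d bytes missing]" % (seq - expected)
        elif seq < expected:                    # retransmission overlapping data we have
            payload = payload[expected - seq:]
        data += payload
        expected = max(seq, expected) + len(payload)
    return data

def follow_stream(segments, index):
    """Return {(ip, port): payload} per direction of stream `index`, i.e. the
    client (red) and server (blue) halves of the Follow TCP Stream window."""
    key = next(k for k, i in assign_stream_indices(segments).items() if i == index)
    per_dir = {}
    for seg in segments:
        if stream_key(seg) == key and seg.payload:
            per_dir.setdefault((seg.src, seg.sport), {})[seg.seq] = seg.payload
    return {side: reassemble(chunks) for side, chunks in per_dir.items()}

# Constructed capture: two HTTP connections interleaved; stream 0's request
# arrives out of order and one of its segments is retransmitted.
C, S, C2 = ("10.0.0.5", 51000), ("93.184.216.34", 80), ("10.0.0.5", 51001)
SAMPLE = [
    Segment(*C, *S, 1, b""),                                   # SYN, no data
    Segment(*C2, *S, 1, b"GET /logo.png HTTP/1.1\r\n\r\n"),    # stream 1
    Segment(*C, *S, 27, b"Host: example.com\r\n\r\n"),         # arrives early
    Segment(*C, *S, 1, b"GET /index.html HTTP/1.1\r\n"),
    Segment(*C, *S, 1, b"GET /index.html HTTP/1.1\r\n"),       # retransmission
    Segment(*S, *C, 1, b"HTTP/1.1 200 OK\r\n\r\n<html><body>Welcome!</body></html>"),
]
```

Running `follow_stream(SAMPLE, 0)` yields the complete GET request for the client side and the HTML response for the server side, while stream 1's request stays out of the picture, exactly as the tcp.stream filter isolates one conversation.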

6. Exporting Objects from Streams

If the user downloaded an image over HTTP, you can actually extract the picture from the PCAP file!
  1. Filter the traffic for HTTP.
  2. Go to the top menu: File -> Export Objects -> HTTP.
  3. A window will appear listing every file (images, JavaScript, HTML) transferred in the capture.
  4. Click on an image file and click "Save". You can now open that image on your desktop. *You have successfully reconstructed a file from raw network static!*

7. Advanced: UDP Streams

You can also follow UDP streams (Right-click -> Follow -> UDP Stream). However, as discussed in Chapter 8, UDP usually carries binary or encrypted protocols (like DNS or VoIP media) rather than plaintext. Following a UDP stream will therefore usually result in a window filled with unreadable binary dots and symbols, rather than clean text.

8. Best Practices

  • Switch to ASCII / RAW mode: In the Follow Stream window, there is a dropdown at the bottom. By default, it displays in ASCII (text). If you are analyzing a malware payload that downloaded a binary .exe file, the ASCII view will show unreadable garbage. Switch the dropdown to Raw or Hex Dump to properly analyze binary data transfers.

9. Common Mistakes

  • Trying to Follow Encrypted HTTPS: The most common beginner frustration. A user clicks "Follow TCP Stream" on a packet destined for Port 443 (HTTPS). The window opens, but instead of seeing the webpage, they see a chaotic wall of encrypted garbage. The "Follow Stream" feature reassembles the payload perfectly—but if the payload is encrypted, it perfectly reassembles an encrypted rock. It cannot decrypt without keys.

10. Mini Project: Analyze an HTTP Conversation

*(Use the http.cap sample file from the Wireshark Wiki).*
  1. Open the PCAP file.
  2. Find the very first HTTP GET request.
  3. Right-click it and select Follow -> TCP Stream.
  4. Read the Red text. Note the exact User-Agent (browser) the person was using.
  5. Read the Blue text. Note the Server: header (the software the website was running), and read the raw HTML code of the website that was delivered. You are reading the matrix!

11. Practice Exercises

  1. Explain the mechanical process Wireshark uses (utilizing TCP sequence numbers) to reconstruct a file from hundreds of individual packets.
  2. What do the Red and Blue text colors signify in the Wireshark Follow TCP Stream window?

12. MCQs with Answers

Question 1

When you use the "Follow TCP Stream" feature, what specific layers of the OSI model does Wireshark strip away so you can focus entirely on the payload?

Question 2

When you execute "Follow TCP Stream," Wireshark automatically applies a display filter (e.g., tcp.stream eq 5). What is the purpose of this filter?

13. Interview Questions

  • Q: Describe the forensic value of the "Follow TCP Stream" feature. How does it assist an analyst in investigating unencrypted malware communication?
  • Q: A junior analyst uses "Follow TCP Stream" on traffic targeting Port 443, but complains the output is unreadable gibberish. Explain why this occurs and what is required to fix it.
  • Q: Explain the workflow for using Wireshark to extract and save a complete .jpeg image file that was transmitted over an unencrypted HTTP connection.

14. FAQs

Q: Can I follow a stream if I missed the 3-Way Handshake? A: Yes, but with warnings. If you start your packet capture *after* the connection was established, Wireshark will still try to reassemble the data using the sequence numbers it sees. However, you will miss the initial HTTP headers, and the reconstructed stream might be missing the beginning of the file.

15. Summary

In Chapter 12, we utilized Wireshark's most powerful analytical feature. We learned that while the Packet List shows the shattered fragments of a network transaction, "Follow TCP Stream" meticulously tapes those fragments back together using sequence numbers. We visualized the back-and-forth flow of Layer 7 application data via Red (Client) and Blue (Server) text, bypassing the clutter of IP headers. We recognized that while this tool is devastatingly effective for plaintext HTTP or FTP, it remains blind to the encrypted payloads of modern HTTPS.

16. Next Chapter Recommendation

You know how to read healthy traffic. But what does it look like when the network breaks? Proceed to Chapter 13: Network Troubleshooting with Wireshark.
