TCP Stream Detective Cyber Chronicles

CybersecurityCybersecurityBeginner
Practice Now

Introduction

In this lab, you will learn how to use the "Follow TCP Stream" feature in Wireshark to analyze and inspect TCP traffic. This feature allows you to extract and view the data payload of a specific TCP conversation, which can be helpful in various cybersecurity scenarios, such as investigating suspicious network traffic, analyzing application protocols, or troubleshooting network issues. By the end of this lab, you will have a better understanding of how to use this powerful tool to gain insights into network communications.


Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL cybersecurity(("`Cybersecurity`")) -.-> cybersecurity/WiresharkGroup(["`Wireshark`"]) cybersecurity/WiresharkGroup -.-> cybersecurity/ws_follow_tcp_stream("`Wireshark Follow TCP Stream`") subgraph Lab Skills cybersecurity/ws_follow_tcp_stream -.-> lab-415946{{"`TCP Stream Detective Cyber Chronicles`"}} end

Capture Network Traffic

In this step, you will capture network traffic that includes a TCP conversation to analyze.

  1. Open Wireshark on your Linux machine by running the following command in the terminal:
wireshark
  1. Once Wireshark is open, select the network interface you want to capture traffic from. You can choose the eth1 from the Interface list in the toolbar.

  2. Click the Start button (the blue shark fin icon) to start capturing packets.

  3. Generate some TCP traffic by visiting a website or running a network application that uses TCP. For example, you can open a terminal and use the curl command to fetch a web page:

curl https://labex.io
  1. After capturing enough traffic, stop the capture by clicking the Stop button (the red square icon) in Wireshark.

Follow a TCP Stream

In this step, you will learn how to use the Follow TCP Stream feature to inspect the data payload of a specific TCP conversation.

  1. In Wireshark, locate a TCP conversation in the packet list. You can filter the display to show only TCP packets by typing tcp in the filter toolbar.

  2. Right-click on a packet belonging to the TCP conversation you want to inspect, and select Follow > TCP Stream from the context menu.
    image

  3. A new window will open, displaying the raw data payload of the selected TCP stream. The data is shown in both directions (from client to server and from server to client).

  4. You can switch between different views by selecting options from the Show and save data as dropdown menu. Common options include:

    • ASCII: Displays the data as plain text (for human-readable text data)
    • HEX Dump: Displays the data in hexadecimal format (useful for binary data)
    • C Arrays: Displays the data as C-style character arrays
      image
  5. Explore the different views and try to understand the data being transmitted in the TCP stream.

  6. Click the Print button to print the data payload or the save button to prove your findings.
    image

Save the TCP Stream Data

In this step, you will learn how to save the data payload of a TCP stream to a file for further analysis or sharing.

  1. With the Follow TCP Stream window open, select the desired view (e.g., ASCII, HEX Dump, or C Arrays) from the Show and save data as dropdown menu.

  2. Click the Save As button, or go to File > Save Data As....
    image

  3. In the Save Capture File As dialog, navigate to the /home/labex/project/ directory.

  4. Enter a filename tcp_stream_data.txt and click Save.

  5. The data payload of the selected TCP stream will be saved to the specified file in the chosen format.

  6. You can now open and inspect the saved file using a text editor or other tools for further analysis.

Summary

In this lab, you learned how to use the "Follow TCP Stream" feature in Wireshark to analyze and inspect the data payload of a specific TCP conversation. You captured network traffic, followed a TCP stream, explored different data views, and saved the stream data to a file for further analysis. This skill is valuable in various cybersecurity scenarios, such as investigating suspicious network traffic, analyzing application protocols, or troubleshooting network issues. By mastering this technique, you have gained a powerful tool to gain insights into network communications and enhance your cybersecurity skills.

Other Cybersecurity Tutorials you may like