Follow TCP Streams in Tshark


Introduction

In this lab, you will learn how to analyze TCP streams using Wireshark's command-line tool tshark. You'll practice essential commands to read packet captures, identify TCP conversations, and extract specific stream data for detailed inspection.

The exercises will guide you through verifying capture files, examining protocol details, and saving stream content. By completing this lab, you'll gain practical skills in network traffic analysis using tshark's powerful filtering and statistics features.

Read TCP Capture with -r tcp.pcap

In this step, you will learn how to read a TCP packet capture file using Wireshark's command-line tool tshark. This is the first step in analyzing network traffic from a saved capture file. Understanding how to read packet captures is fundamental to network troubleshooting and analysis.

The -r option in tshark allows you to read packets from a previously saved capture file. Think of it like opening a document - the -r flag tells tshark which "document" (capture file) to open. We'll use a sample file named tcp.pcap located in your ~/project directory.

  1. First, let's verify the capture file exists in the expected location. This is good practice before trying to analyze any file:
ls ~/project/tcp.pcap
  2. Now, we'll use tshark to read the capture file. The basic command without any filters will show you an overview of all network traffic in the file:
tshark -r ~/project/tcp.pcap

This displays a summary view with important columns:

  • Packet number (showing the order of captured packets)
  • Timestamp (when each packet was captured)
  • Source and destination IP addresses
  • Protocol used (TCP, UDP, etc.)
  • Brief information about the packet content
  3. To dive deeper into the packet contents, we can add the -V flag (verbose mode). This shows the complete protocol breakdown of each packet, layer by layer:
tshark -r ~/project/tcp.pcap -V

The verbose output reveals details about:

  • Ethernet layer (MAC addresses)
  • IP layer (source/destination IP, TTL, etc.)
  • TCP layer (ports, sequence numbers, flags)
  • Application layer data (if present)

This detailed view helps you understand exactly what's happening at each network layer during communication.
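Before reading a capture it is worth confirming that the file really is a pcap or pcapng, since tshark -r reports an error on anything else. The script below is an added example, not part of the original lab: it checks the file's magic number, then reads a bounded number of packets so a large capture does not flood the terminal. It assumes the lab's ~/project/tcp.pcap path (overridable through a CAPTURE environment variable that is this example's own convention).

```shell
#!/bin/sh
# Added example, not part of the original lab: sanity-check the capture file
# before handing it to tshark -r. Assumes the lab's ~/project/tcp.pcap path
# (override with the CAPTURE environment variable).

CAPTURE="${CAPTURE:-$HOME/project/tcp.pcap}"

# Print the capture format derived from the first four bytes (the magic number).
# classic pcap: d4c3b2a1 / 4d3cb2a1 (little-endian), a1b2c3d4 / a1b23c4d (big-endian)
# pcapng:       0a0d0d0a
# Returns 1 (and prints "unknown") for anything else, including a missing file.
capture_format() {
    magic=$(od -A n -t x1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|4d3cb2a1|a1b2c3d4|a1b23c4d) echo pcap ;;
        0a0d0d0a)                            echo pcapng ;;
        *)                                   echo unknown; return 1 ;;
    esac
}

# Summary view of the first N packets (default 20); pass -V as the third
# argument for the layer-by-layer view shown in this section.
read_capture() {
    file=$1; count=${2:-20}; verbose=${3:-}
    if ! capture_format "$file" >/dev/null; then
        echo "refusing to read $file: not a pcap/pcapng file" >&2
        return 1
    fi
    tshark -r "$file" -c "$count" $verbose
}

# Only run against the real capture when tshark and the file are both present,
# so the script can also be sourced for its functions alone.
if command -v tshark >/dev/null 2>&1 && [ -r "$CAPTURE" ]; then
    read_capture "$CAPTURE" 20       # overview, as in step 2 of this section
    read_capture "$CAPTURE" 1 -V     # full protocol breakdown of packet 1
fi
```

The -c option limits how many packets tshark reads, which is the usual way to take a first look at a capture of unknown size before running the unbounded commands above.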

Identify Stream Index with -z conv,tcp

In this step, you will learn how to identify TCP conversation streams in a packet capture using Wireshark's tshark with the -z conv,tcp option. This helps analyze communication patterns between hosts.

Before we begin, it's important to understand that TCP streams represent complete conversations between two endpoints. Each stream has a unique index number that helps us isolate and analyze specific communications in a network capture that may contain many simultaneous connections.

The -z conv,tcp option displays a table of all TCP conversations in the capture, showing stream indexes, source/destination addresses, ports, and packet counts. This gives us a high-level overview of all TCP activity in our capture file.

  1. First, let's list all TCP conversations in our capture file:
tshark -r ~/project/tcp.pcap -z conv,tcp

When you run this command, tshark will process the packet capture file and generate a summary of all TCP conversations. The command reads (-r) the specified pcap file and applies the conversation statistics option (-z conv,tcp).

  2. The output will show a table with columns:

    • Stream index (unique identifier for each TCP stream)
    • Source address:port (showing which device initiated the connection)
    • Destination address:port (showing the receiving device)
    • Packets in each direction (helping identify traffic flow)
    • Total packets (giving the conversation size)
  3. To filter and see only the conversation statistics (without packet details), add -q (quiet mode):

tshark -r ~/project/tcp.pcap -z conv,tcp -q

The -q option tells tshark to only output the statistics we requested, making the output cleaner and easier to read when we're only interested in the conversation summary.

  4. Make note of the stream indexes (first column) as you'll need them for the next step where we'll follow specific streams. These indexes are crucial because they allow us to focus on individual conversations within what might be a very busy network capture.
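The conversation table is keyed by address pair, while the number that -z follow,tcp takes is the tcp.stream field tshark assigns to every TCP packet. The script below is an added example, not part of the original lab: it dumps that field with -T fields (tab-separated by default) and reduces the lines to one row per stream, naming the initiator from the first packet seen and counting packets in each direction. It assumes the lab's ~/project/tcp.pcap path (overridable through a CAPTURE variable of this example's own) and IPv4 traffic.

```shell
#!/bin/sh
# Added example, not part of the original lab: map each TCP conversation to
# its tcp.stream index, the value -z follow,tcp needs. Assumes the lab's
# ~/project/tcp.pcap path and IPv4 addresses (ip.src / ip.dst).

CAPTURE="${CAPTURE:-$HOME/project/tcp.pcap}"

# One tab-separated line per TCP packet: stream index, source, sport, dest, dport.
dump_stream_fields() {
    tshark -r "$1" -Y tcp -T fields \
        -e tcp.stream -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
}

# Reduce those lines to one row per stream. The first packet seen for a stream
# names the client; later packets are counted as client->server or server->client.
summarize_streams() {
    awk '
        BEGIN { FS = "\t" }
        NF < 5 { next }                      # ignore blank or truncated lines
        { src = $2 ":" $3 }
        !($1 in client) {                    # first packet seen for this stream
            client[$1] = src; server[$1] = $4 ":" $5; order[n++] = $1
        }
        src == client[$1] { c2s[$1]++; next }
        { s2c[$1]++ }
        END {
            printf "%-6s %-22s %-22s %5s %5s\n", "stream", "client", "server", "c->s", "s->c"
            for (i = 0; i < n; i++) {
                s = order[i]
                printf "%-6s %-22s %-22s %5d %5d\n", s, client[s], server[s], c2s[s] + 0, s2c[s] + 0
            }
        }'
}

# Whole pipeline against a capture file.
list_streams() { dump_stream_fields "$1" | summarize_streams; }

if command -v tshark >/dev/null 2>&1 && [ -r "$CAPTURE" ]; then
    list_streams "$CAPTURE"
fi
```

The stream column of this summary is exactly the number to plug into -z follow,tcp in the next step, and the c->s / s->c counts let you spot one-sided conversations (for example a SYN with no reply) before following them.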

Follow Stream with -z follow,tcp,stream,0

In this step, you will learn how to follow and analyze a specific TCP stream from the packet capture using Wireshark's tshark with the -z follow,tcp option. This allows you to reconstruct the actual data flow of a conversation between two endpoints, making it easier to understand the application-level communication.

The -z follow,tcp,stream,0 option lets you examine stream 0 (replace 0 with your desired stream index from the previous step) as a continuous data flow rather than individual packets. This is particularly useful when analyzing protocols like HTTP, where a single web page load might involve multiple packets.

  1. First, let's follow stream 0 (the first TCP conversation) from our capture. This command reads the pcap file and reconstructs the entire conversation:
tshark -r ~/project/tcp.pcap -z follow,tcp,stream,0
  2. The output will show three important pieces of information:

    • The complete data exchange between client and server, reconstructed in order
    • ASCII representation of the application layer data (what the applications actually sent)
    • Direction indicators (">" for client-to-server, "<" for server-to-client) which help track who initiated each part of the conversation
  3. To follow a different stream, replace "0" with your desired stream index (from step 2's output). For example, to see the second conversation in the capture:

tshark -r ~/project/tcp.pcap -z follow,tcp,stream,1
  4. For cleaner output showing only the data (without packet headers), add -q (quiet mode). This is helpful when you only care about the application data:
tshark -r ~/project/tcp.pcap -z follow,tcp,stream,0 -q

Save Stream Text with Redirection

In this step, you will learn how to save the contents of a TCP stream to a file using output redirection. This technique is particularly useful when you need to analyze network communication patterns or share captured data with colleagues. The process involves extracting specific TCP stream data from a packet capture file and storing it in a text file for later examination.

  1. First, let's save stream 0 to a file named stream0.txt. This command reads the packet capture file (tcp.pcap) and extracts only the content from TCP stream index 0, then redirects the output to a new text file:
tshark -r ~/project/tcp.pcap -z follow,tcp,stream,0 -q > ~/project/stream0.txt
  2. After executing the command, verify the file was successfully created. The ls -l command shows detailed information about the file, including its size and last-modified time:
ls -l ~/project/stream0.txt
  3. To view the actual content you've saved, use the cat command. This will display the complete conversation from the TCP stream, including both client and server messages:
cat ~/project/stream0.txt
  4. The same technique works for any TCP stream in your capture file. Here's how to save stream 1 by simply changing the stream index in the command. Notice we're creating a new file (stream1.txt) to avoid overwriting the previous one:
tshark -r ~/project/tcp.pcap -z follow,tcp,stream,1 -q > ~/project/stream1.txt
  5. When examining longer streams, adding line numbers can make analysis easier. The -n flag with cat displays each line with its corresponding number, helping you reference specific parts of the conversation:
cat -n ~/project/stream0.txt
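Saving streams one index at a time does not scale to a busy capture, and a saved file mixes both directions of the conversation. The script below is an added example, not part of the original lab: it enumerates every stream index from the tcp.stream field, saves each stream to its own file, and splits a saved file into client-sent and server-sent lines. It passes the "ascii" output mode name that tshark documents for -z follow, writes to the lab's ~/project directory (overridable through CAPTURE and OUTDIR variables of this example's own), and the splitter assumes the layout of ascii follow output in which the second endpoint's ("Node 1") data is indented with a tab while the first endpoint's starts at column 0.

```shell
#!/bin/sh
# Added example, not part of the original lab: save every TCP stream to its
# own file, then split one saved file by direction. Assumes the lab's
# ~/project paths and the "ascii" output mode of -z follow,tcp.

CAPTURE="${CAPTURE:-$HOME/project/tcp.pcap}"
OUTDIR="${OUTDIR:-$HOME/project}"

# Unique stream indexes, one per line, from tshark's per-packet tcp.stream field.
stream_indexes() {
    tshark -r "$1" -Y tcp -T fields -e tcp.stream | sort -n -u
}

# One file per stream: stream0.txt, stream1.txt, ... in OUTDIR.
save_all_streams() {
    stream_indexes "$1" | while read -r idx; do
        [ -n "$idx" ] || continue
        tshark -r "$1" -z "follow,tcp,ascii,$idx" -q < /dev/null > "$OUTDIR/stream$idx.txt"
        echo "saved stream $idx -> $OUTDIR/stream$idx.txt"
    done
}

# Assumed layout of ascii follow output: a "====" rule, "Follow:", "Filter:"
# and "Node 0:/Node 1:" header lines, then the data, with Node 1 (server) data
# indented by a tab. Emits "client<TAB>line" or "server<TAB>line".
split_by_direction() {
    awk '
        /^=+$/ || /^Follow:/ || /^Filter:/ || /^Node [01]:/ { next }
        /^\t/ { sub(/^\t/, ""); print "server\t" $0; next }
        { print "client\t" $0 }
    ' "$1"
}

# Number of lines sent in one direction ("client" or "server") of a saved stream.
count_direction() {
    split_by_direction "$1" | awk -v d="$2" 'BEGIN { FS = "\t" } $1 == d { n++ } END { print n + 0 }'
}

if command -v tshark >/dev/null 2>&1 && [ -r "$CAPTURE" ]; then
    save_all_streams "$CAPTURE"
    echo "stream 0: $(count_direction "$OUTDIR/stream0.txt" client) client lines," \
         "$(count_direction "$OUTDIR/stream0.txt" server) server lines"
fi
```

Splitting by direction is what makes a saved stream useful for review: client lines show what was requested, server lines show what came back, and each half can be fed to grep or diffed against another stream's file on its own.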

Summary

In this lab, you have learned to analyze TCP network traffic using Wireshark's command-line tool tshark. The exercises covered reading packet captures with -r, displaying detailed protocol information via -V, and identifying TCP conversations using -z conv,tcp for stream analysis.

You practiced following specific TCP streams by their indexes and saving stream content through output redirection. These techniques provide a practical workflow for inspecting network traffic from initial capture to focused data examination using tshark.