Wireshark offers different protocols for viewing, capturing and analyzing captured packets. The process for following these protocols can be broken down into three key steps:
- Select the protocol you wish to follow from within “Protocols” under “Follow TCP Stream” or “Protocols” under “Follow UDP Stream”.
- Open a capture file and click on the flow that corresponds to this protocol.
- You can pick an interface by clicking on it in the figure above, then picking an action such as “Next Packet”. This will cause Wireshark to change its display based on traffic that is currently flowing through your selected interface.
- Each of the protocols listed above is known as an application-level protocol.
- The most common use for these protocols is that they can be used to view and analyze data flowing through a network, for example, HTTP traffic. Other application-level protocols include DNS queries or POP3 mail transfer requests. This article will generally refer to “application level protocol” as “applprot”.
TCP Stream Dialog Box:
The “Follow TCP Stream” dialog box, commonly abbreviated to “stream,” allows the user to view and interact with captured data in the form of a protocol stream. The stream contains data that was either sent or received by an application, depending on which way the packet was traveling through the network.
The following steps can be taken to open up a stream:
- Open a capture file from within Wireshark.
- Click on “Follow TCP Stream” under “TCP”, “UDP”, or IP.” The number of streams will depend on how many TCP connections were running during the capture process.
- Clicking on one of the streams will present you with a detailed view of only that stream.
HTTP/2 Stream Dialog Box:
Viewing HTTP traffic can be done in a number of ways depending on your needs and the application in question. If you simply wish to see what HTTP traffic is being generated by a particular web server, then there are a few different methods that you could use.
- Use application-level protocols such as DNS queries or POP3 mail transfer requests to identify your interest in which specific web server is sending traffic.
- Use the “ping” command to pinpoint the IP address of the web host to which it will be pinging.
- Using this IP address, conduct a port scan of the host. This will determine whether that web server is being actively used by someone or if it is connected to at all.
- Use the “Follow TCP Stream” option under “TCP” to view the stream that corresponds to the target web server. Because it is a TCP connection, and you are only following traffic from one side, you should only see traffic sent from this web server rather than any other host on the network.
While viewing the stream, remember that application-level protocols will usually be found within UDP / IP communications such as this stream. If you are looking for DNS traffic, use application-level protocols.
SIP Call Dialog Box:
SIP, or Session Initiation Protocol, is one of the most common protocols being used in popular VoIP applications such as Skype. These applications can be used to create and receive calls between two individuals in a real-time manner. The following steps will show how you could use Wireshark to follow SIP traffic:
- Open a capture file on your system.
- Select the “Follow SIP Call” option under “SIP”, “UDP”, or IP.” The number of streams will depend on how many SIP connections were running during the capture process.
- You are now traveling along with any and all SIP packets being sent and received through the network in question.
DNS Query Dialog Box :
If you are trying to track an individual on the internet, then you will likely be looking at the IP address of their computer. This number can sometimes be quite difficult to locate as it is often buried within the packet data being generated by other protocols such as DNS queries or HTTP traffic. To track this information down, you will first want to identify what application level protocol it is being sent through. Xyz.com could be using either DNS or HTTP traffic, depending on what their website is doing in order to work properly.