Wireshark 101: TCP Streams and Objects; HakTip 120 Video Lecture | Start Using Wireshark: Do Hacking like a Pro - Back-End Programming

this hash tip is brought to you by Full
Sail University
welcome to hack tip the show where we
bring down concepts tools and techniques
for hackers gurus and IT ninjas
I'm Shannon Morrison we're checking out
more Wireshark this week with TCP
streams and objects while running a
packet capture and Wireshark you may
find that the packets are all in one
nice long list it's so very pretty with
all sorts of nice colors and some of
them match up with others an example
would be if a user is visiting multiple
different websites then you'll have a
whole series of packets dedicated to one
site and a whole other series dedicated
to another site they'll both end up in
this really really long list and it's
hard to make make sense of where each
packet is going and which ones depend on
which websites so this is where other
things come in handy if you look down at
my computer they'll both end up in this
long list depending on when they're
captured but they correspond with
different streams so it's really hard to
tell which websites correspond with
which packets now if you want to follow
a specific stream of packets you can
right click on the packet and choose to
see this thing called follow TCP stream
so if I choose one of these so I'll
choose this weird one refinery29 com I
don't even know what that is so I'll
right-click on that and go to follow UDP
stream and it'll show me a nice little
listening so that's a UDP packet now I'm
going to go back and let's find a TCP
one there's plenty of TCP s I'm going to
go up to the top so we can get the full
listing let's see this one looks like a
good one follow TCP stream and I get
this new window oh it's so very pretty
so this new window is going to open up
and the filter will update in your main
window so if you look up at filter right
here it's going to say TCP stream a cue
1:05 so it basically means that TCP
stream is well that's self-explanatory
it's up to you a stream of TCP packets
eq and then a number will mean that it
will equal
associated with the stream followed for
your packets so it's going to equal
pack it 105 for example and it's going
to show me the stream from that specific
packet pretty cool okay so now under the
go menu you can also move around or use
keyboard shortcuts to get to a specific
packet in this new stream so if I go up
to go I'll notice that I have the
options to go back forward go to packet
go to corresponding packet and then a
bunch down here so I can also use
keyboard shortcuts for these control FN
home to get to the top and to get to the
bottom where I can just use the up and
down arrows to choose specific packets
so a little bit more useful than
clicking around with your mouse all day
because we know we hate mice don't we
now within the new TCP stream menu I'll
go back over to this you'll see a
listing of information which doesn't
make a lot of sense it just looks like a
bunch of garbled information going on
now this is going to be information
about the packet stream that you just
followed so this is going to show you
the entire conversation from the very
start wherever you sent your information
out out and then whatever you received
so you can also break it down into
separate parts as well you'll notice
that up at the top everything is
highlighted in red so this is the first
send out message and then after that we
have another packet of information and
then scroll down and you'll see other
packets included in there as well now
we'll go back up to the top it doesn't
make a lot of sense though that's the
problem so you can view this information
a whole bunch of different ways for
example I can see it in the raw data so
this is just the raw data that I'm
seeing now I can change this also to see
arrays so you can see all the separate
see arrays hex dump I'm sure you guys
are familiar with hexes ebcdic I'll get
back to that one in a second and ASCII
of course we all know what ASCII is so
the second to last one this ebcdic it
sounds kind of weird but it stands for
extended binary coded decimal
interchange code
it's an 8-bit character encoding used
mainly on IBM mainframe and IBM
mid-range computer operating systems
just a little fYI about what the heck
that is now I'm going to get back into
this in just a second but first let's
take a quick break to thank our sponsor
as you know virtually every industry
relies on software technology full sail
university located in Winter Park
Florida offers bachelor degree programs
that address the need for skilled tech
professionals through curriculum that
blends code and theory with real-world
experience offered on campus the
software development bachelor's degree
program teaches programming fundamentals
through project-based coursework
allowing students to graduate with
multiple completed software products the
mobile development bachelor's degree
offered on campus and online teaches
students how to develop apps and
utilities through courses that cover
both iOS and Android development and the
web design and development bachelor's
degree program also available on campus
and online teaches front-end design
back-end development along with coding
formats programming languages and so
much more all students have hands-on
access to technology from day one they
receive a laptop computer in an
institutional discount along with
relevant software and tools to learn
more about full sales web and Technology
programs visit Full Sail edu slash
active we are back and now it's time for
something called D codes if you want to
right click on any of your different
packets down here you'll see a little
message down at the bottom that says D
code as when you click on that you get a
nice little new window so this is going
to allow you to decode any packet into
another format so if you have a packet
on the transport layer you can decode
that as any user-specified protocol same
with network and link so if I look down
here you'll first see transport layer if
I go down under here I can choose the
UDP port so I can either choose the one
that goes out the source the destination
or both and then I can choose how I want
to decode that information and I have
lots and lots in fact probably over a
hundred different options down here
quick pulse PT P and so on and so forth
same with network and link so under
network I'm going to have a bunch of
options for the protocol the IP protocol
17 and under link so it's going to say
ether type so the link is going to also
give me a bunch of different options to
decode now you're going to notice that
all of these different layers the
transport network and link
are all familiar with the OSI model
layers so you'll notice a few little
similarities there another really cool
option I wanted to share is the HTTP
object list I'm going to close the
decode options and go over to file
export objects go to http there we go
okay so this is going to give me a
listing of all the different HTT p--
Achatz that i got during my packet
capture and then I can save them for
later use so if I wanted to click on one
of these let's see we'll do su-7 dot PNG
I'm assuming this comes from the MarySue
a website that I frequent quite often so
I can click on that
hit save is save as go down to my
desktop where I like to save everything
and hit save now if I go to my desktop
there it is there is the little PNG
image straight from the packet itself
it's kind of cool you can actually see
relevant information from your packets
that you can specifically download
straight from Wireshark I like being
able to do things like that so cool now
you'll see the actual image saved
wherever you want to put it now let me
know what you think of course you can
send me a comment below or you can email
us over at tips at hak5 org I'll be back
next week with some more Wireshark
tutorials but first check out our sister
show hack 5 for more great stuff just
like this I'll be there reminding you to
trust your techno list
you