http_google.pcap

One of Wireshark’s most satisfying analysis features is its ability to reassemble TCP streams into an easily readable format. Rather than viewing data being sent from client to server in a bunch of small chunks, the Follow TCP Stream feature sorts the data to make it easier to view. This comes in handy when viewing plaintext application layer protocols such as HTTP, FTP, and so on. (We’ll take a closer look at how these common protocols work in the next chapter.)

For example, let’s consider a simple HTTP transaction. Open the file http_google.pcap. Click any of the TCP or HTTP packets in the file, right-click the file, and choose Follow TCP Stream. This will bring up the TCP stream in a separate window (see ...