Follow TCP streams

Wireshark can reassemble the packets of a TCP connection into a single, readable stream, which is especially useful for plain-text protocols.


Figure 3.18: Follow TCP Stream window

For instance, reassembling an HTTP session shows you the GET requests sent by the client and the corresponding responses received from the server. The Follow TCP Stream dialog colour-codes the two directions: text in red is data the client sent, and text in blue is the response received from the server. If the protocol is HTTP, you can read almost everything in plain text; if it is HTTPS, the application data is encrypted, so the dialog shows apparently meaningless bytes (there is a way to decrypt HTTPS traffic too, which we will discuss in the upcoming chapters). The Follow TCP stream option is a great help while troubleshooting an HTTP session, and the same applies to most other application layer protocols that run over TCP.

At the bottom of the dialog, a drop-down menu lets you view either side of the communication on its own, or the entire conversation, that is, the requests and responses exchanged between the client and the server, together. Instead of viewing the data only in Raw format, you can choose between ASCII, EBCDIC, Hex Dump, and C Arrays.

If you wish to save the content shown in the dialog, click on Save as, which saves the content as a plain text file. Similarly, to print, click on Print. If you want to view everything except the stream you are currently following, click on Filter out this stream, which applies a display filter that excludes that stream's tcp.stream index. To close the dialog, click on Close.

To view the TCP stream, follow these steps:

  1. Open the capture/trace file.
  2. Apply the display filter if required.
  3. Select any packet from the list pane.
  4. Right-click on the selected packet and click on Follow TCP stream.

Following the preceding steps gives you an easy way to read the data, and figuring out who initiated the connection is then straightforward: the red text comes from the side that sent the first packet of the stream, which in a complete capture (one that includes the SYN) is the initiator of the connection.
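To make concrete what the dialog does behind the scenes, both for the reassembly and colour coding described earlier and for the "who initiated the connection" question after the steps above, here is an added example of a minimal Follow-TCP-Stream-style reassembler. It is not code from the book or from Wireshark. It assumes the segments have already been isolated to one connection (which Wireshark does with its tcp.stream index), that sequence numbers do not wrap, and it uses its own "[N bytes missing]" marker for gaps; the endpoints, sequence numbers and HTTP exchange in SAMPLE are constructed.

```python
# Added example (not from the book or Wireshark's source): a minimal
# "Follow TCP Stream" reassembler for one already-isolated TCP connection.
# Assumptions: segments belong to a single stream (Wireshark's tcp.stream
# index has done the demultiplexing), sequence numbers do not wrap, and
# the "[N bytes missing]" gap marker is this example's own convention.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str         # "ip:port" of the sender
    dst: str         # "ip:port" of the receiver
    seq: int         # sequence number of the first payload byte
    payload: bytes
    flags: str = ""  # TCP flags as letters, e.g. "S", "SA", "PA"


def find_initiator(segments):
    """The endpoint that sent the bare SYN opened the connection."""
    for seg in segments:            # capture order, not sorted
        if seg.flags == "S":
            return seg.src
    return None


def reassemble_direction(segments):
    """Order one direction by sequence number, dropping retransmitted
    bytes, keeping only the new part of an overlapping segment and
    marking gaps where a segment was never captured."""
    data = bytearray()
    expected = None                 # next sequence number we want
    for seg in sorted(segments, key=lambda s: s.seq):
        if not seg.payload:
            continue                # SYN/ACK-only segments carry no data
        if expected is None:
            expected = seg.seq
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                # full retransmission: nothing new
        if seg.seq < expected:
            payload = seg.payload[expected - seg.seq:]   # partial overlap
        else:
            if seg.seq > expected:  # lost/uncaptured segment before this one
                data += b"[%d bytes missing]" % (seg.seq - expected)
            payload = seg.payload
        data += payload
        expected = end
    return bytes(data)


def follow_tcp_stream(segments, client=None):
    """Return (client->server bytes, server->client bytes), like the
    two colour-coded sides of the Follow TCP Stream dialog."""
    client = client or find_initiator(segments)
    if client is None:
        raise ValueError("no SYN seen; pass the client endpoint explicitly")
    to_server = [s for s in segments if s.src == client]
    to_client = [s for s in segments if s.src != client]
    return reassemble_direction(to_server), reassemble_direction(to_client)


def render(client_data, server_data):
    """Plain-text stand-in for the dialog: 'C> ' lines are what Wireshark
    shows in red (client), 'S> ' lines what it shows in blue (server)."""
    out = []
    for tag, data in (("C> ", client_data), ("S> ", server_data)):
        # latin-1 never fails, so binary/TLS payloads still render (as junk)
        out.extend(tag + line for line in data.decode("latin-1").splitlines())
    return "\n".join(out)


# Constructed sample: one HTTP/1.1 exchange captured out of order, with
# one full retransmission and one partially overlapping retransmission.
C, S = "10.0.0.5:51234", "93.184.216.34:80"
SAMPLE = [
    Segment(C, S, 0, b"", "S"),
    Segment(S, C, 0, b"", "SA"),
    Segment(C, S, 1, b"GET /index.html HTTP/1.1\r\n", "PA"),
    Segment(S, C, 39, b"hello", "PA"),                        # arrives early
    Segment(C, S, 27, b"Host: exam", "PA"),
    Segment(C, S, 1, b"GET /index.html HTTP/1.1\r\n", "PA"),  # retransmit
    Segment(C, S, 33, b"example.com\r\n\r\n", "PA"),          # overlaps seq 33-36
    Segment(S, C, 1, b"HTTP/1.1 200 OK\r\n", "PA"),
    Segment(S, C, 18, b"Content-Length: 5\r\n\r\n", "PA"),
]

if __name__ == "__main__":
    req, resp = follow_tcp_stream(SAMPLE)
    print("initiator:", find_initiator(SAMPLE))
    print(render(req, resp))
```

Running the script prints the initiator and the conversation with "C> " and "S> " prefixes standing in for the dialog's red and blue text. The reassembly deliberately keeps the bytes that arrived first and discards retransmitted copies; a real analysis tool also has to decide which copy to trust when overlapping retransmissions differ, which is a classic IDS-evasion trick and one reason to inspect such streams by hand.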
