Unleashing Wireshark’s Powerful Follow TCP Stream Feature

In security courses such as Learning Tree’s System and Network Security Introduction, we often hear about the insecurity of protocols such as Telnet. These older protocols send their data – including login credentials – over the network in the clear. While SSH, a secure alternative to Telnet, is used in many applications today, many sites still use Telnet for some applications. Indeed, many participants in security classes I teach don’t understand the security issue. So in this post, you will see Telnet’s insecurity demonstrated in a packet capture.

We’ll look at the telnet-raw.pcap file from the Sample Captures section of the Wireshark wiki. I scrolled through the capture until I found the first Telnet Data frame with actual data from the conversation:

[Screenshot: capture of server ID]

Note that this is the server identifying itself to the client.

After scrolling past the login prompt, I found the first character of the username:

[Screenshot: character f]

I could have continued scrolling through the username, its echo, the password prompt, and each character of the password so I could retrieve the user’s login credentials. Looking through the trace packet by packet is time-consuming, tedious, and prone to error. Fortunately, Wireshark provides us with a shortcut in the form of the Follow TCP Stream feature. You can reach this feature via the Analyze -> Follow -> TCP Stream menu item. When you select that menu item, a window appears showing both sides of the TCP stream data:

[Screenshot: whole stream capture]

If you look closely at that window (you may need to enlarge it), you’ll see that the text is in two colors: red and blue. Blue is the data from the server to the client (e.g. the login: prompt) and red is the data from the client to the server. A user can change those colors in Wireshark’s settings.

[Screenshot: username and password]

Notice that the username is echoed back to the user, but the password is not. Also, notice that we can see the login credentials in the clear! The dots or periods before the username represent Telnet protocol negotiations such as those required to turn user echo off for the password and back on for the remainder of the session.
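The negotiation bytes behind those dots can be separated from the readable text with a short parser. The following is an added example, not part of the original post; the function names are hypothetical, and the sample bytes and the username demo are constructed, not taken from telnet-raw.pcap.

```python
# Telnet command bytes (RFC 854); option codes from RFC 857 and RFC 858.
IAC, SB, SE = 255, 250, 240
VERBS = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD"}


def split_telnet(stream: bytes):
    """Return (text, negotiations) for one direction of a Telnet stream."""
    text, negotiations = bytearray(), []
    i = 0
    while i < len(stream):
        if stream[i] != IAC:
            text.append(stream[i])  # ordinary data byte
            i += 1
        elif i + 1 >= len(stream):
            break  # command truncated at the end of the capture
        elif stream[i + 1] == IAC:
            text.append(IAC)  # IAC IAC is an escaped literal 0xFF data byte
            i += 2
        elif stream[i + 1] in VERBS:
            if i + 2 >= len(stream):
                break  # option byte missing
            opt = stream[i + 2]
            negotiations.append(f"{VERBS[stream[i + 1]]} {OPTIONS.get(opt, opt)}")
            i += 3
        elif stream[i + 1] == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break  # subnegotiation never terminated
            negotiations.append(f"SB option {stream[i + 2]}")
            i = end + 2
        else:
            i += 2  # other two-byte commands such as NOP or GA
    return text.decode("ascii", errors="replace"), negotiations


def as_shown_in_stream_window(stream: bytes) -> str:
    """Approximate an ASCII stream view: non-printable bytes become dots."""
    return "".join(chr(b) if 32 <= b < 127 or b in (10, 13) else "." for b in stream)


# Constructed server-to-client bytes: two negotiations, prompt, echoed username.
SERVER_TO_CLIENT = bytes([IAC, 251, 1, IAC, 251, 3]) + b"login: demo\r\nPassword: \r\n"

if __name__ == "__main__":
    text, negotiations = split_telnet(SERVER_TO_CLIENT)
    print(repr(as_shown_in_stream_window(SERVER_TO_CLIENT)))
    print(negotiations)
    print(repr(text))
```

Each three-byte negotiation appears as three dots in the ASCII view, which is why a run of dots precedes the login prompt.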

You can look at this and other traces yourself in Wireshark. If you haven’t already:

  • Download Wireshark and install it
  • Go to the link above for the wiki and look through the list of sample captures and select one that interests you
  • Download the file and open it in Wireshark with File -> Open
  • You can scroll through the packets and examine the protocol details

Follow TCP Stream is a powerful feature of Wireshark and if you use Wireshark, you are likely to use it often. It is useful not only for learning about and debugging protocols but also for examining data for security purposes.

In future posts, we’ll look at this and other Wireshark features.

To your safe computing,
John McDermott

image sources

  • server-id: John McDermott
  • first-char-of-user-name: John McDermott
  • whole-stream: John McDermott
  • username-and-password: John McDermott
