Following TCP streams

There will be occasions when you would like to see the data on a TCP session in the order that the application layer would see it. Perhaps you are looking for passwords in a Telnet stream, or perhaps you are trying to make sense of a data stream. If so, Ethereal's ability to follow a TCP stream will be useful to you.

Simply select a TCP segment on the stream/connection you are interested in and then select the Follow TCP Stream menu item from the Ethereal Tools menu. Ethereal will pop up a separate window with all the data from the TCP stream layed out in order, as shown in Figure 23.

You can then select to view the data in one of three formats:

1. ASCII. In this view you see the data from each end in ASCII, but alternating according to when each end sent data. Unfortunately, non-printing characters do not print.

2. EBCDIC. For the big-iron freaks out there.

3. HEX Dump. This allows you to see all the data, but you lose the ability to read it in ASCII.

Note! It is worthwhile noting that Follow TCP Stream installs a filter to select all the packets on the TCP stream you have selected.