Following TCP Streams

Unicorn tutorials

One of Unicorn’s most satisfying analysis features is its ability to reassemble TCP streams into an easily readable format. Rather than viewing data being sent from client to server in a bunch of small chunks, the Follow TCP Stream feature sorts the data to make it easier to view. This comes in handy when viewing plaintext application layer protocols such as HTTP, FTP, and so on. (We’ll take a closer look at how these common protocols work in the next chapter.)

For example, let’s consider a simple HTTP transaction. Launch Unicorn and start a new project, then visit a website, e.g. www.ids-sax2.com. Switch to the Conversations tab, select an HTTP conversation, and double-click it to open the conversation detail window. See the figure below. The detail window has three tabs; choose the Payload tab.

Figure 5-9: The Follow TCP Stream window reassembles the communication in an easily readable format.

Notice that the text displayed in this window is in two colors. The green text is used to signify traffic from the source to the destination, and the blue text is used to identify traffic in the opposite direction, from the destination to the source. The color relates to which side initiated the communication. For instance, in our example, the client initiated the connection to the web server, so it is displayed in green.

Given this TCP stream, you can clearly see the great majority of the communication between these two hosts. This communication begins with an initial GET request for the web root directory (/) and a response from the server that the request was successful, in the form of an HTTP/1.1 200 OK. A similar pattern is repeated throughout the stream as individual files are requested by the client and the server responds with them. You are seeing a user browsing to the Ax3soft home page. You’re actually seeing what the end user is seeing, but from the inside out.
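As an added illustration of what the feature does under the hood (this is not Unicorn's own code): a small Python reassembler that orders each direction's segments by sequence number, holds back out-of-order data until the gap is filled, drops retransmitted bytes, and prints the conversation with the client and server sides marked the way the window colours them. The hosts, ports, sequence numbers and HTTP exchange in the sample are constructed.

```python
from collections import namedtuple
# src/dst are "ip:port"; seq is the TCP sequence number of the first payload byte
Segment = namedtuple("Segment", "src dst seq payload")

def reassemble(segments, client):
    """Return [(direction, bytes)]: '>' is client->server, '<' is server->client."""
    side = lambda s: '>' if s.src == client else '<'
    expected = {}                        # per direction: seq of next byte to deliver
    for s in segments:                   # lowest seq seen = first payload byte
        expected[side(s)] = min(expected.get(side(s), s.seq), s.seq)
    pending = {'>': {}, '<': {}}         # direction -> {seq: payload} held back
    out = []
    for s in segments:                   # consume in capture order
        d = side(s)
        pending[d][s.seq] = s.payload
        while True:                      # flush everything that is now contiguous
            hit = None
            for q, p in list(pending[d].items()):
                if q + len(p) <= expected[d]:
                    del pending[d][q]    # already delivered in full: retransmission
                elif q <= expected[d]:
                    hit = (q, p)
                    break
            if hit is None:
                break
            q, p = hit
            del pending[d][q]
            chunk = p[expected[d] - q:]  # drop bytes overlapping delivered data
            expected[d] += len(chunk)
            if out and out[-1][0] == d:  # merge with previous chunk from same side
                out[-1] = (d, out[-1][1] + chunk)
            else:
                out.append((d, chunk))
    return out

def render(stream):
    """Text view like the Payload tab: '>' lines are the client, '<' the server."""
    return "\n".join(f"{d} {line}" for d, data in stream
                     for line in data.decode("latin-1").splitlines())

# Constructed sample: request in two segments, response segments out of order, one duplicate
CLIENT, SERVER = "10.0.0.5:51234", "192.0.2.10:80"
REQUEST = b"GET / HTTP/1.1\r\nHost: www.ids-sax2.com\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE = [
    Segment(CLIENT, SERVER, 1000, REQUEST[:16]),
    Segment(CLIENT, SERVER, 1016, REQUEST[16:]),
    Segment(SERVER, CLIENT, 5020, RESPONSE[20:]),   # arrives before its predecessor
    Segment(SERVER, CLIENT, 5000, RESPONSE[:20]),
    Segment(CLIENT, SERVER, 1016, REQUEST[16:]),    # retransmission, must be ignored
]
```

Calling `print(render(reassemble(SAMPLE, CLIENT)))` shows the GET request followed by the 200 OK response, one line per side, despite the scrambled capture order.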

In addition to viewing the raw data in this window, you can also search within the text, save it to a file, or print it.

Following TCP streams will become your best friend when dealing with certain protocols.
