TCP session reconstruction

After you have collected the network traffic packets, you can reconstruct them according to the protocols they conform to. This allows you to analyse different Internet Protocols based on TCP streams, such as POP3 or HTTP.

First you need to capture some packets from the network, and then use this feature to reconstruct them into streams by selecting Capture - Reconstruct TCP Sessions in the main menu. All the packets in the buffer will be processed, and all the TCP flows will be displayed as shown in the screen shot:

Packets processed and TCP flows displayed

Toolbar buttons and their functions:

Save data flow Saves the captured data flow as a formatted text file (RTF) or as a raw data file that contains the data flow.
Change data flow direction Changes the selection of data flow between: client and server, client only or server only.
Change data flow display Changes the data display format between text and hexadecimal code, as shown below.
Seacrh Finds a search string in the displayed text.
Open web browser Opens the web browser window to view HTTP sessions as a web-page or image.
HTTP query in hexadecimal format
An example showing an HTTP query in hexadecimal format
Captured HTTP session rendered in web browser
An example of how a captured HTTP session could be rendered in a web browser window