Reconstructing TCP data streams
Prerequisite: Observer Expert or Observer Suite
When analyzing a previously saved buffer that includes TCP communications, you can right-click any such communication in the decode, connection dynamics, or TCP Events displays and choose Reconstruct Stream or TCP Dump from the popup menu.
Note: Stream reconstruction can only be performed post-capture.
Both Reconstruct Streams and TCP Dump show you the stream, but they present it differently. If you need a quick view of the stream, choose Reconstruct Streams. If what you need is not available there and you need to dig deeper into the stream, choose TCP Dump.
The streams that Observer can reconstruct are:
DAAP (iTunes sharing)
FTP
HTML
HTTP
IMAP4
NNTP
POP3
RTSP (streaming audio/video)
Shoutcast (streaming audio)
SMTP
Telnet
WMPNSS (Windows Media Player sharing)
Note: Several media codecs are supplied with Observer so that Observer can reconstruct numerous media types. If you have an application that uses a codec that is not part of Observer, you can still reconstruct that media stream if the codec is installed on the analyzer system. Before reconstructing a media file, Observer searches its own list of codecs. If it does not find a suitable codec, it searches the Windows system for one. If it finds one, you can reconstruct the stream. For a list of supported codecs and protocols, see Protocols supported by Observer.