Wireshark has a feature called "follow tcp stream", under the menu item "Analyze".
When I use it, a screen capture filter is generated, something like:
tcp.stream eq 1
Where does this index come from?
I can't find any field in the packet that contains it...
This feature allows you to follow a particular TCP conversation between two or more hosts. It finds all the TCP packets between a particular source and destination and reassembles the data that was transferred in that particular exchange into something parsable.
Adding the Stream Index column lets you see all of the packets from start to end of a session. In Wireshark, press Ctrl + Shift + P (or select Edit > Preferences). At the bottom, click Add. Name the new column stream index.
When Wireshark processes the capture, it simply assigns the tcp stream index to each new TCP session it sees. If you look at the packet details of any TCP packet, and look at the TCP section, you will see a "Stream index: nn" line, where nn is the stream.
The stream index is an internal Wireshark mapping to: [IP address A, TCP port A, IP address B, TCP port B]
All the packets for the same tcp.stream value should have the same values for these fields (though the src/dest will be switched for A->B and B->A packets).
See the Statistics/Conversations/TCP tab in Wireshark to show a summary of these streams.
Stream indexes are Wireshark-internal. It just uses a number to uniquely identify a TCP stream.
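A small model of the mapping the answers describe, as an added example (not code from the answers and not Wireshark's own implementation): each new [IP A, port A, IP B, port B] conversation gets the next index, and both directions share it. The function names and the sample packets are constructed for illustration, and the model assumes the 4-tuple is the only key.

```python
# Added illustration: models the 4-tuple -> stream index mapping described above.
# It is not Wireshark source code; all names and sample data are hypothetical.

def conversation_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent key: A->B and B->A packets produce the same key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)


def assign_stream_indexes(packets):
    """Return one index per packet, numbered from 0 in order of first appearance."""
    index_of = {}
    indexes = []
    for src_ip, src_port, dst_ip, dst_port in packets:
        key = conversation_key(src_ip, src_port, dst_ip, dst_port)
        if key not in index_of:
            index_of[key] = len(index_of)  # next unused index for a new conversation
        indexes.append(index_of[key])
    return indexes


def summarize(packets):
    """Per-stream packet counts by direction, similar to a conversations summary.

    Endpoint "a" is whichever side sent the first packet seen for that stream.
    """
    summary = {}
    for idx, pkt in zip(assign_stream_indexes(packets), packets):
        src, dst = (pkt[0], pkt[1]), (pkt[2], pkt[3])
        row = summary.setdefault(idx, {"a": src, "b": dst, "a_to_b": 0, "b_to_a": 0})
        row["a_to_b" if src == row["a"] else "b_to_a"] += 1
    return summary


# Constructed sample: (src_ip, src_port, dst_ip, dst_port) per packet.
SAMPLE_PACKETS = [
    ("10.0.0.5", 49152, "192.0.2.10", 443),   # first conversation
    ("192.0.2.10", 443, "10.0.0.5", 49152),   # reply, same conversation
    ("10.0.0.5", 49153, "192.0.2.10", 443),   # same hosts, new client port
    ("10.0.0.7", 49152, "192.0.2.10", 443),   # different client host
    ("192.0.2.10", 443, "10.0.0.5", 49153),   # reply on the second conversation
    ("10.0.0.5", 49152, "192.0.2.10", 443),   # first conversation again
]

if __name__ == "__main__":
    for idx, pkt in zip(assign_stream_indexes(SAMPLE_PACKETS), SAMPLE_PACKETS):
        print(f"tcp.stream eq {idx}: {pkt[0]}:{pkt[1]} -> {pkt[2]}:{pkt[3]}")
    for idx, row in summarize(SAMPLE_PACKETS).items():
        print(idx, row)
```

Because the index depends on the order in which conversations first appear, the same connection can receive a different number in a different capture file.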