This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to only view streams, merging corresponding packets together

0

Is there a way to see only a list of streams, without every single packet separately, like in HttpFox, e.g.

HTTP localip:12345 -> www.example.org:80  GET /index.html
HTTP localip:12346 -> www.example.org:80  POST /example-form   a=b&x=y
SMTP localip:12347 -> mail.example.org:25 LOGIN user:password, MAIL: [email protected]example.org -> [email protected]example.org
SSH  localip:12348 -> ssh.example.org:22

And clicking on a stream should show the corresponding packets or the stream content.

I tried "follow tcp stream", but that shows only one, and "export objects\http", but that is only for http...

asked 28 Aug '12, 02:18

BeniBela's gravatar image

BeniBela
6113
accept rate: 0%


One Answer:

1

You can get a list of all conversations/streams by looking at the conversation statisticsin the statistics menu (and in the conversation list at the TCP tab), and look at individual streams by right-clicking on a line and applying a filter A <-> B.

If you want your packet list to show interesting stuff you'll need to build a more or less complicated filter. For example a simple "http.request.method" could show you the http requests, but you'd need to add similar filter expressions for all other protocols.

answered 28 Aug '12, 02:26

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 28 Aug '12, 02:27

That's nice. But why is it called "statistics"? It sounds like it only show some summaries. And why is the list cleared and regenerated, every time you select a filter/follow a stream? And it is annoying that you need to click/select 4 times to change the filter.

(28 Aug '12, 03:23) BeniBela

Probably because it is a statistical listing of conversations with bytes/packets/bps etc. I agree that the refiltering process is painful, but at the moment there is no way around it...

(28 Aug '12, 04:59) Jasper ♦♦

But the list does change. There is no need to refilter, if it is set to ignore the filters

(28 Aug '12, 05:53) BeniBela