I have a number of tcpdump traces. With one I could view the entire set of HTTP streams in "Follow TCP Stream", and with the rest I could not. I'd like to be able to see all streams as in the first case and I'm not sure how to make that happen. I tried various filters, e.g., 'tcp.stream ge 0', but it seems like Wireshark would automatically reset to its own filter, 'tcp.stream eq 0'. Any suggestions would be appreciated.
asked 23 Jan '13, 11:12
A little bit of tshark scripting is your friend:
... or expanded to a couple of lines for readability:
which will result in one text file for each TCP stream :-)
(or you can use tcpflow of course)
answered 23 Jan '13, 13:13
edited 23 Jan '13, 17:43
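The approach the answer above describes, written out as an added example (not the answer's own script): enumerate the TCP stream indices in a capture with tshark, then dump each one with tshark's follow statistic to its own file. It assumes a tshark build that supports `-T fields -e tcp.stream` and `-z follow,tcp,ascii,<n>`, and that the capture path and output directory are supplied by the caller.

```shell
#!/bin/sh
# Added example, not the original answer's script: write every TCP stream of a
# capture to its own text file using tshark.
# Assumes tshark supports "-T fields -e tcp.stream" and "-z follow,tcp,ascii,<n>".

# Normalise tshark's per-packet tcp.stream output (the index is repeated for
# every packet of a stream, and non-TCP packets yield a blank line) into a
# sorted, de-duplicated list of stream indices.
stream_ids() {
    grep -E '^[0-9]+$' | sort -n | uniq
}

# Enumerate the streams in capture $1 and write $2/stream-<n>.txt for each,
# containing the same reconstructed ASCII conversation that the GUI's
# "Follow TCP Stream" window shows for that index. Prints the stream count.
dump_streams() {
    pcap=$1
    outdir=${2:-.}
    mkdir -p "$outdir"
    count=0
    for n in $(tshark -r "$pcap" -T fields -e tcp.stream | stream_ids); do
        tshark -r "$pcap" -q -z "follow,tcp,ascii,$n" > "$outdir/stream-$n.txt"
        count=$((count + 1))
    done
    echo "$count"
}

# Usage (capture.pcap is a placeholder): dump_streams capture.pcap streams/
```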
You can't. Follow TCP Stream always shows only one TCP stream, so in order to see them all you have to look at them one after the other; you can't see them all at the same time.
The reason why you say that you could see an entire set of HTTP streams is probably because you've looked at an HTTP/1.1 connection that uses a persistent TCP stream to transfer multiple objects from a single server. As soon as you do non-persistent TCP streaming (for example, in HTTP/1.0 or if the server denies persistence), or if multiple TCP connections to various servers are needed, you'll get one TCP stream per HTTP object, and then you can't see them all in one "Follow TCP Stream" window.
answered 23 Jan '13, 11:53
edited 23 Jan '13, 11:54