This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I view all streams in "Follow TCP Stream"?

0

I have a number of tcpdump traces. With one I could view the entire set of HTTP streams in "Follow TCP Stream", and with the rest not. I'd like to be able to see all streams as in the first case and am not sure how to make that happen. I tried various filters, e.g., 'tcp.stream ge 0', but it seems like Wireshark would automatically reset to its own filter, 'tcp.stream eq 0'. Any suggestions would be appreciated.

Anh

asked 23 Jan '13, 11:12


anguyen2548
accept rate: 0%


2 Answers:

2

A little bit of tshark scripting is your friend:

END=$(tshark -r http.pcap -T fields -e tcp.stream | sort -n | tail -1); for ((i=0;i<=END;i++)); do echo $i; tshark -r http.pcap -qz follow,tcp,ascii,$i > follow-stream-$i.txt;done

... or expanded to a couple of lines for readability:

#!/usr/bin/env bash
# Highest tcp.stream index in the capture (stream indices start at 0 and are contiguous)
END=$(tshark -r ../pcap/http.cap -T fields -e tcp.stream | sort -n | tail -1)
for ((i=0;i<=END;i++))
do
    echo "$i"
    # -q suppresses per-packet output; -z follow,tcp,ascii,N dumps stream N as ASCII
    tshark -r ../pcap/http.cap -qz follow,tcp,ascii,"$i" > "follow-stream-$i.txt"
done

This will result in one text file for each TCP stream :-)

(or you can use tcpflow of course)

answered 23 Jan '13, 13:13


SYN-bit ♦♦
accept rate: 20%

edited 23 Jan '13, 17:43

Great answers, and easily scriptable. However, I want to send all streams to an ASCII file (in tshark) because the above script takes a very long time to perform the action for the number of streams I am looking at (and reading from the FS each time for a new stream is most likely the bottleneck). Performing this action should be much faster in the tshark process; however, I can't vouch for how easy it would be to code.

The -follow flag was probably not meant to see all streams... I'm betting it makes use of a tshark search function to find the datum it is looking to work with. Given I want to print streams to ASCII and potentially create statistics on all streams, I imagine I should alter the code. Is there a good flag anyone might suggest as a starting point for my alterations?

(25 Feb '14, 09:55) dbavedb
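The single-pass variant the comment above asks for, as an added example that is neither SYN-bit's script nor part of tshark: it reads the capture once, groups TCP payload by connection, and writes one follow-stream-N.txt per stream, numbering streams by first appearance the way tcp.stream does. It assumes a classic pcap file (tcpdump's default) with Ethernet/IPv4 frames, and unlike tshark it does not reorder segments by sequence number or drop retransmissions; the tcp_packet helper only builds constructed test frames.

```python
import struct

PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap magic, v2.4, Ethernet

def tcp_packet(src, sport, dst, dport, payload, flags=0x18):
    """Constructed test frame: pcap record + Ethernet + IPv4 + TCP (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip            # zero MACs, EtherType IPv4
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def follow_all_streams(pcap_bytes):
    """Read the capture once; return {stream_index: [(direction, payload), ...]}."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    e = "<" if magic == 0xA1B2C3D4 else ">"            # record headers use the file's byte order
    if struct.unpack_from(e + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("example handles Ethernet (link type 1) captures only")
    streams, index, off = {}, {}, 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack_from(e + "IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4/TCP (or too short to hold TCP)
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total]                            # bound by IP length: drops Ethernet padding
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        key = frozenset({(src, sport), (dst, dport)})  # same key for both directions
        idx = index.setdefault(key, len(index))        # number on first packet, SYN included
        streams.setdefault(idx, [])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:                                    # pure SYN/ACK/FIN segments carry no data
            streams[idx].append((f"{src}:{sport} -> {dst}:{dport}", payload))
    return streams

def render_stream(entries):
    """ASCII text for one stream, in the spirit of tshark's follow,tcp,ascii output."""
    return "".join(f"[{d}]\n{p.decode('ascii', 'replace')}\n" for d, p in entries)

def write_stream_files(pcap_path, prefix="follow-stream-"):
    with open(pcap_path, "rb") as f:
        streams = follow_all_streams(f.read())
    for i, entries in streams.items():                 # one file per stream, one capture read
        with open(f"{prefix}{i}.txt", "w") as out:
            out.write(render_stream(entries))
    return len(streams)
```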

0

You can't. Follow TCP Stream always shows only one TCP stream, so in order to see them all you have to look at them one after the other, you can't see them all at the same time.

The reason why you say that you could see an entire set of HTTP streams is probably because you've looked at an HTTP/1.1 connection that uses a persistent TCP stream to transfer multiple objects from a single server. As soon as you do non-persistent TCP streaming (for example, in HTTP/1.0 or if the server denies persistence), or if multiple TCP connections to various servers are needed, you'll get one TCP stream per HTTP object, and then you can't see them all in one "Follow TCP Stream" window.

answered 23 Jan '13, 11:53


Jasper ♦♦
accept rate: 18%

edited 23 Jan '13, 11:54