This is a static archive of our old Q&A Site. Please post any new questions and answers at

displaying last N frames of all TCP streams


I'd like to write a filter that shows last 5 frames from all TCP streams in the capture (5 last frames from stream #1, 5 last frames from stream #2, ...). Is it possible? Thanks in advance!

asked 20 Jun '14, 18:58

sjlee's gravatar image

accept rate: 0%

edited 21 Jun '14, 19:40

Guy%20Harris's gravatar image

Guy Harris ♦♦

are you asking for a method during the capturing phase (question title) or during the analysis phase (question text, as I understand it)?

What exactly are you trying to do with those last 5 frames?

(21 Jun '14, 16:28) Kurt Knochner ♦

Thanks for the comment. I'm asking for a method during the analysis phase. I'd like to look at all the frames just prior to connections being closed.

(21 Jun '14, 17:47) sjlee

2 Answers:


You could write a Lua script to do this, if you want to automate it. You could either (1) write a Lua script to automatically build the appropriate display filter (i.e., a huge display filter of the correct frame numbers to display) and have the script also apply the filter, or (2) write a Lua script to create a new temporary pcap file of only the appropriate packets and have the script also load that temp file.

answered 24 Jun '14, 07:06

Hadriel's gravatar image

accept rate: 18%


There is a manual way to do it, but it will only work for a few connections. So, how many of those connections do you have to look at?

Unfortunately, there is no automatic way in the current code, so you'll either have to implement that yourself or use external tools.


answered 22 Jun '14, 04:38

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

Thanks for the answer! In this particular case we're talking about hundreds of connections (otherwise I would have just looked at the conversations one by one).

(23 Jun '14, 08:15) sjlee

Since you have hundreds of connections you obviously need to automate this. If you are looking for an external tool that allows this kind of scripting, check out Unsniff. This blog post should help with your particular case

Hope this helps.

(24 Jun '14, 06:17) VIVEKRJG

Unsniff sounds real interesting. I'll check it out. Thanks!

(24 Jun '14, 08:28) sjlee