This is our old Q&A Site. Please post any new questions and answers at

Hi, I am searching for a specific xml data string and the pointer finds the specific packet number. Then I right click "follow tcp stream" and don't find it (I am not talking about while it is written in "white"). Then I look at tcp data segment window below, and find it! My question is why parts of the xml are written in the follow tcp stream window and some are not (and are only available at the tcp data segment window)? BR, Yuval Sivan.

asked 30 May '11, 03:13

yuvalsivan's gravatar image

accept rate: 0%

Could it be that the XML object was compressed when it was sent over HTTP? The HTTP dissector is able to decompress the object, while "Follow TCP Stream" does just that, it shows you the raw data sent over TCP.

permanent link

answered 01 Jun '11, 23:23

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

Sadly, wireshark's capabilities are quite limited when working with tcp streams, especially those that are compressed. You can decompress the stream using tcpflow, however.

permanent link

answered 01 May '13, 11:25

bhh's gravatar image

accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 30 May '11, 03:13

question was seen: 5,925 times

last updated: 01 May '13, 11:25

p​o​w​e​r​e​d by O​S​Q​A