How does Wireshark calculate the TCP stream index number?

I'm used to seeing the first TCP packet in a trace file have a TCP stream index of 0. However, I have a trace file in which the first TCP packet has a TCP stream index of 6. There are 10,000 packets in the file, 5,619 of which are TCP. The TCP stream index numbers run from 6 to 196, with many gaps in the sequence. According to Statistics > Conversations, there are 37 TCP conversations in this file.
If I apply “tcp” as a display filter, save only the displayed packets, and then load this new trace file, the TCP stream index numbers range sequentially from 0 to 36 with no gaps.
Is there some reason why the presence of other non-TCP traffic in the trace file should cause the TCP stream index number to have gaps in the sequence? If this is not expected behavior, I'll file a bug report at bugzilla.wireshark.org.
asked 15 Jul '11, 12:48
It is something that bothered me too, but Sake (who implemented the stream index) gave me a perfect explanation for this: the stream index is shown only for TCP flows, but it is incremented with each conversation, even if it is a UDP conversation. If you take a closer look you'll see that the gaps between each TCP stream number have UDP conversations that "use" the hidden numbers (usually DNS request/answer pairs).
I don't remember the full details of why it is done this way but as far as I remember Sake had performance reasons, because otherwise he'd have to keep track of new TCP sessions starting while there already is a conversation counter that he could use for this.
answered 15 Jul '11, 13:01
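The behaviour described in the answer above, modelled as a small simulation rather than Wireshark's own code: a single conversation counter is advanced for every new conversation regardless of protocol, but an index is only reported for TCP packets. The packet list, addresses and ports below are constructed for the example; the function names are my own, and the direction-independent 5-tuple key is an assumption about how a conversation is identified.

```python
from collections import namedtuple

# Constructed packet record: protocol plus the 4-tuple of endpoints.
Packet = namedtuple("Packet", "proto src sport dst dport")


def conversation_key(pkt):
    """Direction-independent conversation key (assumption: proto + sorted endpoints)."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


def assign_stream_indexes(packets):
    """Model of the answer: one counter shared by all conversations.

    Returns, per packet, the stream index if the packet is TCP, else None.
    UDP conversations consume counter values without ever displaying them,
    which is what produces the gaps seen in the question.
    """
    counter = 0
    seen = {}
    shown = []
    for pkt in packets:
        key = conversation_key(pkt)
        if key not in seen:
            seen[key] = counter      # every new conversation takes a number...
            counter += 1
        shown.append(seen[key] if pkt.proto == "tcp" else None)  # ...but only TCP shows it
    return shown


def visible_tcp_indexes(packets):
    """Sorted, de-duplicated list of the stream indexes a user would see."""
    return sorted({i for i in assign_stream_indexes(packets) if i is not None})


# Constructed trace: DNS lookups interleaved with two TCP connections.
CLIENT, RESOLVER, SERVER = "192.0.2.10", "192.0.2.53", "198.51.100.7"
TRACE = [
    Packet("udp", CLIENT, 51000, RESOLVER, 53),    # DNS query       -> conversation 0
    Packet("udp", RESOLVER, 53, CLIENT, 51000),    # DNS answer      -> conversation 0
    Packet("tcp", CLIENT, 40000, SERVER, 80),      # SYN             -> conversation 1
    Packet("udp", CLIENT, 51001, RESOLVER, 53),    # DNS query       -> conversation 2
    Packet("tcp", SERVER, 80, CLIENT, 40000),      # SYN/ACK         -> conversation 1
    Packet("tcp", CLIENT, 40001, SERVER, 443),     # SYN             -> conversation 3
]

# Same trace after the display filter "tcp" has been applied and only the
# displayed packets saved, as in the question.
TCP_ONLY = [p for p in TRACE if p.proto == "tcp"]

if __name__ == "__main__":
    print("mixed trace :", assign_stream_indexes(TRACE))      # [None, None, 1, None, 1, 3]
    print("visible     :", visible_tcp_indexes(TRACE))        # [1, 3]  (gaps: 0 and 2 were UDP)
    print("tcp only    :", assign_stream_indexes(TCP_ONLY))   # [0, 0, 1]
    print("visible     :", visible_tcp_indexes(TCP_ONLY))     # [0, 1]  (sequential, no gaps)
```

Running the same counter over the TCP-only file renumbers the conversations from 0 with no gaps, which is exactly what the question reports after filtering and re-saving; counting the `None` entries between two visible indexes in the mixed trace tells you how many non-TCP conversations occupied the missing numbers.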
Hi Jim, I was wondering if you could help me with interpreting some captures I did... I am very new to Wireshark and I got a doozy of a network issue on my hands. Thanks so much, Michael
answered 29 Mar '16, 09:19