This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP streams in video capture

0

i am taking capture while i am watching video from youtube. i see lots of tcp streams i really wonder why there is lots of streams? is one video one stream?

thanks.

asked 11 May '16, 05:43

kutlant's gravatar image

kutlant
6113
accept rate: 0%


One Answer:

1

Your best bet would probably be to close youtube (and any other apps), restart your capture, and then look at the the streams that get started after you open up youtube and start up a video. You can find the beginning of these streams if you filter or search on TCP SYNs (tcp.flags.syn == 1). You will then have a better idea of what is related to your youtube usage.

answered 11 May '16, 07:31

ryber's gravatar image

ryber
146459
accept rate: 16%

thank you it really helps my observation. But the thing i dont understand, i am opening a video and start capturing packets. while this i see lots of streams which has different destination ip or same dest ip with first stream. what ignites this streams to start?

(11 May '16, 11:59) kutlant
1

What exactly means "lots"? When you open a web page, it may contain a lot of components which aren't necessarily stored at the same server (IP address) like the basic html text of the page, so your browser may easily have to open tens of tcp sessions to be able to rendering the page completely. And it rarely closes these sessions immediately after fetching the data, as reuse of already open sessions saves resources.

So you need to look which of the sessions remain open but actually transfer no data (except, in some cases, keepalives) and which keep transferring large bursts of data, or just transfer the biggest volume, and that one would be the video one (due to video advertising, you may have two big-volume sessions in the capture).

(11 May '16, 12:48) sindy
1

I agree with Sindy. If you are using firefox, you can hit F12 to get a developer console. If you go to the network tab, you can see every individual HTTP connection it makes in the course of loading the page. I have never used this with Youtube, but it is usually very helpful. There is also an Inspector tab that you can use to examine different elements of the page, which might also help.

If the requests are plain HTTP, you will be able to see what they are for in the packet capture. If they are encrypted over SSL, you won't be able to see much, but you will be able to see the server cert, which may point you to what the request is for.

(16 May '16, 09:50) ryber

thank you very much i really understand how stuff works

(17 May '16, 06:46) kutlant