This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I view stream lists

1

I'd like to see the list of TCP streams from my packet capture. Something like this:

Source     Dest    Prot Port Start        End
1.1.1.1 -> 2.2.2.2 TCP   445 12:00:00.000 12:00:03.000
1.1.1.1 -> 3.3.3.3 TCP    80 12:00:04.000 12:00:05.000
1.1.1.1 -> 2.2.2.2 TCP   445 12:00:07.000 12:00:09.000 (a different stream than the first)

I looked at Statistics/FlowGraphs, but that seems to show all the SYN/ACK details in each stream (too much information to go through). I looked at Statistics/ConversationList, but that appears to combine the first and the third in the example above (not enough information).

This would be so I can document the traffic going between my application servers. For instance: workstation A talks to server B, which starts server B talking to server C, etc. Is there a way to do this in Wireshark, or am I incorrect in my assumptions? Thanks!

asked 13 Sep '11, 15:14

Chris

edited 13 Sep '11, 23:17

Jaap ♦

One Answer:

2

The functionality that most closely matches your request is "Statistics -> Conversations" and then the TCP tab; it will show you the details of every single TCP session in the trace file.

If you need the output to be exactly like the table you included in your question, then you would need to do some scripting or programming yourself. You can either use Lua within Wireshark or use tshark with some shell scripting (or Perl or ...).

answered 13 Sep '11, 23:50

SYN-bit ♦♦

Thanks! That is what I was looking for. I copied it from there to Excel after that for further analysis. It looks like your suggestion will reduce my work from looking at 100,000 packets to looking at 1,000 conversations :).

(14 Sep '11, 14:12) Chris
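
Added example (not part of the original thread and not Wireshark project code): one way to do the tshark scripting the answer mentions, grouping packets by the `tcp.stream` index so that repeated connections between the same hosts and port stay separate rows, as in the question's table. The function names `summarise`, `fmt` and `render` are hypothetical, the sample input is constructed, and times are shown in UTC.

```python
# Per-stream summary of tshark field output.
# Assumed producer command (tab-separated, one line per packet):
#   tshark -r capture.pcap -Y tcp -T fields -e tcp.stream -e ip.src \
#       -e ip.dst -e tcp.dstport -e frame.time_epoch
import sys
from datetime import datetime, timezone

# Constructed sample input, not taken from a real capture.
SAMPLE = """\
0\t1.1.1.1\t2.2.2.2\t445\t1315915200.000
0\t2.2.2.2\t1.1.1.1\t49152\t1315915201.500
0\t1.1.1.1\t2.2.2.2\t445\t1315915203.000
1\t1.1.1.1\t3.3.3.3\t80\t1315915204.000
1\t3.3.3.3\t1.1.1.1\t49153\t1315915205.000
2\t1.1.1.1\t2.2.2.2\t445\t1315915207.000
2\t2.2.2.2\t1.1.1.1\t49154\t1315915209.000
"""

def summarise(lines):
    """Return one (src, dst, port, start, end) tuple per tcp.stream index."""
    streams = {}
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5 or not all(fields):
            continue  # e.g. IPv6 packets leave ip.src / ip.dst empty
        idx, src, dst, port, ts = fields
        ts = float(ts)
        # The first packet seen fixes Source/Dest/Port; a capture that starts
        # mid-connection may therefore list the server as the source.
        row = streams.setdefault(int(idx), [src, dst, int(port), ts, ts])
        row[3] = min(row[3], ts)
        row[4] = max(row[4], ts)
    return [tuple(streams[i]) for i in sorted(streams)]

def fmt(ts):
    """Epoch seconds -> HH:MM:SS.mmm (UTC)."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%H:%M:%S.%f")[:-3]

def render(rows):
    out = ["Source     Dest    Prot Port Start        End"]
    for src, dst, port, first, last in rows:
        out.append(f"{src} -> {dst} TCP {port:>5} {fmt(first)} {fmt(last)}")
    return "\n".join(out)

if __name__ == "__main__":
    # Pipe tshark output in, or run with no input to see the sample.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    print(render(summarise(lines)))
```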