This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I am wondering if i can follow the tcp stream when i have the packet number in tshark? For example, I only know packet 10 is a HTTP packet, and I want to follow the tcp stream of packet 10. Is there any way to do that?

asked 22 Oct '11, 19:33

timho1985's gravatar image

timho1985
1223
accept rate: 0%


When Wireshark processes the capture, it simply assigns the tcp stream index to each new TCP session it sees. If you look at the packet details of any TCP packet, any look at the TCP section, you will see "Stream index: nn" line, where nn is the stream. To then filter on that stream, then just apply the display filter "tcp.stream eq nn" (nn being the stream from the packet you are interested. Of course this is just the hard way to do it, right-clicking on any TCP packet, and selecting Follow TCP stream, followed Filter out this stream does the same thing.

You could possibly write a LUA script that would take a give packet number, then determine the TCP stream wireshark has for that, and then filter out the stream. This hasn't been published by anyone to my knowledge.

permanent link

answered 22 Oct '11, 21:42

martyvis's gravatar image

martyvis
8911525
accept rate: 7%

Thank you for your answer. I have tried and it works perfectly.

(01 Nov '11, 23:27) timho1985

You can display Stream Index column (which is TCP Stream number) In Packet Details > Transmission Control Protocol, find 'Stream Index' field, right click and select Apply as a Column

permanent link
This answer is marked "community wiki".

answered 12 Apr '17, 21:01

evgenia's gravatar image

evgenia
6224
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×752
×248
×82

question asked: 22 Oct '11, 19:33

question was seen: 17,006 times

last updated: 12 Apr '17, 21:01

p​o​w​e​r​e​d by O​S​Q​A