Hi, I am wondering if I can follow the TCP stream when I have the packet number in tshark? For example, I only know packet 10 is an HTTP packet, and I want to follow the TCP stream of packet 10. Is there any way to do that?
asked 22 Oct '11, 19:33
When Wireshark processes the capture, it simply assigns the TCP stream index to each new TCP session it sees. If you look at the packet details of any TCP packet, and look at the TCP section, you will see a "Stream index: nn" line, where nn is the stream. To then filter on that stream, just apply the display filter "tcp.stream eq nn" (nn being the stream from the packet you are interested in). Of course this is just the hard way to do it; right-clicking on any TCP packet and selecting Follow TCP stream, followed by Filter out this stream, does the same thing.
You could possibly write a Lua script that would take a given packet number, then determine the TCP stream Wireshark has for that, and then filter out the stream. This hasn't been published by anyone to my knowledge.
answered 22 Oct '11, 21:42
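The lookup described in the answer can also be done from the command line with two tshark passes. This is an added example, not part of the original question or answer; the function names are hypothetical and the capture file path is whatever you pass in.

```shell
#!/bin/sh
# Added example: follow the TCP stream that contains a given frame number.
# Usage: follow_stream_of_packet <capture-file> <frame-number>

# Print the tcp.stream index of one frame; fail if the frame is not TCP.
stream_of_packet() {
    capture=$1
    frame=$2
    # Accept digits only, so the value is safe to place in a display filter.
    case $frame in
        ''|*[!0-9]*)
            echo "frame number must be a positive integer" >&2
            return 2
            ;;
    esac
    # -Y selects the frame; -T fields -e tcp.stream prints only its stream index.
    stream=$(tshark -r "$capture" -Y "frame.number == $frame" \
        -T fields -e tcp.stream)
    if [ -z "$stream" ]; then
        echo "frame $frame not found or not a TCP packet" >&2
        return 1
    fi
    printf '%s\n' "$stream"
}

# Print the reassembled payload of the stream that the frame belongs to.
follow_stream_of_packet() {
    stream=$(stream_of_packet "$1" "$2") || return $?
    # -q suppresses the per-packet listing; -z follow prints the stream contents.
    tshark -r "$1" -q -z "follow,tcp,ascii,$stream"
}
```

To list the packets of that stream instead of its payload, pass the index from `stream_of_packet` to `tshark -r <capture-file> -Y "tcp.stream eq <index>"`.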