Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

A so called TCP or UDP 'stream' is a representation of a transport layer connection between two nodes. These connections are defined by their network layer source and destination addresses and transport layer ports, and for TCP by their state.

Wireshark assigns an index number to each of these streams it sees. Therefore it looks at the addresses and port numbers and keeps record of this combination. If the combination is new it assigns the next index number, if it has been seen before it retrieves the index number for that steam. The index number is then added as a generated field to the transport layer.

An added complication is that TCP connections can reuse the same address and port combination for a different transport layer connection. This is because TCP is a connection oriented protocol. Therefore Wireshark also keeps track of TCP connection opening and closing (SYN, FIN/RST flags). UDP, being connection-less, does not provide for this.