How to "follow HTTP stream" for a single line in Wireshark?

asked 2018-05-03

Royi

I'm using Wireshark to capture network traffic (HTTP).

Current filter is:

ip.dst== and http and ip.src==

I already see the filtered http request and response:



I want to see the (HTTP) request and response,
so I was told to "follow tcp/http stream".

And so I did - right click on the last row:



But the problem is that I see all the HTTP requests (not only the one I selected):




How can I see the HTTP request only for the selected row?

answered 2018-05-03

Shan

updated 2018-05-03

At a glance, I can't find any easy/easier way to do this. See below:

Right click on the packet(s) you're interested in and mark them. Then go to File > Export Specified Packets > Select the radio button "Marked Packets". The result is a capture file with only the marked packet(s). From there you can select follow TCP stream and you'll have it isolated to what you're interested in. This solution doesn't scale very well, but for grabbing/analyzing a few packets it works fine. Additionally, you can click around in the ASCII breakdown of the stream and Wireshark will select the related packet in the decode pane.

Thanks for the reply. I did what you told me to do, but "export specified packets" is disabled...


Royi ( 2018-05-03 )

The only thing I can think of that is causing an issue is that you have a capture running while trying to perform the export. Can you try stopping the capture, and then exporting? Let me know if that helps.

Shan ( 2018-05-03 )

