Follow TCP stream only shows one side of the conversation - why?
Hi,
I was filtering a TCP conversation with wireshark, and in the packet view I can clearly see requests and responses between two sockets - this is on loopback traffic capture. But when I select "Follow > TCP Stream" I only see the outbound stream (red), not the inbound (blue). I tried multiple times, also with other streams, restarted wireshark.
How do I fix this? [edit] Here is the recorded TCP conversation. open it with Wireshark, then try for yourself (Using Wireshark 3.6.7 Windows 11 64bit) https://drive.google.com/file/d/1USJx...
Can you add a column for
tcp.streamand verify inbound/outbound are the same stream number.Thanks, done that, the stream Id is consistently the same. I did an export of selected packets and reopened it in wireshark, the problem persists. I can share the exported stream for testing on your side, if you tell me how ...
Place it on a public file share such as Google, Onedrive or Dropbox then update the question with a link to the file.
It would be rather weird if both ways are identified with the same tcp stream. What version of wireshark are you running?
I have cases where I have to manually combine streams due to the way the capture takes place on a device performing NAT. so outbound shows the NATted source just as inbound but if you get both sides AFTER NAT then it's not the same stream according to wireshark. but it is always clear.
Filtering on an OR with both stream numbers solves that issue.
Hi, Hugo, Each TCP connection comes with bidirectional datastream. NAT is not involved here, two localhost ports are talking to each other. They do and I see it in the recorded packets. Just not in the Follow TCP stream window, where one direction is supposed to be red and the other blue. Blue is missing.