I have a display filter that correctly identifies the packets I'm interested in. What I would really like, though, is to display the entire TCP stream containing each of the matching packets. Is that possible? asked 27 Mar '14, 10:33  Insyte edited 27 Mar '14, 10:34 |
2 Answers:
Right click on any TCP packet in the stream and choose "Follow TCP stream" from the drop-down. A new window will open showing the two sides of the conversation, or you can look at the original window which is now filtered to show only the stream that was selected. answered 27 Mar '14, 12:22  griff My apologies for not being more clear, but what I'm trying to accomplish is for the packet list to display the matching packets and all of the other packets in the stream. For all of the matching packets and streams at once. I have thousands to review and manually interrogating each of them would be prohibitive. (27 Mar '14, 12:55) Insyte |
well, then do just that ;-))
Now, you will only see those conversations that the filtered frames are part of. Regards answered 28 Mar '14, 15:03  Kurt Knochner ♦ |
thousands to review? manually?
Well, maybe there is a better way. Please add more details what you are trying to do.
I have packet dumps of tens of thousands HTTP API calls inbound to our network. I am interested in reviewing a subset of those calls that are only identifiable based on the content of the POST. I would like to load those into the conversations dialog so I can quickly identify the ones that are slow (sort on the duration column) and try to figure out why they're slow.