This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there any way to find the tcp stream number based on packet number?

0

Hi, I am wondering if I can follow the TCP stream when I have the packet number in tshark? For example, I only know packet 10 is an HTTP packet, and I want to follow the TCP stream of packet 10. Is there any way to do that?

asked 22 Oct '11, 19:33

timho1985
1223
accept rate: 0%


2 Answers:

2

When Wireshark processes the capture, it simply assigns the TCP stream index to each new TCP session it sees. If you look at the packet details of any TCP packet, and look at the TCP section, you will see a "Stream index: nn" line, where nn is the stream. To then filter on that stream, just apply the display filter "tcp.stream eq nn" (nn being the stream from the packet you are interested in). Of course this is just the hard way to do it; right-clicking on any TCP packet and selecting Follow TCP stream, followed by Filter out this stream, does the same thing.

You could possibly write a Lua script that would take a given packet number, then determine the TCP stream Wireshark has for that, and then filter out the stream. This hasn't been published by anyone to my knowledge.

answered 22 Oct '11, 21:42

martyvis
8911525
accept rate: 7%

Thank you for your answer. I have tried and it works perfectly.

(01 Nov '11, 23:27) timho1985
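Added example, not part of the original answers: the tshark case from the question can be scripted in two steps, reading `tcp.stream` for the given frame number and then following that stream. The function names are hypothetical; the sketch assumes a tshark build that supports `-Y`, `-T fields -e` and `-z follow,tcp,ascii,N`.

```shell
#!/bin/sh
# Added example: resolve a frame number to its tcp.stream index, then
# dump that whole conversation. Function names are hypothetical.

# Print the tcp.stream index of frame $2 in capture $1.
# Returns 2 on a non-numeric frame number, 1 if the frame does not
# exist or carries no TCP layer (tcp.stream is then empty).
stream_of_frame() {
    pcap=$1
    frame=$2
    case $frame in
        ''|*[!0-9]*) echo "frame number must be numeric" >&2; return 2 ;;
    esac
    # -Y selects the single frame; -T fields -e prints only tcp.stream.
    idx=$(tshark -r "$pcap" -Y "frame.number == $frame" \
                 -T fields -e tcp.stream | head -n 1)
    case $idx in
        ''|*[!0-9]*) echo "frame $frame: no TCP stream index" >&2; return 1 ;;
    esac
    printf '%s\n' "$idx"
}

# Print the reassembled payload of the TCP stream frame $2 belongs to.
follow_frame() {
    idx=$(stream_of_frame "$1" "$2") || return $?
    # -q suppresses the per-packet listing; -z follow prints the stream.
    tshark -r "$1" -q -z "follow,tcp,ascii,$idx"
}

# List every frame number in the same stream ("tcp.stream eq nn").
frames_in_stream_of() {
    idx=$(stream_of_frame "$1" "$2") || return $?
    tshark -r "$1" -Y "tcp.stream eq $idx" -T fields -e frame.number
}

# Usage: sh follow_frame.sh capture.pcap 10
if [ "$#" -eq 2 ]; then
    follow_frame "$1" "$2"
fi
```

The stream index is assigned per capture file in order of first appearance, so an index resolved from one file is not valid for another capture or for a filtered re-export of the same traffic.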

0

You can display the Stream Index column (which is the TCP stream number). In Packet Details > Transmission Control Protocol, find the 'Stream Index' field, right-click and select Apply as a Column.

This answer is marked "community wiki".

answered 12 Apr '17, 21:01

evgenia
6224
accept rate: 0%