Follow tcp stream - Where does field "Stream index" come from?

packet wireshark packet-capture
pcent picture pcent · May 20, 2011 · Viewed 24.7k times · Source

Wireshark has a that feature called "follow tcp stream", under the menu item "Analyze".

When I use it, a screen capture filter is generated, something like:

tcp.stream eq 1

Where does this index come from?

I can't find any field in the packet that contains it...

Answer

rupello picture rupello · May 20, 2011

the stream index is an internal Wireshark mapping to: [IP address A, TCP port A, IP address B, TCP port B]

All the packets for the same tcp.stream value should have the same values for these fields (though the src/dest will be switched for A->B and B->A packets)

see the Statistics/Conversations/TCP tab in Wireshark to show a summary of these streams

Related questions

How to find the packet loss in Wireshark?

I need to test packet loss for an FTP application. I used the Wireshark packet sniffer, and I got TCP Stream. How do I find the packet loss using Wireshark?

Read More
iPhone and WireShark

How can I sniff packets from my iPhone on my network? can someone give me some instructions? I tried Googling, but nothing teaches how to sniff iPhone packets、 I am on windows.

Read More
Capture incoming traffic in tcpdump

In tcpdump, how can I capture all incoming IP traffic destined to my machine? I don't care about my local traffic. Should I just say: tcpdump ip dst $MyIpAddress and not src net $myIpAddress/$myNetworkBytes ... or am I missing something?

Read More