Re: Following streams across multiple files

[Martin Visser <martinvisser99 () gmail com>]

Not really.

You have two options though. One is simple to merge all of the capture files
and the use follow TCP stream then over that merged capture. But of course
the reason you have separate files might well be for size reasons, so
joining them might not be practical.

The second is for you to identify what makes a stream and use that. For a
stream (in a general sense) is identified by a tuple (a set) of the source
and destination IP addresses and TCP ports. In older versions of wireshark
when you did "Follow TCP stream" it would prepare a display filter with this
tuple and display it, as below

(ip.addr eq 192.168.0.118 and ip.addr eq 212.58.253.70) and (tcp.port eq
43047 and tcp.port eq 80)

Now if you then copied this display filter, and then opened a different
capture file it, it could then be used as a display filter to show the  same
stream.

Now in newer versions of Wireshark (I'm not sure exactly when this
appeared), when you "Follow TCP Stream", you now get a display filter
something like:-

tcp.stream eq 54

Now for most purposes this makes it easier to select and remember different
streams, the "tcp.stream" is a generated field that only has relevance to
the capture file loaded. Basically for every new TCP stream that wireshark
decodes (based on each unique source and dest IP and TCP port tuple) it
generates a new TCP stream. And of course each capture file will almost
certainly have different streams and probably appearing in different order.
The only easy way that I can see to create a display filter that references
a particular stream across different captures (in the newer Wireshark
versions)  is unfortunately going to need to be done manually and would
follow the first format I mentioned.



Regards, Martin

MartinVisser99 () gmail com


On Sat, Oct 10, 2009 at 12:01 PM, Ray Simard <rhs.wshark () sylvan-glade com>wrote:

> Is there a way to follow a TCP (or other) stream over a file set?  This
> feature is completely new to me so I'm not well versed in it, but I
> haven't seen anything about it in the docs so far.
>
> I've been able to assemble streams from multiple files by saving them
> separately and then concatenating them, using IP addresses and port
> number to identify them, but if there's an easier way I'd love to find
> out about it.
>
> Thanks,
> Ray
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe