How to easily locate a specific TCP conversation in two separate (and large) packet captures using Wireshark


Occasionally, I'll need to compare packet captures (usually Wireshark or tcpdump) that are collected from both sides of a TCP conversation. Sometimes the two hosts involved are very "chatty", so I'll need to narrow down the capture to just a specific session.

I'll usually do this by looking in the details column of Wireshark for something that looks familiar, right-clicking on that packet, and selecting Follow TCP Stream. That's all well and good, but how can I find the same equivalent stream in the other packet capture? Does Wireshark support searching for a stream ID of some sort?

Best Answer

Statistics > Conversations seems very similar to what you want; there you can do "Apply as filter" to the streams listed.

If you know the stream index number you can put in the filter: tcp.stream eq 5

You should check out ask.wireshark.org where I found:

How does Wireshark calculate the TCP stream index?

How can I view stream lists
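
An added example, not part of the original answer: Wireshark assigns `tcp.stream` numbers per capture file in order of first appearance, so an index found in one capture usually does not identify the same conversation in the other. This sketch uses `tshark` to turn a stream index from capture A into an address/port filter and then lists the matching stream index(es) in capture B. The function names are hypothetical, and it assumes IPv4 and no NAT between the two capture points.

```shell
#!/bin/sh
# Added example: locate the same TCP conversation in a second capture.

# Build a direction-agnostic display filter from "src_ip sport dst_ip dport".
build_filter() {
    set -- $1    # split the single argument on whitespace (tshark emits tabs)
    if [ "$#" -ne 4 ]; then
        echo "build_filter: need src_ip sport dst_ip dport" >&2
        return 1
    fi
    printf '(ip.src==%s && tcp.srcport==%s && ip.dst==%s && tcp.dstport==%s) || (ip.src==%s && tcp.srcport==%s && ip.dst==%s && tcp.dstport==%s)\n' \
        "$1" "$2" "$3" "$4" "$3" "$4" "$1" "$2"
}

# Print the 4-tuple of the first packet of stream index $2 in capture $1.
tuple_of_stream() {
    case $2 in
        ''|*[!0-9]*) echo "tuple_of_stream: index must be numeric" >&2; return 1 ;;
    esac
    tshark -r "$1" -Y "tcp.stream eq $2" -T fields \
        -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | head -n 1
}

# same_stream A.pcap INDEX B.pcap -> stream index(es) of that conversation in B.
# More than one index means the same address/port pair was reused later.
same_stream() {
    tuple=$(tuple_of_stream "$1" "$2") || return 1
    filter=$(build_filter "$tuple") || return 1
    echo "filter for capture B: $filter" >&2
    tshark -r "$3" -Y "$filter" -T fields -e tcp.stream | sort -un
}

# Run only when called as: script A.pcap INDEX B.pcap
if [ "$#" -eq 3 ]; then
    same_stream "$@"
fi
```

The filter printed on stderr can be pasted into Wireshark's display filter bar for capture B, and each number printed on stdout can be used there as `tcp.stream eq N`.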
