Follow the tcp stream - Where does the Stream Index field come from?

Question

Follow the tcp stream - Where does the Stream Index field come from?

Wireshark has a feature called "follow tcp stream", under the "Analyze" menu item.

When I use it, a screen capture filter is created, for example:

tcp.stream eq 1

Where does this index come from?

I can not find any field in the package containing it ...

+6

wireshark packet packet-capture

pcent May 20, '11 at 19:47

source share

2 answers

Thread indices are internal Wireshark. It simply uses a number to uniquely identify a TCP stream.

+2

yan May 20, '11 at 19:49

source share

rupello · Accepted Answer · 2011-05-20T20:41:13+0000

the stream index is an internal Wireshark conversion for: [IP address A, TCP port A, IP address B, TCP port B]

All packets for the same tcp.stream value must have the same values for these fields (although src / dest will be switched for packets A-> B and B-> A)

see the Statistics / Conversations / TCP tab in Wireshark for a summary of these flows

Follow the tcp stream - Where does the Stream Index field come from?

More articles: