It can be very helpful to see a protocol in the way that the application layer sees it. Perhaps you are looking for passwords in a Telnet stream, or you are trying to make sense of a data stream. Maybe you just need a display filter to show only the packets in a TLS or SSL stream. If so, Wireshark’s ability to follow protocol streams will be useful to you.
Simply select a TCP, UDP, TLS, or HTTP packet in the packet list of the stream/connection you are interested in and then select the Follow TCP Stream menu item from the Wireshark Tools menu (or use the context menu in the packet list). Wireshark will set an appropriate display filter and pop up a dialog box with all the data from the TCP stream laid out in order, as shown in Figure 7.1, “The “Follow TCP Stream” dialog box”.
Tip: Following a protocol stream applies a display filter which selects all the packets in the current stream. Some people open the “Follow TCP Stream” dialog and immediately close it as a quick way to isolate a particular stream. Closing the dialog with the “Back” button will reset the display filter if this behavior is not desired.
The stream content is displayed in the same sequence as it appeared on the network. Traffic from A to B is marked in red, while traffic from B to A is marked in blue. If you like, you can change these colors in the “Font and Colors” page in the “Preferences” dialog.
Non-printable characters will be replaced by dots.
The stream content won’t be updated while doing a live capture. To get the latest content you’ll have to reopen the dialog.
You can choose from the following actions:
By default data from both directions is displayed. You can select the
to switch between both, client to server, or server to client data.
You can choose to view the data in one of the following formats:
You can switch between streams using the “Stream” selector.
You can search for text by entering it in the “Find” entry box and pressing
.
The HTTP/2 Stream dialog is similar to the “Follow TCP Stream” dialog, except for an additional “Substream” dialog field. HTTP/2 Streams are identified by an HTTP/2 Stream Index (field name http2.streamid), which is unique within a TCP connection. The “Stream” selector determines the TCP connection whereas the “Substream” selector is used to pick the HTTP/2 Stream ID.
The QUIC protocol is similar: the first number selects the UDP stream index while the “Substream” field selects the QUIC Stream ID.
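The text view described above (payload shown in capture order, a direction selector, dots for non-printable bytes, and a Find box) can be modelled in a few lines. This is an added example, not Wireshark's code. The function names, the addresses and the Telnet-like payloads are constructed for illustration, and keeping tab, CR and LF visible is an assumption of this model.

```python
# Added illustration, not Wireshark source: a simplified model of the
# "Follow Stream" text view. Addresses and payloads below are constructed.
import string

# Bytes shown as-is: printable ASCII plus tab/CR/LF (assumption of this model).
SHOWN = set(string.printable.encode()) - {0x0B, 0x0C}

def render(payload: bytes) -> str:
    """Replace every non-printable byte with a dot."""
    return "".join(chr(b) if b in SHOWN else "." for b in payload)

def follow(segments, show="both"):
    """Return [(direction, text)] in capture order.

    segments: (src, dst, payload) tuples for one stream, in the order
    captured. The sender of the first segment is taken as the client.
    show: "both", "client" (client to server) or "server".
    """
    if not segments:
        return []
    client = segments[0][0]
    chunks = []
    for src, _dst, payload in segments:
        direction = "client" if src == client else "server"
        if not payload or show not in ("both", direction):
            continue  # skip empty segments and the hidden direction
        if chunks and chunks[-1][0] == direction:
            # Consecutive data in one direction is shown as one run.
            chunks[-1] = (direction, chunks[-1][1] + render(payload))
        else:
            chunks.append((direction, render(payload)))
    return chunks

def find(chunks, needle):
    """Indices of chunks containing needle, like the Find box."""
    return [i for i, (_d, text) in enumerate(chunks) if needle in text]

# Constructed Telnet-like exchange (option negotiation bytes, then login).
A, B = "10.0.0.5:50000", "10.0.0.9:23"
SAMPLE = [
    (A, B, b""),                        # handshake segment, no payload
    (B, A, b"\xff\xfd\x18"),            # IAC DO TERMINAL-TYPE
    (B, A, b"login: "),
    (A, B, b"\xff\xfb\x18"),            # IAC WILL TERMINAL-TYPE
    (A, B, b"alice\r\n"),
    (B, A, b"Password: "),
]

if __name__ == "__main__":
    for direction, text in follow(SAMPLE):
        print(f"[{direction}] {text!r}")
```

The Telnet option-negotiation bytes come out as runs of dots next to the readable prompt text, which is why binary protocol framing looks like dots in the dialog's text view.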