0
votes

I'm trying to build my filter in Wireshark to filter out unwanted packets. Currently the filter looks like:

!(http.request.method == POST) && !(http or frame contains "aa" || http or frame contains "bb") && !(http.response.code == 404 or http.response.code == 301 or http.response.code == 302 or http.response.code == 303)

which means: "show any traffic except: packets with an HTTP POST method, packets whose payload contains the strings "aa" or "bb", and packets with response codes 404, 301, 302 or 303"

And from my standpoint this filter works correctly: many packets are filtered out and I'm able to see only the most important packets. But now I would like to use "Follow TCP stream" on the remaining most important packets. When I try to use the "Follow TCP stream" option, Wireshark looks for the TCP stream in the whole pcap file instead of in the most important packets left after filtering.

In summary, I don't want to do "Follow TCP stream" for the filtered-out packets, just for the packets remaining after filtering.

How can I resolve this issue?


2 Answers

0
votes

"Follow TCP Stream" can only follow an entire TCP connection; it cannot show only data from selected packets from that connection. If you want the ability to show data from some but not all packets in a TCP connection, you would have to request that as an enhancement on the Wireshark Bugzilla.

As a workaround, you might be able to save the remaining packets to a file and open that file, and then try "Follow TCP Stream" on the packets in that file.
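The workaround above, scripted with tshark as an added example (not code from the question or either answer): the display filter written from the question's prose with explicit grouping, the surviving packets exported to a new capture, and each remaining TCP stream followed inside that reduced file. It assumes tshark is on PATH; the in.pcap/out.pcap names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Q&A: implement "save the remaining packets to a
# file and follow the stream there" with tshark, so that Follow only ever
# sees packets that survived the display filter.
# Assumes tshark is on PATH; in.pcap / out.pcap are hypothetical file names.
set -eu

# Build the "exclude these response codes" clause from a list of codes, e.g.
# exclude_codes 404 301 -> !(http.response.code == 404 || http.response.code == 301)
exclude_codes() {
    clause=""
    for code in "$@"; do
        clause="${clause:+$clause || }http.response.code == $code"
    done
    printf '!(%s)' "$clause"
}

# The filter described in the question, with explicit grouping: drop POSTs,
# drop frames whose bytes contain "aa" or "bb", drop the listed response codes.
build_filter() {
    printf '!(http.request.method == "POST") && !(frame contains "aa" || frame contains "bb") && %s' \
        "$(exclude_codes 404 301 302 303)"
}

# Step 1 of the workaround: write only the packets that pass the display
# filter (-Y) into a new capture file (-w). Dropped segments are gone for good.
export_kept_packets() { # in.pcap out.pcap "display filter"
    tshark -r "$1" -Y "$3" -w "$2"
}

# Which TCP stream indexes are still present in the reduced capture.
list_streams() { # pcap
    tshark -r "$1" -Y tcp -T fields -e tcp.stream | sort -n -u
}

# Step 2: follow one stream inside the reduced capture. Because the dropped
# segments are missing, the follow output has holes where they were; it is
# not a per-packet view of the original connection.
follow_stream() { # pcap stream-index
    tshark -r "$1" -q -z "follow,tcp,ascii,$2"
}

# Usage: ./follow_filtered.sh in.pcap out.pcap
if [ "$#" -eq 2 ]; then
    export_kept_packets "$1" "$2" "$(build_filter)"
    for s in $(list_streams "$2"); do
        printf '=== tcp.stream %s ===\n' "$s"
        follow_stream "$2" "$s"
    done
fi
```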

0
votes

Unfortunately you can only "Follow TCP Stream" an entire TCP connection, with all the packets from the connection.

The only available filtering on a TCP stream is the ability to see a specific direction of the TCP stream:

  • From A -> B
  • From B -> A

This option can be selected in the "Follow TCP Stream" dialog box.