The first column I add to every one of my custom Wireshark profiles is a "stream" column - a single column that indicates the index number of each TCP and UDP stream in the trace file.
What is a Stream?
A stream is essentially a socket-to-socket conversation. When you open the Statistics > Conversations window and click on either the TCP or UDP tab, you are looking at streams.
How Does it Help during Analysis?
So many conversations are intertwined in our trace files. This one column helps you tell them apart at a glance. In addition, you can click and drag any cell of this new column to the display filter area for a fast conversation filter.
Wireshark counts TCP and UDP streams separately, numbering each from 0 in the order in which the conversation first appears in the trace file, and records the number in the tcp.stream and udp.stream fields inside each header.
The TCP Stream Index Field
The TCP stream index field is located below the TCP port fields in the TCP header. It appears in square brackets because it is a value Wireshark generates, not a field carried on the wire. Click and drag this field up to the Packet List pane column heading area.
The UDP Stream Index Field
The UDP stream index field is located directly below Wireshark's Checksum Status field in the UDP header, again in square brackets.
You already created a TCP stream index column - now you are going to add UDP streams to that same column. Right-click on your TCP stream index column header and select Edit Column. In the Fields area, append || udp.stream to your existing column field, so the column shows whichever of the two fields a packet has.
Your final column should be based on tcp.stream || udp.stream.
Use Your New Stream Index Column
Now as you are working away in trace files, that new column will help you differentiate the various conversations that are intertwined. In the image below, we can see we have a lot of UDP conversations and just a few TCP conversations so far in the trace file.
If we want to apply a quick filter to focus on a conversation, we can simply click and drag any stream index number listed up to the display filter area. Wireshark builds the filter from the field that populated that cell (tcp.stream == N or udp.stream == N), so a TCP stream and a UDP stream that happen to share the same number are never mixed up, even though both display as the same digit in the column.
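To make the rules above concrete, here is an added example, not code from the original post or from Wireshark itself, that re-implements stream numbering the way the post describes it: a stream is a socket-to-socket conversation identified by the unordered pair of endpoints plus the transport protocol, TCP and UDP are numbered separately from 0 in order of first appearance, the tcp.stream || udp.stream column shows whichever field a frame has, and dragging a cell to the filter bar yields a filter on the field that populated it. The trace is a constructed list of seven frames, not a real capture, and every function name here is the example's own.

```python
"""Added example: emulate Wireshark's tcp.stream / udp.stream numbering,
the custom column 'tcp.stream || udp.stream', and the drag-to-filter step.
Not Wireshark code; a small model of the behaviour described in the post."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    number: int   # frame.number
    proto: str    # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed sample trace (not a real capture): two DNS lookups and two
# TLS connections, interleaved the way they usually are in a real file.
SAMPLE_TRACE: List[Packet] = [
    Packet(1, "UDP", "10.0.0.5", 53210, "10.0.0.1", 53),
    Packet(2, "UDP", "10.0.0.1", 53, "10.0.0.5", 53210),
    Packet(3, "TCP", "10.0.0.5", 49152, "93.184.216.34", 443),
    Packet(4, "UDP", "10.0.0.5", 53211, "10.0.0.1", 53),
    Packet(5, "TCP", "93.184.216.34", 443, "10.0.0.5", 49152),
    Packet(6, "TCP", "10.0.0.5", 49153, "93.184.216.34", 443),
    Packet(7, "UDP", "10.0.0.1", 53, "10.0.0.5", 53211),
]


def conversation_key(pkt: Packet) -> Tuple[str, Tuple[str, int], Tuple[str, int]]:
    """Socket-to-socket conversation, independent of direction:
    A:p1 -> B:p2 and B:p2 -> A:p1 map to the same key."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto, min(a, b), max(a, b))


def assign_stream_indices(packets: List[Packet]) -> Dict[int, Tuple[str, int]]:
    """Map frame number -> (proto, stream index), like tcp.stream / udp.stream:
    one counter per protocol, numbered from 0 in order of first appearance.
    Simplification (assumption about what is left out): Wireshark can also open
    a new TCP stream index when a fresh SYN reuses a port pair whose earlier
    connection already closed; that is not modelled here."""
    next_index = {"TCP": 0, "UDP": 0}
    seen: Dict[tuple, int] = {}
    out: Dict[int, Tuple[str, int]] = {}
    for pkt in packets:
        key = conversation_key(pkt)
        if key not in seen:
            seen[key] = next_index[pkt.proto]
            next_index[pkt.proto] += 1
        out[pkt.number] = (pkt.proto, seen[key])
    return out


def stream_column(packets: List[Packet]) -> Dict[int, str]:
    """Emulate the custom column 'tcp.stream || udp.stream': each cell shows
    whichever field the frame has. The protocol is not part of the cell text,
    so tcp.stream 0 and udp.stream 0 both display as '0'."""
    return {n: str(idx) for n, (_, idx) in assign_stream_indices(packets).items()}


def filter_for_cell(packets: List[Packet], frame: int) -> str:
    """The display filter produced by dragging that frame's cell to the
    filter bar: built from the field that populated the cell."""
    proto, idx = assign_stream_indices(packets)[frame]
    return f"{proto.lower()}.stream == {idx}"


def apply_filter(packets: List[Packet], display_filter: str) -> List[int]:
    """Tiny evaluator for filters of the form 'tcp.stream == N' / 'udp.stream == N';
    returns the matching frame numbers."""
    field, _, value = display_filter.split()
    want = (field.split(".")[0].upper(), int(value))
    indices = assign_stream_indices(packets)
    return [p.number for p in packets if indices[p.number] == want]


if __name__ == "__main__":
    col = stream_column(SAMPLE_TRACE)
    for p in SAMPLE_TRACE:
        print(f"{p.number:>2} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  stream={col[p.number]}")
    flt = filter_for_cell(SAMPLE_TRACE, 5)
    print(flt, "->", apply_filter(SAMPLE_TRACE, flt))
```

Running it prints frames 1 and 2 as stream 0, frame 3 as stream 0 and frame 4 as stream 1, which is exactly the ambiguity the column shows in practice: the digit alone does not tell you the protocol, but the filter built from frame 5's cell is tcp.stream == 0 and matches only frames 3 and 5. On a real capture you can pull the same two fields from the command line with tshark -r trace.pcapng -T fields -e frame.number -e tcp.stream -e udp.stream.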
Consider building a profile that contains your favorite default settings (columns, buttons, filters, etc.) and using it as the template for every new profile: copy that profile and rename the copy. That's a quick way to ensure new profiles start with your favorite settings, including this stream column.
Enjoy!