Saving some selected flows in a separate pcap file using Wireshark


I am using Wireshark version 1.6.4. I have the following questions regarding the stream numbers in Wireshark:

1) Why is it that TCP streams use numbers while UDP streams don't? (When I do "Follow TCP Stream" it shows, say, "tcp.stream eq 2", but it is not the same when I do "Follow UDP Stream".)

2) I go to Conversations and I want to save some selected flows (TCP or UDP or both) in a separate pcap file. I thought of using a filter like (tcp.stream eq 4 || tcp.stream eq 2 || udp.stream eq 1) if I want to save 2 TCP flows for these two streams and one UDP flow in a separate pcap file. Now the issue with this approach is that the Conversations window doesn't show the stream numbers, and furthermore UDP streams don't have a stream number. Also, I need to go to the Conversations window first to see which TCP flows to save (say I want to save some flows having maximum bytes exchanged) and then select that flow to see its stream number, and so on for the other flows as well. This is very inconvenient and time-consuming. Is there some better way to do this?

Any help will be greatly appreciated. Thanks a lot.

AudioBubble On BEST ANSWER

2) Conversations window:
- Right-click a TCP or UDP stream and select "Prepare a Filter" | "Selected" | "A <-> B". You can see the display filter in the Filter toolbar.
- Right-click another TCP or UDP stream and select "Prepare as Filter" | "... or Selected" | "A <-> B".
- Right-click the last TCP or UDP stream and select "Apply as Filter" | "... or Selected" | "A <-> B".

Next you can save those 3 streams in a separate capture file.
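
The selection the question asks for (the conversations with the most bytes, TCP and UDP alike) can also be done outside the GUI. The following is an added example, not part of the original answer and not Wireshark code: it keys each packet by a direction-independent address/port pair, the same match as the "A <-> B" filter, and writes the top conversations to a new capture. It assumes a classic pcap file (not pcapng) with Ethernet framing and IPv4; all function names and the sample traffic are constructed for illustration.

```python
import struct
from collections import defaultdict
def read_pcap(data):
    """Split classic pcap bytes into (global_header, [(record_header, frame)])."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    records, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        records.append((data[off:off + 16], data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return data[:24], records

def flow_key(frame):
    """Direction-independent (proto, endpoint, endpoint) key, the 'A <-> B' match."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                      # not IPv4 (VLAN tags and IPv6 are skipped)
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < 18 + ihl:
        return None                      # only TCP (6) and UDP (17) carry ports
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return (proto, *sorted([(frame[26:30], sport), (frame[30:34], dport)]))

def top_flows(data, n):
    """Keys of the n conversations with the most captured bytes, TCP and UDP alike."""
    totals = defaultdict(int)
    for _, frame in read_pcap(data)[1]:
        if (key := flow_key(frame)) is not None:
            totals[key] += len(frame)
    return sorted(totals, key=totals.get, reverse=True)[:n]

def extract_flows(data, keys):
    """Bytes of a new pcap holding only the packets of the selected conversations."""
    header, records = read_pcap(data)
    return header + b"".join(h + f for h, f in records if flow_key(f) in set(keys))

def _frame(proto, src, sport, dst, dport, size):
    """Constructed sample frame: zeroed MACs/checksums, only addresses and ports matter."""
    l4 = struct.pack("!HH", sport, dport) + bytes(16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + size, 0, 0, 64, proto, 0, src, dst)
    return bytes(12) + b"\x08\x00" + ip + l4 + bytes(size)

A, B, C, D = (bytes([10, 0, 0, i]) for i in (1, 2, 3, 4))
FRAMES = [_frame(6, A, 1111, B, 80, 500), _frame(17, A, 5353, C, 53, 300),
          _frame(6, B, 80, A, 1111, 1000), bytes(12) + b"\x08\x06" + bytes(28),  # ARP
          _frame(6, D, 2222, B, 80, 10), _frame(17, C, 53, A, 5353, 400)]
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(FRAMES))  # constructed
```

For a real capture, read the file in binary mode, pass its bytes to `top_flows` and `extract_flows`, and write the returned bytes to a new `.pcap` file that Wireshark can open.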