Wireshark has a that feature called "follow tcp stream", under the menu item "Analyze".
When I use it, a screen capture filter is generated, something like:
tcp.stream eq 1
Where does this index come from?
I can't find any field in the packet that contains it...
the stream index is an internal Wireshark mapping to: [IP address A, TCP port A, IP address B, TCP port B]
All the packets for the same tcp.stream value should have the same values for these fields (though the src/dest will be switched for A->B and B->A packets)
see the Statistics/Conversations/TCP tab in Wireshark to show a summary of these streams
Stream indexes are Wireshark-internal. It just uses a number to uniquely identify a TCP stream.
Besides having same source and destination IPs and ports, packages within a stream conform a whole open-transmit-close communication sequence. So I guess Wireshark internally creates a new stream ID when SYN-ed package arrives and keeps track of all packages in this dialogue until both ends finish it (FIN/RST flags).
Filtering packages with tcp.stream filter is very useful to analyze a particular sequence.
