
Wireshark-users: Re: [Wireshark-users] follow stream by tcp sequence numbers?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 14 Jul 2008 16:14:00 -0700

On Jul 14, 2008, at 9:01 AM, Fender, Brian wrote:

I'm trying to debug a problem where a small percentage of certain HTTP transactions are being reset unexplainably. There is a load balancer between the client and server performing source NAT, plus other network devices along the route. I reproduced the problem while capturing with tcpdump from the client, load balancer, and server in parallel. I merged all three captures together and am trying to isolate individual bad requests across all three viewpoints. It seems that "Follow TCP Stream" only looks at IP and port numbers,

I.e., it follows the TCP stream, defined by the endpoints of the TCP connection.

so it only follows the portion of the transaction up to address translation.

Is there any way to isolate a transaction based on TCP sequence numbers only (or any other reliable method you might know of)?

You can find all TCP packets with a given range of sequence numbers with, for example:

	tcp.seq >= 358236700 && tcp.seq <= 358236800

but that will, in effect, find only one side.
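The sequence-number filter quoted above matches only the direction whose segments carry those sequence numbers. Since source NAT rewrites addresses and ports but not TCP sequence numbers, the other direction of the same connection can be recovered by matching the acknowledgement number against the same range. The following script is an added example, not code from the thread or from Wireshark: a minimal Ethernet/IPv4/TCP parser plus a matcher that keeps every segment whose seq or ack falls in the client's range, run over a constructed "merged capture" from three vantage points. It assumes the load balancer only NATs (a full TCP proxy would renumber the server-side connection and break the correlation); the addresses, ports and sequence numbers are made up.

```python
"""Correlate one TCP transaction across a source-NAT hop using seq/ack numbers.

Added example; not from the mailing-list thread. Assumes the load balancer
rewrites addresses/ports only and leaves TCP sequence numbers untouched.
All frames below are constructed test data.
"""
import struct
from ipaddress import IPv4Address

SEQ_MODULUS = 1 << 32  # TCP sequence numbers wrap at 2^32


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags=0x18, payload=b""):
    """Build an Ethernet/IPv4/TCP frame (checksums left zero; constructed data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    return eth + ip + tcp


def parse_frame(frame):
    """Return the IP/TCP fields we need, or None if the frame is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport, seq, ack, off = struct.unpack("!HHIIB", tcp[:13])
    data_off = (off >> 4) * 4
    return {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "payload": tcp[data_off:]}


def in_range(value, lo, hi):
    """True if value lies in [lo, hi] under 32-bit wraparound arithmetic."""
    return (value - lo) % SEQ_MODULUS <= (hi - lo) % SEQ_MODULUS


def matches_transaction(pkt, lo, hi):
    """Client->server data has seq in range; server->client replies ack into it."""
    return in_range(pkt["seq"], lo, hi) or in_range(pkt["ack"], lo, hi)


def correlate(capture, lo, hi):
    """Return (vantage, parsed_packet) for every segment of the transaction."""
    hits = []
    for vantage, frame in capture:
        pkt = parse_frame(frame)
        if pkt is not None and matches_transaction(pkt, lo, hi):
            hits.append((vantage, pkt))
    return hits


# Constructed merged capture: same request seen before and after SNAT, plus the
# server's reply and one unrelated connection that must not match.
LO, HI = 358236700, 358236800
REQUEST = b"GET / HTTP/1.1\r\n\r\n"  # 18 bytes, so the server acks seq + 18
MERGED_CAPTURE = [
    ("client", build_frame("10.0.0.5", "203.0.113.10", 40000, 80, 358236700, 5000, payload=REQUEST)),
    ("loadbalancer", build_frame("192.168.1.2", "192.168.1.20", 51000, 80, 358236700, 5000, payload=REQUEST)),
    ("server", build_frame("192.168.1.20", "192.168.1.2", 80, 51000, 5000, 358236718, payload=b"HTTP/1.1 200 OK\r\n")),
    ("server", build_frame("192.168.1.20", "192.168.1.2", 80, 51001, 7000, 1000, payload=b"HTTP/1.1 200 OK\r\n")),
]

if __name__ == "__main__":
    for vantage, pkt in correlate(MERGED_CAPTURE, LO, HI):
        print(f"{vantage:13s} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} "
              f"seq={pkt['seq']} ack={pkt['ack']} {pkt['payload'][:16]!r}")
```

The same idea in a Wireshark display filter is `(tcp.seq >= 358236700 && tcp.seq <= 358236800) || (tcp.ack >= 358236700 && tcp.ack <= 358236800)`. One caveat: with the "relative sequence numbers" TCP preference enabled (the default), `tcp.seq` and `tcp.ack` compare the relative values Wireshark displays, so absolute numbers taken from tcpdump will not match until that preference is turned off.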