The Follow Stream feature lets you view the complete conversation between two endpoints in a single, readable window. It reassembles packets into a continuous data stream, making it easier to understand what was exchanged—especially for text-based protocols like HTTP, SMTP, FTP, or IRC.
This is useful when investigating data exfiltration, chat sessions, login attempts, or any kind of back-and-forth communication over TCP or UDP.
How to Use Follow Stream
To view a stream:
- Select a relevant packet
- Right-click the packet
- Choose:
Follow → TCP Stream (or UDP Stream)This opens a separate window showing all data exchanged in that session, color-coded by sender and receiver.
Features of the Stream Window
- Readable format: Shows content as ASCII, Hex, or raw data
- Directional colors: Different colors for client/server traffic
- Filter option: Stream can be isolated using a filter like
tcp.stream eq 3 - Export capability: Save the session contents to a file
You can also switch between different streams using the stream index number.