wireshark_follow_stream
Reassemble and view complete network stream content from PCAP files with pagination, search, and multiple output formats to analyze protocols like TCP, UDP, TLS, HTTP, and HTTP2.
Instructions
[Stream] Reassemble and view complete stream content. Supports pagination to avoid token limits.
Args:
    stream_index: Stream ID from conversations/stats
    protocol: Stream protocol - 'tcp', 'udp', 'tls', 'http', 'http2'
    output_mode: Output format - 'ascii', 'hex', 'raw'
    limit_lines: Max lines to return (default: 500)
    offset_lines: Skip first N lines (for pagination)
    search_content: Optional string to grep/search within the stream
Returns: Reconstructed stream data or JSON error
Errors:
    FileNotFound: pcap_file does not exist
    InvalidParameter: Invalid protocol
Example: wireshark_follow_stream("traffic.pcap", stream_index=0, search_content="password")
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| pcap_file | Yes | | |
| stream_index | Yes | | |
| protocol | No | | tcp |
| output_mode | No | | ascii |
| limit_lines | No | | |
| offset_lines | No | | |
| search_content | No | | |