When capturing traffic, Wireshark keeps track of all the streams. In a file the size of BigFlows.pcap, there will be many TCP and UDP streams. Although we can filter on any of the streams, for now, let's use TCP stream 312, as this includes the handshake, options, data, and then the FIN exchange to end the session.

To show only stream 312, go to the display filter and enter tcp. stream eq 312, and then press Enter. Because this is such a large file, it will take Wireshark several seconds to run the filter. Once you are done, you will see an example of a complete TCP stream, as shown here:

Now that we have a single isolated stream, we'll want to subset the capture and save it as a smaller file. To subset only TCP stream 312, go to File | Export Specified Packets.

This will open a dialog box that offers various ways to export specified packets, as shown in the graphic:

Near the bottom of the dialog box, you will see a header, Packet Range, where you will make your selections. If you have filtered the capture, Wireshark will assume that you would like to export only the displayed packets, and the radio button for Displayed will be active. 

Select All Packets and Displayed, as shown in the screenshot, and then save as Flow312.pcapng.

Close Bigflows.pcap and clear the display filter, and then open the newly created file. In the next section, let's zero in on the handshake and examine each of the packets exchanged.