Subsetting by stream

There are times you may want to see only the details of a single traffic stream. An easy way to do this in Wireshark is to use the Follow stream option.

First select either a TCP or UDP conversation, right-click and select Follow, and then select the appropriate stream type: TCP, UDP, TLS, or HTTP.

For our example, in the display filter, enter tcp.stream eq 946. It will take a while to filter. Once complete, you will see the contents of the communication stream, which is a web page, as shown in the following screenshot:

Follow the TCP stream 946
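
The following sketch is an added example, not part of the original text or of Wireshark's code. It shows what a stream index such as 946 refers to: each TCP conversation (the pair of address and port endpoints, in either direction) is numbered in order of first appearance, starting at 0. The capture bytes are constructed inline, and the helper names are hypothetical. As simplifying assumptions, it only reads classic little-endian .pcap with Ethernet/IPv4 frames and joins payloads in capture order rather than by sequence number.

```python
import struct

def build_pcap(packets):
    """Constructed sample data: classic pcap, Ethernet link type, IPv4/TCP frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, (src, sport, dst, dport, payload) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def tcp_streams(pcap):
    """Yield (stream_index, raw_record, tcp_payload) for every IPv4/TCP frame."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("only little-endian classic pcap is handled here")
    streams, off = {}, 24                      # skip the 24-byte global header
    while off < len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        record = pcap[off: off + 16 + incl]    # 16-byte record header + frame
        frame = record[16:]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # not IPv4 or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport = struct.unpack_from("!HH", tcp)
        # Direction-independent key: both halves of a conversation share it
        key = frozenset([(frame[26:30], sport), (frame[30:34], dport)])
        idx = streams.setdefault(key, len(streams))
        yield idx, record, tcp[(tcp[12] >> 4) * 4:]

def subset_stream(pcap, wanted):
    """Return a new pcap containing only the records of one stream index."""
    return pcap[:24] + b"".join(r for i, r, _ in tcp_streams(pcap) if i == wanted)

def follow(pcap, wanted):
    """Concatenate the payload bytes of one stream, in capture order."""
    return b"".join(p for i, _, p in tcp_streams(pcap) if i == wanted)

# Constructed capture: two conversations, the first one seen in both directions
SAMPLE = build_pcap([
    ("10.0.0.5", 50000, "192.0.2.10", 80, b"GET / HTTP/1.1\r\n\r\n"),
    ("10.0.0.5", 50001, "192.0.2.20", 443, b"\x16\x03\x01"),
    ("192.0.2.10", 80, "10.0.0.5", 50000, b"HTTP/1.1 200 OK\r\n\r\n<html>"),
])
```

Because the index is assigned per capture file, a stream saved on its own is numbered 0 when the subset is reopened, so record the addresses and ports if you need to refer back to it in the original capture.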

Now that we have reduced the file to a more manageable size by using any of the above methods to subset traffic, the next step is to preserve the file in some way. You can simply save the file in the default .pcapng format, or in any of the many other formats that have been added and enhanced over the years.

As you can see, there are many ways to subset a file to a more practical size. After you have created a smaller file, you will most likely want to save the file to preserve your work. The following section provides various ways to save a file in Wireshark.
