Wireshark mailing list archives
Re: How source and destination is identified in Wireshark?
From: Berkay Celik <argusflow () gmail com>
Date: Mon, 24 Jan 2011 23:18:50 -0500
Guy, thanks for the answer but i'm not satisfied. When you get the conversation list using the tshark, even if there are partial conversations (no Syn or 3-way handshake is not observed) commonly tshark gives the correct results, i need more detail or reference to delve into this topic which i will use for packet analysis in my program...
thanks. On 1/24/2011 10:55 PM, Guy Harris wrote:
On Jan 24, 2011, at 7:31 PM, Berkay Celik wrote:If there is a syn bit set seen from an endpoint, this is the source.Presumably you mean "if there is a SYN bit, *and no ACK bit*, seen from an endpoint, this is a packet coming from the machine trying to start the TCP connection" (i.e., that by "source" you mean the machine that's trying to start the connection, and that this applies only to the initial SYN, not the the SYN+ACK you get back from the machine to which you're trying to connect).I am curious about if wireshark defines in some other waysDoes Wireshark even define the "source" and "destination" of a TCP connection? A packet trace might not have the three-way handshake, so it might not be possible to determine, at the TCP layer, what the source and destination of a connection are.Wireshark *does* identify the source and destination of a packet at various layers, including the IP layer, but those are defined fairly straightforwardly by the protocol.or only the syn bit is enough to identify the source and destination?*If* you see either the initial SYN or the SYN+ACK, that's sufficient to identify the "source" and "destination" of a TCP connection, where "source" is "the endpoint that tried to connect" and "destination" is "the endpoint to which the connection was attempted". For other transport layers, there might be other definitions, or there might not be any definition of "source" and "destination" at the transport layer (consider UDP, for example).Secondly,if my traces has are partial conversations, not any syn bit is seen, which one is the source and destination? port numbers can be used to determine them but what if both port numbers makes sense.If both port numbers make sense as the "server" port number, then there is absolutely no way to determine, at the transport layer, which endpoint is the "source" ("client") and which endpoint is the "destination" ("server"). That would have to be determined at a higher layer, for example at the layer of the protocol running *atop* TCP - a request packet is presumably going from "source"/"client" to "destination"/"server", and a response packet is presumably going the other way.Of course, if a protocol is peer-to-peer, so that *either* side can send a request or reply to a request, even that won't work.___________________________________________________________________________ Sent via: Wireshark-users mailing list<wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- How source and destination is identified in Wireshark? Berkay Celik (Jan 24)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 24)
- Re: How source and destination is identified in Wireshark? Berkay Celik (Jan 24)
- Re: How source and destination is identified in Wireshark? Martin Visser (Jan 24)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 28)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 28)
- Re: How source and destination is identified in Wireshark? ronnie sahlberg (Jan 28)
- Re: How source and destination is identified in Wireshark? Andrew Hood (Jan 28)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 28)
- tcp.time_delta column with tshark vincent paul (Jan 29)
- Re: tcp.time_delta column with tshark j.snelders (Jan 29)
- Re: tcp.time_delta column with tshark Sake Blok (Jan 29)
- Re: tcp.time_delta column with tshark j.snelders (Jan 29)
- Re: How source and destination is identified in Wireshark? Berkay Celik (Jan 24)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 24)