Wireshark mailing list archives
Re: How source and destination is identified in Wireshark?
From: Martin Visser <martinvisser99 () gmail com>
Date: Tue, 25 Jan 2011 16:26:09 +1000
Berkay, Each IP packet has a source and destination IP address. When using "tshark -z conv,ip" you get output something like as follows IPv4 Conversations Filter:<No Filter> | <- | | -> | | Total | | Frames Bytes | | Frames Bytes | | Frames Bytes | 1.1.1.1 <-> 2.2.2.2 9 1746 9 594 18 2340 So ..... 9 and 1746 refer to traffic from 2.2.2.2 being sent to 1.1.1.1 9 and 594 refers to traffic from 1.1.1.1 being sent to 2.2.2.2 and 18 & 2340 is simply the sum of the two. (For "tshark -z conv,tcp" you simply get a conversation per port & IP pair TCP Conversations Filter:<No Filter> | <- | | -> | | Total | | Frames Bytes | | Frames Bytes | | Frames Bytes | 1.1.1.1:60838 <-> 2.2.2.2:ssh 7 1358 7 462 14 1820 So, I'm not sure what question you need answered. Obviously tshark must decide to display the conversation as "1.1.1.1:60838 <-> 2.2.2.2:ssh" or " 2.2.2.2:ssh <-> 1.1.1.1:60838". To be honest it is pretty arbitrary in my opinion, but from what it seems , it is just based on the first packet seen. Regards, Martin MartinVisser99 () gmail com On 25 January 2011 14:18, Berkay Celik <argusflow () gmail com> wrote:
Guy, thanks for the answer but i'm not satisfied. When you get the conversation list using the tshark, even if there are partial conversations (no Syn or 3-way handshake is not observed) commonly tshark gives the correct results, i need more detail or reference to delve into this topic which i will use for packet analysis in my program... thanks. On 1/24/2011 10:55 PM, Guy Harris wrote: On Jan 24, 2011, at 7:31 PM, Berkay Celik wrote: If there is a syn bit set seen from an endpoint, this is the source. Presumably you mean "if there is a SYN bit, *and no ACK bit*, seen from an endpoint, this is a packet coming from the machine trying to start the TCP connection" (i.e., that by "source" you mean the machine that's trying to start the connection, and that this applies only to the initial SYN, not the the SYN+ACK you get back from the machine to which you're trying to connect). I am curious about if wireshark defines in some other ways Does Wireshark even define the "source" and "destination" of a TCP connection? A packet trace might not have the three-way handshake, so it might not be possible to determine, at the TCP layer, what the source and destination of a connection are. Wireshark *does* identify the source and destination of a packet at various layers, including the IP layer, but those are defined fairly straightforwardly by the protocol. or only the syn bit is enough to identify the source and destination? *If* you see either the initial SYN or the SYN+ACK, that's sufficient to identify the "source" and "destination" of a TCP connection, where "source" is "the endpoint that tried to connect" and "destination" is "the endpoint to which the connection was attempted". For other transport layers, there might be other definitions, or there might not be any definition of "source" and "destination" at the transport layer (consider UDP, for example). Secondly, if my traces has are partial conversations, not any syn bit is seen, which one is the source and destination? port numbers can be used to determine them but what if both port numbers makes sense. If both port numbers make sense as the "server" port number, then there is absolutely no way to determine, at the transport layer, which endpoint is the "source" ("client") and which endpoint is the "destination" ("server"). That would have to be determined at a higher layer, for example at the layer of the protocol running *atop* TCP - a request packet is presumably going from "source"/"client" to "destination"/"server", and a response packet is presumably going the other way. Of course, if a protocol is peer-to-peer, so that *either* side can send a request or reply to a request, even that won't work. ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- How source and destination is identified in Wireshark? Berkay Celik (Jan 24)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 24)
- Re: How source and destination is identified in Wireshark? Berkay Celik (Jan 24)
- Re: How source and destination is identified in Wireshark? Martin Visser (Jan 24)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 28)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 28)
- Re: How source and destination is identified in Wireshark? ronnie sahlberg (Jan 28)
- Re: How source and destination is identified in Wireshark? Andrew Hood (Jan 28)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 28)
- tcp.time_delta column with tshark vincent paul (Jan 29)
- Re: tcp.time_delta column with tshark j.snelders (Jan 29)
- Re: tcp.time_delta column with tshark Sake Blok (Jan 29)
- Re: tcp.time_delta column with tshark j.snelders (Jan 29)
- Re: tcp.time_delta column with tshark vincent paul (Jan 29)
- Re: How source and destination is identified in Wireshark? Berkay Celik (Jan 24)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 24)