Wireshark mailing list archives

Re: How source and destination is identified in Wireshark?


From: Guy Harris <guy () alum mit edu>
Date: Fri, 28 Jan 2011 17:47:36 -0800


On Jan 28, 2011, at 5:38 PM, Andrew Hood wrote:

This tends to fail on Windoze,

There's no guarantee that it will succeed, which is the ultimate point:

        1) in the "show me the conversations" tap, Wireshark and TShark *DO NOT IDENTIFY THE SOURCE AND DESTINATION*, belief by anybody to the contrary notwithstanding - it merely chooses which endpoint to put first, based on the guess Ronnie described, which may or may not *correctly* guess which endpoint is the source, and may be more likely to incorrectly guess if the source is running Windows;

        2) there *IS NO MAGIC WAY TO IDENTIFY THE "source" or "destination" OF A TCP CONNECTION AT THE TCP LAYER UNLESS YOU'VE SEEN THE INITIAL SYN OR THE RESPONDING SYN+ACK*;

so asking how Wireshark/TShark magically achieves this impossible goal, in order to determine how to achieve this impossible goal in other code, is a waste of time.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
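
The following is an added example, not part of the original message and not Wireshark or TShark code. It shows what the second point above means in practice when analysing a capture: the initiator of a TCP conversation is reported only when a SYN or SYN+ACK was captured, and is otherwise left unknown instead of guessed. The function names, addresses and ports are assumptions made for the illustration.

```python
import struct
from ipaddress import IPv4Address

SYN, PSH, ACK = 0x02, 0x08, 0x10

def make_packet(src, sport, dst, dport, flags):
    """Build a minimal IPv4+TCP packet (constructed sample; checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp

def parse(pkt):
    """Return ((src, sport), (dst, dport), flags) from a raw IPv4+TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    return (src, sport), (dst, dport), pkt[ihl + 13]

def initiators(packets):
    """Map each conversation to its initiator, or None if no SYN or SYN+ACK was seen."""
    found = {}
    for pkt in packets:
        sender, receiver, flags = parse(pkt)
        conv = frozenset((sender, receiver))   # direction-independent key
        found.setdefault(conv, None)
        if flags & SYN and found[conv] is None:
            # Bare SYN: the sender opened the connection.
            # SYN+ACK: the sender is answering, so the receiver opened it.
            found[conv] = receiver if flags & ACK else sender
    return found

# Constructed capture using documentation address ranges, not real traffic.
SAMPLE = [
    make_packet("192.0.2.10", 49152, "198.51.100.5", 443, SYN),
    make_packet("198.51.100.5", 443, "192.0.2.10", 49152, SYN | ACK),
    make_packet("192.0.2.10", 49152, "198.51.100.5", 443, ACK),
    # Capture started mid-stream: neither SYN nor SYN+ACK is present.
    make_packet("198.51.100.5", 22, "192.0.2.77", 50000, PSH | ACK),
    make_packet("192.0.2.77", 50000, "198.51.100.5", 22, ACK),
    # Only the responding SYN+ACK was captured.
    make_packet("198.51.100.5", 80, "192.0.2.30", 40000, SYN | ACK),
]

if __name__ == "__main__":
    for conv, who in initiators(SAMPLE).items():
        print(sorted(conv), "->", who or "unknown (handshake not captured)")
```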

