Re: Filtering sequence numbers between concurrent incoming TCP transmissions

[Jeff Bruns <jeff.bruns () gmail com>]

Richard-
Thank you, you answered my question. I had entirely overlooked the TCP
sender's port number, having not occurred at the time that the port number
will differ from message to message. Brain hiccup.

And as expected, the TCP port number of the first message is 54823, the
second message 54824.

Thanks for the help.

Jeff Bruns

On Mon, May 3, 2010 at 7:50 AM, Richard Bejtlich <taosecurity () gmail com>wrote:

> On Sun, May 2, 2010 at 9:21 PM, Jeff Bruns <jeff.bruns () gmail com> wrote:
> > Greetings-
> > I've been using Wireshark to analyze network traffic that's being parsed
> by
> > a network sniffing perl application. My recent problem is that I've
> > discovered 2 incoming messages, occuring within nanoseconds of each
> other. I
> > suspect that my network sniffer is trying to reassemble some or all of
> the
> > packets of both messages into a single message. Obviously the packets
> from
> > both of these transmissions adhere to one of two sequence number schemes,
> > depending on which message they belong to.
>
> Hello,
>
> Do you mean to say you have two TCP segments, such that
>
> Msg 1: Src IP A Src Port B -> Dst IP C Dst Port D
>
> and
>
> Msg 2: Src IP A Src Port B -> Dst IP C Dst Port D
>
> ?
>
> In other words, you expect your application to differentiate between
> segments based on sequence number alone?
>
> Sincerely,
>
> Richard
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe