Wireshark mailing list archives
Re: How source and destination is identified in Wireshark?
From: Guy Harris <guy () alum mit edu>
Date: Fri, 28 Jan 2011 10:55:34 -0800
On Jan 24, 2011, at 8:18 PM, Berkay Celik wrote:
Guy, thanks for the answer, but I'm not satisfied. When you get the conversation list using tshark, even if there are partial conversations (no SYN, or the 3-way handshake is not observed), tshark commonly gives the correct results,
What do you mean by "When you get the conversation list using the tshark"? Are you referring to "-z conv,tcp"? If so,
then the only results you get involve the endpoints as IP address:port; TShark does *NOT* mark one endpoint as the
source and another endpoint as the destination:
TCP Conversations
Filter:<No Filter>
                                                |       <-      | |       ->      | |     Total     |
                                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
AAA.BBB.CCC.DDD:1355 <-> XXX.YYY.ZZZ.WWW:139         14    4332      15    6018      29   10350
AAA.BBB.CCC.DDD:1819 <-> MMM.NNN.OOO.PPP:80          12   13565      11     898      23   14463
AAA.BBB.CCC.DDD:1839 <-> EEE.FFF.GGG.HHH:80           7    5830       6     673      13    6503
(IP addresses obscured here, but that's the output from TShark). It has *NOT* identified AAA.BBB.CCC.DDD as the source
and XXX.YYY.ZZZ.WWW as the destination in the first of those conversations; AAA.BBB.CCC.DDD happens to be the source
address, and XXX.YYY.ZZZ.WWW happens to be the destination address of the first packet in that TCP connection in the
capture, but there is *NO* guarantee that the first packet in the capture is going from the machine that initiated the
connection. There are reasons why it's *likely* that it is, but it is not *guaranteed*.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
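The point above, that "tshark -z conv,tcp" only lists endpoint pairs and the left-hand endpoint is simply the source of the first packet seen, is easy to demonstrate on a capture that starts mid-connection. The script below is an added example written for this page; it is not part of the thread and not Wireshark or TShark code. It fabricates a small in-memory capture (three IPv4/TCP conversations built with struct, no checksums, no Ethernet header; all addresses and ports are made up), aggregates frames and bytes per endpoint pair the way the conv table does, and then works out the initiator from the handshake flags where they are present. Where no SYN or SYN/ACK was captured at all, it falls back to a port heuristic (higher port assumed to be the client) and labels the answer as a guess; that heuristic is an assumption of the example, not something TShark does.

```python
"""Rebuild tshark-style TCP conversation totals from raw IPv4/TCP packets and
determine which endpoint initiated each connection from the handshake flags,
rather than from the order in which endpoints first appear in the capture."""
import socket
import struct

TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def build_packet(src, sport, dst, dport, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet (no options, checksums left zero).
    Only used to fabricate the constructed sample capture below."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Return (src, sport, dst, dport, flags, length) for an IPv4/TCP packet, else None."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return src, sport, dst, dport, raw[ihl + 13], len(raw)


def conversations(packets):
    """Group packets by unordered endpoint pair, as 'tshark -z conv,tcp' does.
    'left' is nothing more than the source of the first packet seen for the pair."""
    convs = {}
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        src, sport, dst, dport, flags, length = parsed
        a, b = (src, sport), (dst, dport)
        conv = convs.setdefault(frozenset((a, b)), {
            "left": a, "right": b,
            "frames": {a: 0, b: 0}, "bytes": {a: 0, b: 0},
            "syn_from": None, "synack_from": None})
        conv["frames"][a] += 1
        conv["bytes"][a] += length
        if flags & TCP_SYN:
            # A bare SYN identifies the initiator; a SYN/ACK identifies the responder.
            conv["synack_from" if flags & TCP_ACK else "syn_from"] = a
    return convs


def initiator(conv):
    """Decide who opened the connection. Returns (endpoint, confidence note)."""
    if conv["syn_from"] is not None:
        return conv["syn_from"], "certain: SYN seen"
    if conv["synack_from"] is not None:
        responder = conv["synack_from"]
        peer = conv["right"] if responder == conv["left"] else conv["left"]
        return peer, "certain: inferred from SYN/ACK"
    # No handshake in the capture at all. Assumption of this example: the endpoint
    # with the higher port is probably the client. Say so instead of hiding it.
    left, right = conv["left"], conv["right"]
    guess = left if left[1] > right[1] else right
    return guess, "guess: no handshake captured, higher port assumed to be the client"


def report(convs):
    """Render a conv-table-like listing plus the initiator verdict for each pair."""
    lines = ["TCP Conversations",
             f"{'':47}  left->right   right->left   initiator"]
    for conv in convs.values():
        l, r = conv["left"], conv["right"]
        who, why = initiator(conv)
        lines.append(f"{l[0]}:{l[1]} <-> {r[0]}:{r[1]}".ljust(47)
                     + f"{conv['frames'][l]:>4} {conv['bytes'][l]:>6}   "
                     + f"{conv['frames'][r]:>4} {conv['bytes'][r]:>6}   "
                     + f"{who[0]}:{who[1]} ({why})")
    return "\n".join(lines)


def sample_capture():
    """Constructed capture (not a real trace) with three conversations."""
    c, s = "10.0.0.5", "203.0.113.10"
    return [
        # 1: full handshake captured; the first packet is the client's SYN.
        build_packet(c, 49152, s, 80, TCP_SYN),
        build_packet(s, 80, c, 49152, TCP_SYN | TCP_ACK),
        build_packet(c, 49152, s, 80, TCP_ACK),
        build_packet(c, 49152, s, 80, TCP_PSH | TCP_ACK, b"GET / HTTP/1.0\r\n\r\n"),
        build_packet(s, 80, c, 49152, TCP_PSH | TCP_ACK, b"HTTP/1.0 200 OK\r\n\r\n"),
        # 2: capture started mid-connection; the first packet seen comes FROM the server,
        #    so the server lands on the left even though it did not initiate anything.
        build_packet(s, 443, c, 49153, TCP_PSH | TCP_ACK, b"\x17\x03\x03" + b"\x00" * 40),
        build_packet(c, 49153, s, 443, TCP_ACK),
        # 3: only the SYN/ACK made it into the capture; again the server is listed first.
        build_packet(s, 22, c, 49154, TCP_SYN | TCP_ACK),
        build_packet(c, 49154, s, 22, TCP_ACK),
    ]


if __name__ == "__main__":
    print(report(conversations(sample_capture())))
```

Running it prints the second and third conversations with the server on the left, exactly as the conv table would show them, while the initiator column still names the client; only the second conversation is a guess, because nothing in that capture can prove who sent the first packet of the connection.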