Wireshark mailing list archives
Re: How source and destination is identified in Wireshark?
From: Guy Harris <guy () alum mit edu>
Date: Fri, 28 Jan 2011 10:55:34 -0800
On Jan 24, 2011, at 8:18 PM, Berkay Celik wrote:
Guy, thanks for the answer but I'm not satisfied. When you get the conversation list using the tshark, even if there are partial conversations (no SYN or 3-way handshake is not observed) commonly tshark gives the correct results,
What do you mean by "When you get the conversation list using the tshark"? Are you referring to "-z conv,tcp"? If so, then the only results you get involve the endpoints as IP address:port; TShark does *NOT* mark one endpoint as the source and another endpoint as the destination:

TCP Conversations
Filter:<No Filter>
                                              |       <-      | |       ->      | |     Total     |
                                              | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
AAA.BBB.CCC.DDD:1355 <-> XXX.YYY.ZZZ.WWW:139      14    4332       15    6018       29   10350
AAA.BBB.CCC.DDD:1819 <-> MMM.NNN.OOO.PPP:80       12   13565       11     898       23   14463
AAA.BBB.CCC.DDD:1839 <-> EEE.FFF.GGG.HHH:80        7    5830        6     673       13    6503

(IP addresses obscured here, but that's the output from TShark.)

It has *NOT* identified AAA.BBB.CCC.DDD as the source and XXX.YYY.ZZZ.WWW as the destination in the first of those conversations; AAA.BBB.CCC.DDD happens to be the source address, and XXX.YYY.ZZZ.WWW happens to be the destination address of the first packet in that TCP connection in the capture, but there is *NO* guarantee that the first packet in the capture is going from the machine that initiated the connection. There are reasons why it's *likely* that it is, but it is not *guaranteed*.
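An added example, not code from this thread or from TShark, illustrating the point above: it rebuilds a conv,tcp-style table from constructed segments, so the left-hand endpoint is whoever sent the first segment seen, and adds a SYN-without-ACK check that identifies the initiator only when the handshake was actually captured. Endpoint addresses, ports and segment sizes are constructed.

```python
# Added example (not from the post or from TShark): builds a per-connection
# table like "tshark -z conv,tcp" from constructed segments and shows that
# the "A <-> B" orientation is only first-packet order unless a SYN is seen.
from dataclasses import dataclass

@dataclass
class Pkt:                 # one TCP segment; endpoints are 'ip:port' strings
    src: str
    dst: str
    length: int
    syn: bool = False
    ack: bool = False

def conversations(packets):
    """Group segments by endpoint pair in first-seen order. 'initiator' is set
    only when a SYN without ACK is observed; otherwise it stays None."""
    table = {}
    for p in packets:
        if (p.dst, p.src) in table:          # reply direction of a known pair
            key, side = (p.dst, p.src), "ba"
        else:                                # first-seen (or same) orientation
            key, side = (p.src, p.dst), "ab"
        conv = table.setdefault(key, {"ab_frames": 0, "ab_bytes": 0,
                                      "ba_frames": 0, "ba_bytes": 0,
                                      "initiator": None})
        conv[side + "_frames"] += 1
        conv[side + "_bytes"] += p.length
        if p.syn and not p.ack and conv["initiator"] is None:
            conv["initiator"] = p.src        # handshake start: the real client
    return table

def render(table):
    """Rows laid out like the quoted TShark output, plus an initiator column."""
    rows = []
    for (a, b), c in table.items():
        who = c["initiator"] or "unknown (no SYN seen; left side = first packet)"
        rows.append(f"{a} <-> {b}  <- {c['ba_frames']} {c['ba_bytes']}  "
                    f"-> {c['ab_frames']} {c['ab_bytes']}  initiator: {who}")
    return rows

# Constructed traffic: client port 1355 opens a connection to server port 139.
CLIENT, SERVER = "10.0.0.5:1355", "10.0.0.9:139"
FULL = [Pkt(CLIENT, SERVER, 62, syn=True), Pkt(SERVER, CLIENT, 62, syn=True, ack=True),
        Pkt(CLIENT, SERVER, 54, ack=True), Pkt(CLIENT, SERVER, 200, ack=True),
        Pkt(SERVER, CLIENT, 1400, ack=True)]
# Captured late: the first segment seen is the server's, so it lands on the left.
PARTIAL = [FULL[4], FULL[3]]

if __name__ == "__main__":
    for name, pkts in (("full capture", FULL), ("partial capture", PARTIAL)):
        print(name, *render(conversations(pkts)), sep="\n")
```

With the full capture the client is both the left-hand endpoint and the detected initiator; with the late-started capture the server becomes the left-hand endpoint and the initiator is reported as unknown, which is the only honest answer without the handshake.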