Wireshark mailing list archives
Re: How source and destination is identified in Wireshark?
From: Guy Harris <guy () alum mit edu>
Date: Fri, 28 Jan 2011 12:14:30 -0800
On Jan 28, 2011, at 10:55 AM, Guy Harris wrote:
AAA.BBB.CCC.DDD happens to be the source address, and XXX.YYY.ZZZ.WWW happens to be the destination address of the first packet in that TCP connection in the capture,
Actually, it is based on the first packet it sees, but the rules are: if the source port of that first packet is greater than the destination port of that first packet, the endpoints are {source IP}:{source port} and {destination IP}:{destination port}; otherwise, if the source port of that first packet is less than the destination port of that first packet, the endpoints are {destination IP}:{destination port} and {source IP}:{source port}; otherwise (i.e., if the source and destination ports are equal), if the source IP address is "greater than" the destination IP address, the endpoints are {source IP}:{source port} and {destination IP}:{destination port}; otherwise, the endpoints are {destination IP}:{destination port} and {source IP}:{source port}. So that doesn't magically always correctly determine the endpoint from which the connection was initiated - and it doesn't even bother looking at the SYN or ACK bits. ("Greater than", for IP addresses, is based on a byte-by-byte comparison of the addresses.) ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- How source and destination is identified in Wireshark? Berkay Celik (Jan 24)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 24)
- Re: How source and destination is identified in Wireshark? Berkay Celik (Jan 24)
- Re: How source and destination is identified in Wireshark? Martin Visser (Jan 24)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 28)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 28)
- Re: How source and destination is identified in Wireshark? ronnie sahlberg (Jan 28)
- Re: How source and destination is identified in Wireshark? Andrew Hood (Jan 28)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 28)
- tcp.time_delta column with tshark vincent paul (Jan 29)
- Re: tcp.time_delta column with tshark j.snelders (Jan 29)
- Re: tcp.time_delta column with tshark Sake Blok (Jan 29)
- Re: tcp.time_delta column with tshark j.snelders (Jan 29)
- Re: tcp.time_delta column with tshark vincent paul (Jan 29)
- Re: tcp.time_delta column with tshark Martin Visser (Jan 30)
- Re: tcp.time_delta column with tshark vincent paul (Jan 30)
- Re: How source and destination is identified in Wireshark? Berkay Celik (Jan 24)
- Re: How source and destination is identified in Wireshark? Guy Harris (Jan 24)