Wireshark mailing list archives

Re: How source and destination is identified in Wireshark?


From: Guy Harris <guy () alum mit edu>
Date: Fri, 28 Jan 2011 12:14:30 -0800


On Jan 28, 2011, at 10:55 AM, Guy Harris wrote:

> AAA.BBB.CCC.DDD happens to be the source address, and XXX.YYY.ZZZ.WWW happens to be the destination address of the first packet in that TCP connection in the capture,

Actually, it is based on the first packet it sees, but the rules are:

        if the source port of that first packet is greater than the destination port of that first packet, the endpoints are {source IP}:{source port} and {destination IP}:{destination port};

        otherwise, if the source port of that first packet is less than the destination port of that first packet, the endpoints are {destination IP}:{destination port} and {source IP}:{source port};

        otherwise (i.e., if the source and destination ports are equal), if the source IP address is "greater than" the destination IP address, the endpoints are {source IP}:{source port} and {destination IP}:{destination port};

        otherwise, the endpoints are {destination IP}:{destination port} and {source IP}:{source port}.

So that doesn't magically always correctly determine the endpoint from which the connection was initiated - and it doesn't even bother looking at the SYN or ACK bits.

("Greater than", for IP addresses, is based on a byte-by-byte comparison of the addresses.)
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
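The ordering rules described in the message above, as an added example (not Wireshark's own code, and the packets are constructed): `order_endpoints` applies the four port/address rules to the first packet seen, and `initiator_from_flags` shows what those rules do not do, namely find the side that sent the bare SYN. The addresses, ports and the `Packet` tuple layout are assumptions for the illustration.

```python
# Added example (not Wireshark's own code): models the endpoint-ordering rule
# described in the message and contrasts it with looking at the SYN/ACK bits.
import ipaddress
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)

def ip_key(addr: str) -> bytes:
    """Comparison key: raw address bytes, so 'greater than' is byte-by-byte."""
    return ipaddress.ip_address(addr).packed

def order_endpoints(src_ip: str, src_port: int,
                    dst_ip: str, dst_port: int) -> Tuple[Endpoint, Endpoint]:
    """Apply the four rules from the message to the first packet seen."""
    src, dst = (src_ip, src_port), (dst_ip, dst_port)
    if src_port > dst_port:
        return src, dst
    if src_port < dst_port:
        return dst, src
    if ip_key(src_ip) > ip_key(dst_ip):      # equal ports: compare addresses
        return src, dst
    return dst, src

# Constructed packets: (src_ip, src_port, dst_ip, dst_port, syn, ack).
Packet = Tuple[str, int, str, int, bool, bool]

def initiator_from_flags(packets: List[Packet]) -> Optional[Endpoint]:
    """The endpoint that sent a SYN without ACK, if that packet is in the capture."""
    for src_ip, src_port, _, _, syn, ack in packets:
        if syn and not ack:
            return (src_ip, src_port)
    return None          # handshake not captured; initiator unknown

# Constructed capture: client 10.0.0.5 bound to the low port 1024 connects to
# a server on 8443. The higher port belongs to the server, so the port rule
# lists the server first even though the client initiated the connection.
CAPTURE: List[Packet] = [
    ("10.0.0.5", 1024, "10.0.0.1", 8443, True, False),   # SYN from client
    ("10.0.0.1", 8443, "10.0.0.5", 1024, True, True),    # SYN/ACK
    ("10.0.0.5", 1024, "10.0.0.1", 8443, False, True),   # ACK
]

if __name__ == "__main__":
    first = CAPTURE[0]
    print("port-rule order:", order_endpoints(*first[:4]))
    print("SYN initiator:  ", initiator_from_flags(CAPTURE))
```

Because the port comparison is symmetric, `order_endpoints` yields the same pair whichever direction the first captured packet travels; only the flag check can say who initiated, and only when the handshake is in the capture.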