Wireshark mailing list archives
Re: How source and destination is identified in Wireshark?
From: ronnie sahlberg <ronniesahlberg () gmail com>
Date: Sat, 29 Jan 2011 07:29:20 +1100
Yes.
My rationale was this:
In the conversation list the socket pairs are deliberately set up with the "highest" port to the left and the "lowest" port to the right.

Almost always, clients will use ephemeral ports in the >=32768 range and server applications will listen on system ports <2048.
This way, you would almost always get the clients on the left connecting to the servers on the right (which is nice as long as you are a left-to-right person).

Thus this very simple heuristic would get it right most of the time.
Especially since we would not have any guarantees that the SYN packets would even exist in the trace, or what about UDP packets?

regards
ronnie sahlberg

On Sat, Jan 29, 2011 at 7:14 AM, Guy Harris <guy () alum mit edu> wrote:
> On Jan 28, 2011, at 10:55 AM, Guy Harris wrote:
>
>> AAA.BBB.CCC.DDD happens to be the source address, and XXX.YYY.ZZZ.WWW happens to be the destination address of the first packet in that TCP connection in the capture,
>
> Actually, it is based on the first packet it sees, but the rules are:
>
>     if the source port of that first packet is greater than the destination port of that first packet, the endpoints are {source IP}:{source port} and {destination IP}:{destination port};
>
>     otherwise, if the source port of that first packet is less than the destination port of that first packet, the endpoints are {destination IP}:{destination port} and {source IP}:{source port};
>
>     otherwise (i.e., if the source and destination ports are equal), if the source IP address is "greater than" the destination IP address, the endpoints are {source IP}:{source port} and {destination IP}:{destination port};
>
>     otherwise, the endpoints are {destination IP}:{destination port} and {source IP}:{source port}.
>
> So that doesn't magically always correctly determine the endpoint from which the connection was initiated - and it doesn't even bother looking at the SYN or ACK bits.
>
> ("Greater than", for IP addresses, is based on a byte-by-byte comparison of the addresses.)
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request () wireshark org?subject=unsubscribe
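The ordering rules described in the quoted message above, written out as an added C example (not part of the original thread and not Wireshark's source code). The types, function names and sample endpoints are assumptions constructed for illustration; the third sample shows a case where the port heuristic puts the server on the left.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for this example; not Wireshark's own structures. */
typedef struct { uint8_t ip[4]; uint16_t port; } endpoint_t;
typedef struct { endpoint_t left, right; } conv_row_t;

/* Constructed sample endpoints (documentation address ranges). */
static const endpoint_t CLIENT  = {{192, 0, 2, 10},   49152};
static const endpoint_t WEB     = {{198, 51, 100, 5}, 80};
static const endpoint_t LOW_CLI = {{192, 0, 2, 10},   1025};
static const endpoint_t ALT_SRV = {{198, 51, 100, 5}, 8080};
static const endpoint_t NTP_A   = {{192, 0, 2, 10},   123};
static const endpoint_t NTP_B   = {{198, 51, 100, 5}, 123};

/* Order the endpoints of the first packet seen for a conversation:
 * the higher port goes left; on equal ports the "greater" IP address
 * (byte-by-byte comparison) goes left. TCP flags are never consulted. */
conv_row_t order_endpoints(endpoint_t src, endpoint_t dst)
{
    conv_row_t row;
    int src_left;
    if (src.port != dst.port)
        src_left = src.port > dst.port;
    else
        src_left = memcmp(src.ip, dst.ip, sizeof src.ip) > 0;
    row.left  = src_left ? src : dst;
    row.right = src_left ? dst : src;
    return row;
}

/* Returns 1 if endpoint e ended up in the left-hand column. */
int left_is(conv_row_t row, endpoint_t e)
{
    return row.left.port == e.port && memcmp(row.left.ip, e.ip, 4) == 0;
}

static void show(const char *label, endpoint_t src, endpoint_t dst)
{
    conv_row_t r = order_endpoints(src, dst);
    printf("%-22s %d.%d.%d.%d:%d <-> %d.%d.%d.%d:%d\n", label,
           r.left.ip[0], r.left.ip[1], r.left.ip[2], r.left.ip[3], r.left.port,
           r.right.ip[0], r.right.ip[1], r.right.ip[2], r.right.ip[3], r.right.port);
}

int main(void)
{
    show("client->web first", CLIENT, WEB);
    show("web->client first", WEB, CLIENT);     /* SYN missing from trace */
    show("low client port", LOW_CLI, ALT_SRV);  /* server lands on the left */
    show("equal ports", NTP_A, NTP_B);          /* falls back to IP compare */
    return 0;
}
```
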