Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How source and destination is identified in Wireshark?

From: ronnie sahlberg <ronniesahlberg () gmail com>
Date: Sat, 29 Jan 2011 07:29:20 +1100
Yes.

My rationale was this :

In the conversation list the socket pairs are deliberately set up with the
"highest" port to the left and the "lowest" port to the right.

Almost always, clients will use ephemeral ports in the >=32768 range
and server applications will listen on system ports <2048

This way, you would alwost always get the clients on the left
connecting to the servers on the right
(which is nice as long as you are a left-to-right person).

Thus this very simple heuristics would get it right most of the time.
Especially since we would not have any guarantees that the SYN packets
would even exist in the trace,
or what about UDP packets?

regards
ronnie sahlberg




On Sat, Jan 29, 2011 at 7:14 AM, Guy Harris <guy () alum mit edu> wrote:


On Jan 28, 2011, at 10:55 AM, Guy Harris wrote:


AAA.BBB.CCC.DDD happens to be the source address, and XXX.YYY.ZZZ.WWW happens to be the destination address of the 
first packet in that TCP connection in the capture,


Actually, it is based on the first packet it sees, but the rules are:

       if the source port of that first packet is greater than the destination port of that first packet, the 
endpoints are {source IP}:{source port} and {destination IP}:{destination port};

       otherwise, if the source port of that first packet is less than the destination port of that first packet, the 
endpoints are {destination IP}:{destination port} and {source IP}:{source port};

       otherwise (i.e., if the source and destination ports are equal), if the source IP address is "greater than" 
the destination IP address, the endpoints are {source IP}:{source port} and {destination IP}:{destination port};

       otherwise, the endpoints are {destination IP}:{destination port} and {source IP}:{source port}.

So that doesn't magically always correctly determine the endpoint from which the connection was initiated - and it 
doesn't even bother looking at the SYN or ACK bits.

("Greater than", for IP addresses, is based on a byte-by-byte comparison of the addresses.)
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: