Re: TCP: Retrieving connection initiator as well as looping through connections

[Guy Harris <guy () alum mit edu>]

On Oct 27, 2014, at 6:47 AM, Matt <mattator () gmail com> wrote:

> I am trying to improve the MPTCP support in the TCP dissector. To
> provide expert infos, I need to identify which host initiated the
> connection (ie sent the SYN). I wonder how to do that, I could use
> tcp_analysis::server_port if ports were guaranted to be different on
> both sides.

Well, you're not guaranteed to be able to do it by having the TCP dissector look for the initial SYN, as that's not 
guaranteed to be in the capture.  That would work *if* the capture includes the initial SYN, but not all captures do so.

If, for a connection, you're willing to have it indicate either:

        XXX.XXX.XXX.XXX initiated the connection;

        YYY.YYY.YYY.YYY initiated the connection;

        we don't know who initiated the connection;

and the expert analysis code can handle the third case (if, by nothing else, not doing some expert analysis), the TCP 
dissector could do that.

> Secondly, I am trying to setup an MPTCP *stream* identifier , similar
> to tcp stream. Indeed a single MPTCP connection can be composed of
> several TCP connections. Thing is to know to which MPTCP stream a TCP
> stream is bound to, I have to check a token (in a TCP option)

Is that option present in all TCP packets or just in the initial 3-way handshake?  If the former, then you have the 
problem I described above, with the indicated workaround.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe