This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I follow one conversation/session in a wireshark trace?

0

Hi guys

I have a trace that I am trying to analyze. It is a bit difficult because we open two connections to the same IP and port within the same application. So there are two different sockets opening connections on two different threads. We have application logs, but they are huge, and trying to match up what was sent from each thread in the app logs with the Wireshark trace is quite difficult.

I don't know that much about the TCP/IP stack but I assume that there must be some sort of ID that is associated with each socket otherwise the OS wouldn't know which bytes to forward to which socket in the same application.

Does this ID show up in the wireshark trace? Is there a way to filter the view so that I can follow a single socket's conversation? If this is true what ID should I use and where can I find it in the trace?

asked 10 Aug '12, 03:56


uriDium


3 Answers:

3

Right click a packet of interest and choose "Follow TCP Stream". This will show the stream contents in another window which you can dismiss, and the main display will be filtered to only show packets for the stream you chose.

answered 10 Aug '12, 04:08


grahamb ♦

2

If you open the TCP tree in the packet-tree pane, you'll find a field called [Stream index: N] where N is some integer. Wireshark gives each TCP connection its own stream index (the number is incremented each time Wireshark sees a new connection). This field is useful if you want to, for example, filter on only messages for this particular stream.

answered 10 Aug '12, 06:10


JeffMorriss ♦

2

As grahamb said, Follow TCP Stream will give what you want. No, there is no ID that is associated with each socket. The Stream Index is a Wireshark-generated value; it is not actually present in the packet. The OS differentiates between TCP connections solely on the basis of IP addresses and ports. A connection is defined by the IP addresses and port numbers at both ends. You said "...we open two connections to the same IP and port within the same application."

Ok, both connections may be TO the same IP address and port, but if you examine the captured traffic you will find that they are not both FROM the same port. The system that opens the connections will choose a different dynamic port for each connection.

answered 10 Aug '12, 12:22


Jim Aragon

@Jim. Does this have anything to do with ephemeral ports?

(12 Aug '12, 01:10) uriDium

Yes, that is what Jim meant by "dynamic".

(12 Aug '12, 03:18) Jasper ♦♦

Indeed. I first typed "ephemeral" and then changed it to "dynamic" because I find that a lot of people who are new to TCP analysis aren't familiar with the term.

(12 Aug '12, 10:14) Jim Aragon
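The two points made in the answers above (JeffMorriss: the stream index is a Wireshark-generated counter; Jim Aragon: a connection is identified only by the IP/port pair at each end, so two connections to the same server port differ in the client's ephemeral port) can be shown with a small model of how a dissector numbers conversations. The script below is an added example, not code from this site or from Wireshark; the packets are constructed, and the rule that a fresh SYN on an already-seen 4-tuple opens a new stream is a simplification I chose to illustrate port reuse, not a claim about Wireshark's exact logic (a retransmitted SYN would wrongly start a new stream here).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    """Minimal view of one captured TCP segment (constructed data, not a real capture)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str            # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "PA" = PSH/ACK
    payload: bytes = b""


def conversation_key(p: Packet) -> Tuple[Endpoint, Endpoint]:
    """Direction-independent 4-tuple: both directions of one connection share a key."""
    a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
    return (a, b) if a <= b else (b, a)


def assign_stream_indexes(packets: List[Packet]) -> List[int]:
    """Number conversations in order of first appearance, like Wireshark's tcp.stream.

    Assumption for this example: a bare SYN on a 4-tuple that already has a stream
    starts a new stream, so a reused client port is not merged into the earlier,
    closed connection. Real dissectors also check sequence numbers.
    """
    index_of: Dict[Tuple[Endpoint, Endpoint], int] = {}
    next_index = 0
    result: List[int] = []
    for p in packets:
        key = conversation_key(p)
        if key not in index_of or p.flags == "S":
            index_of[key] = next_index
            next_index += 1
        result.append(index_of[key])
    return result


def follow_stream(packets: List[Packet], stream_index: int) -> List[Packet]:
    """Packets of one conversation, i.e. the effect of the filter tcp.stream == N."""
    indexes = assign_stream_indexes(packets)
    return [p for p, i in zip(packets, indexes) if i == stream_index]


def stream_contents(packets: List[Packet], stream_index: int) -> Dict[str, bytes]:
    """Reassemble each direction's payload, like the Follow TCP Stream window.

    The side that sent the first packet of the stream (its SYN) is the client.
    Returns an empty dict if no such stream exists.
    """
    members = follow_stream(packets, stream_index)
    if not members:
        return {}
    client = (members[0].src_ip, members[0].src_port)
    out = {"client": b"", "server": b""}
    for p in members:
        side = "client" if (p.src_ip, p.src_port) == client else "server"
        out[side] += p.payload
    return out


def display_filter(p: Packet) -> str:
    """A 4-tuple display filter for the same conversation, useful when the
    generated index is not stable (e.g. comparing two different captures)."""
    (ip1, port1), (ip2, port2) = conversation_key(p)
    return (f"ip.addr=={ip1} && tcp.port=={port1} && "
            f"ip.addr=={ip2} && tcp.port=={port2}")


# Constructed capture: one client opens two connections to 203.0.113.7:443 from
# ephemeral ports 51000 and 51001, interleaved, then reuses port 51000 for a third.
PACKETS = [
    Packet("10.0.0.5", 51000, "203.0.113.7", 443, "S"),
    Packet("203.0.113.7", 443, "10.0.0.5", 51000, "SA"),
    Packet("10.0.0.5", 51001, "203.0.113.7", 443, "S"),
    Packet("10.0.0.5", 51000, "203.0.113.7", 443, "A"),
    Packet("203.0.113.7", 443, "10.0.0.5", 51001, "SA"),
    Packet("10.0.0.5", 51000, "203.0.113.7", 443, "PA", b"GET /a"),
    Packet("10.0.0.5", 51001, "203.0.113.7", 443, "PA", b"GET /b"),
    Packet("203.0.113.7", 443, "10.0.0.5", 51001, "PA", b"200 b"),
    Packet("203.0.113.7", 443, "10.0.0.5", 51000, "PA", b"200 a"),
    Packet("10.0.0.5", 51000, "203.0.113.7", 443, "S"),   # port 51000 reused
]

if __name__ == "__main__":
    for n, (p, i) in enumerate(zip(PACKETS, assign_stream_indexes(PACKETS))):
        print(f"frame {n}: tcp.stream == {i}  {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} [{p.flags}]")
    print(stream_contents(PACKETS, 0))
    print(display_filter(PACKETS[2]))
```

Frames 0, 1, 3, 5 and 8 land in stream 0 and frames 2, 4, 6 and 7 in stream 1 even though every frame involves 203.0.113.7:443, because the key includes the client's port; the final SYN from the reused port becomes stream 2 rather than being appended to stream 0. When matching the capture against the application logs, log the local ephemeral port at connect time (getsockname on the socket) and the capture's 4-tuple filter does the rest.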