This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How are source and destination identified?

0

If there is a SYN bit set seen from an endpoint, this is the source. I am curious whether Wireshark defines it in some other ways, or whether only the SYN bit is enough to identify the source and destination? Secondly,

if my traces are partial conversations and no SYN bit is seen, which one is the source and which the destination? Port numbers can be used to determine them, but what if both port numbers make sense? The server uses 80 and the client uses a port number, let's say something above 1024, but it's also possible for servers to provide services from that port number, for example for database queries.

Thanks

asked 21 Jan '11, 13:44


berkey

edited 21 Jan '11, 13:44


One Answer:

2

Depends on what you mean by “source” and “destination.” The “Source” and “Destination” columns in Wireshark identify the source and destination of each packet. Which endpoint is the source and which is the destination alternates as the two systems exchange packets. I'm guessing that's not what you mean.

I'm guessing you're asking which endpoint is the source of a particular data flow. The endpoint that sends the initial SYN is the originator of the TCP connection, but that system is not necessarily the source of the subsequent data flows.

Many networking data flows are primarily unidirectional: Data is flowing mostly in one direction. For example, if I open a command prompt on my computer and type “ftp 192.168.1.10” my computer will send the SYN packet to originate the connection. But then if I download a file, the data flow will be FROM the server TO my computer. The FTP server will be the source and my computer will be the destination for the data transfer. If I upload a file, my computer will be the source and the server will be the destination.

The source is the system sending the data; the destination is the system receiving the data. In a unidirectional data flow, you will see (relatively) large packets from one endpoint, with tcp.len > 0 (hopefully, maximum segment size, or close to it), and the other side will be sending back relatively small ACK packets with no data, and therefore a tcp.len of 0.

What ports are used doesn't really identify who is the source. Again, in an FTP session, you can be downloading or uploading. You can be the source or the destination for the data.

When you click on a link on a web page, your computer is the source of the GET request that is sent to the web server, which will be a relatively small amount of data. Then the web server is the source of the page contents that are sent to your computer, and this will probably be a much larger amount of data.

answered 21 Jan '11, 16:18


Jim Aragon
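Added example (not part of the original thread, and not Wireshark's own code): a small Python script that applies the two rules from the answer above to a conversation. It first looks for the pure SYN (flags.syn set, flags.ack clear) to find the connection originator, and separately sums tcp.len per endpoint to find the data source, so a trace captured mid-stream with no handshake still gets a data-flow direction while the originator is honestly reported as unknown. The packet tuples mirror Wireshark's ip.src, tcp.srcport, ip.dst, tcp.dstport, tcp.flags and tcp.len fields; the traces and the 2:1 byte ratio threshold are constructed assumptions.

```python
"""Classify a TCP conversation's originator and data-flow direction.

Packets are tuples (ip.src, tcp.srcport, ip.dst, tcp.dstport, flags, tcp.len)
where flags is a string of letters: S=SYN, A=ACK, P=PSH, F=FIN.
All traces below are constructed for illustration, not real captures.
"""
from collections import Counter, defaultdict

# Client originates with SYN, sends a small request, server returns the
# bulk of the data in MSS-sized (1460) segments, client replies with bare ACKs.
FULL_TRACE = [
    ("10.0.0.5", 51234, "192.168.1.10", 21, "S", 0),
    ("192.168.1.10", 21, "10.0.0.5", 51234, "SA", 0),
    ("10.0.0.5", 51234, "192.168.1.10", 21, "A", 0),
    ("10.0.0.5", 51234, "192.168.1.10", 21, "PA", 38),
    ("192.168.1.10", 21, "10.0.0.5", 51234, "A", 1460),
    ("192.168.1.10", 21, "10.0.0.5", 51234, "A", 1460),
    ("10.0.0.5", 51234, "192.168.1.10", 21, "A", 0),
    ("192.168.1.10", 21, "10.0.0.5", 51234, "PA", 900),
    ("10.0.0.5", 51234, "192.168.1.10", 21, "A", 0),
]

# Same conversation captured mid-stream: the handshake is missing.
PARTIAL_TRACE = FULL_TRACE[4:]

# A roughly symmetric exchange: neither side is clearly "the source".
BALANCED_TRACE = [
    ("10.0.0.7", 40000, "10.0.0.8", 5432, "PA", 500),
    ("10.0.0.8", 5432, "10.0.0.7", 40000, "PA", 500),
]


def tcp_originator(packets):
    """Endpoint that sent the pure SYN (tcp.flags.syn==1 && tcp.flags.ack==0).

    Returns (ip, port), or None when the handshake is not in the trace:
    without the SYN or SYN/ACK the originator cannot be determined.
    """
    for src, sport, _dst, _dport, flags, _length in packets:
        if "S" in flags and "A" not in flags:
            return (src, sport)
    return None


def direction_stats(packets):
    """Per-endpoint payload bytes, data-carrying segments and pure ACKs."""
    stats = defaultdict(lambda: {"bytes": 0, "data_segments": 0, "pure_acks": 0})
    for src, sport, _dst, _dport, flags, length in packets:
        entry = stats[(src, sport)]
        entry["bytes"] += length
        if length > 0:
            entry["data_segments"] += 1
        elif "A" in flags and "S" not in flags and "F" not in flags:
            entry["pure_acks"] += 1          # tcp.len == 0, just acknowledging
    return dict(stats)


def data_source(packets, min_ratio=2.0):
    """Endpoint sending most payload, using summed tcp.len per direction.

    Returns (ip, port) when one direction carries at least `min_ratio` times
    the bytes of the other (constructed threshold), None when the flow is
    roughly bidirectional or carries no payload at all.
    """
    bytes_by_sender = Counter()
    for src, sport, _dst, _dport, _flags, length in packets:
        bytes_by_sender[(src, sport)] += length
    ranked = bytes_by_sender.most_common()
    if not ranked or ranked[0][1] == 0:
        return None
    if len(ranked) == 1 or ranked[0][1] >= min_ratio * ranked[1][1]:
        return ranked[0][0]
    return None


def summarize(packets):
    """Answer both questions the thread asks, independently of each other."""
    return {"originator": tcp_originator(packets), "data_source": data_source(packets)}


if __name__ == "__main__":
    for name, trace in (("full", FULL_TRACE), ("partial", PARTIAL_TRACE),
                        ("balanced", BALANCED_TRACE)):
        print(name, summarize(trace))
```

The two results are deliberately kept separate: the originator answers "who opened the connection" and is None for the partial trace, while the data source answers "who is sending the bytes" and is still recoverable. The stats dictionary is where you would look for the pattern the answer describes, full-size data segments on one side and zero-length ACKs on the other; a conversation list's address ordering, as the later comment notes, gives no such guarantee.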

@jaragon, you simply mean that if I have a trace without payloads, looking at the data sizes less than MSS will help me determine it if I don't have any SYN bit seen? So do you have any official reference or webpage that talks about these, related to Wireshark? Thanks

(22 Jan '11, 14:50) berkey

If you do not see either the SYN or the SYN/ACK, then you cannot tell which device initiated the TCP connection.

(22 Jan '11, 19:39) Jim Aragon

@jaragon, but can Wireshark give me results of the conversations by identifying the source and destination without any SYN?

(23 Jan '11, 10:05) berkey

Where does Wireshark "identify the source and destination"? Do NOT assume that, in a list of conversations, the first address it shows for the conversation is the source and the second address is the destination; there is no guarantee that's the case.

(28 Jan '11, 10:58) Guy Harris ♦♦