
Hello, do the TCP conversations shown in Statistics->Conversations->TCP separate individual TCP sessions between the same hosts and same ports (each with its own SYN, FIN, etc.)? Or will it aggregate them into a single entry? I would like to know if it is possible to obtain a summary of each individual TCP session.

Thank you in advance! Hugo

asked 01 Mar '13, 16:38

hugosp


Wireshark will treat conversations as unique if the 4-tuple is the same but the initial sequence number of the TCP SYN packet is different. This way retransmissions of the SYN will not be counted as a different conversation, but a new session with the same 4-tuple will (assuming a random initial sequence number is chosen for each session).

The TCP tab in the conversation statistics will follow the conversation marking. I just checked with a crafted file containing two TCP sessions with the same 4-tuple but different initial sequence numbers.

For UDP, there are no sequence numbers, so all packets with the same 4-tuple will be aggregated in one row in the UDP tab of the conversation statistics.

answered 03 Mar '13, 11:52

SYN-bit ♦♦

Thanks for the reply. Any good open source tools to craft a packet?

(03 Mar '13, 21:30) krishnayeddula

Thanks Kurt. Jenny GUI looks terrific.

(05 Mar '13, 13:53) krishnayeddula

Yep. Good luck with it :-)

(05 Mar '13, 13:59) Kurt Knochner ♦

A unique TCP session comprises a 4-tuple (source port, destination port, source IP and destination IP). "Between same hosts and same ports": what does this mean? Multiple clients can access the same server port, but they are all unique TCP sessions. AFAIK it is a corner case that 2 TCP sessions have the same 4-tuple (SIP, DIP, SP, DP). Senior folks, correct me if I am wrong.

In the regular case you can access each individual TCP session: go to Statistics > Conversations > TCP, select the session you want to observe, right click and Apply as Filter > Selected > A<-->B, and you will see the summary of packets (3-way handshake, application transactions, tear down) in that session.

answered 01 Mar '13, 18:27

krishnayeddula

edited 01 Mar '13, 20:47

It's certainly not impossible for two separate TCP sessions to use the same endpoint values. The second session would have to start after the first session is closed, so there can't be two separate sessions using the same endpoint values at the same time, and if the TCP port number in the initial SYN is being dynamically assigned, it's probably not likely that this will happen, but it's not impossible.

(01 Mar '13, 22:20) Guy Harris ♦♦

Guy Harris, thanks for the confirmation. I am sure we can mimic the same-source-port condition using traffic generator tools, but my point is that the previous session (same 4-tuple) must have closed (which you confirmed).

I am curious to know whether a situation can arise where 2 separate sessions have the same 4-tuple "in flight", i.e. the first session is not closed yet and a 2nd SYN is initiated by the client to the server with the same source port.

(02 Mar '13, 03:20) krishnayeddula

Hello,

Thank you for the comments, but none of you really answered my question. I know it is possible, especially if you are computing statistics over a large packet trace file. My question is whether Wireshark separates them or not. Thanks again! Hugo

(02 Mar '13, 08:11) hugosp

You can access each individual TCP session: go to Statistics > Conversations > TCP, select the session you want to observe, right click and Apply as Filter > Selected > A<-->B, and you will see the summary of packets (3-way handshake, application transactions, tear down) in that session.

(02 Mar '13, 09:28) krishnayeddula

Hello, sorry to insist, but that is not my question. The fact that I go to one session and only see one SYN, etc., does not guarantee me that it happens on every session in the computed statistics. However, I created a setup of my own and was able to verify that Wireshark actually separates two TCP sessions with the same 4-tuple.

(02 Mar '13, 10:56) hugosp

Sorry for not understanding your question properly. Here is what I inferred:

1st session: Client (10.1.1.1), Server (74.3.3.1), SP: 3122, DP: 80. The first connection is to fetch an HTML object (index.html). The 4-tuple is 10.1.1.1 74.3.3.1 SP:3122 DP:80. This session ended.

Now,

2nd session: Client (10.1.1.1), Server (74.3.3.1), SP: 3122 (which is the same as above), DP: 80. This session is to fetch a JPG file (index.jpg).

So what you are looking for is the list of the 2 sessions individually in Wireshark in spite of the same 4-tuple?

(02 Mar '13, 16:48) krishnayeddula

That's correct. So if your 1st Session has 100 packets, and your second session also has 100 packets, my question is if in statistics a single 4-tuple entry will appear with a total of 200 packets, or if they will show up as two separate TCP sessions, each with 100 packets. I think the latter is what happens, and it is also what I was looking for. Please correct me if I am wrong :) thanks again!

(03 Mar '13, 11:09) hugosp
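The rule SYN-bit describes in the accepted answer (same 4-tuple, new SYN with a different initial sequence number starts a new conversation; a SYN carrying the same ISN is a retransmission and stays in the current one) and the 100 + 100 packet case hugosp asks about can be modelled in a few lines. The following is an added example written for this page, not Wireshark's code and not posted by anyone in the thread; it works on a constructed list of packet records (the 10.1.1.1 / 74.3.3.1 / 3122 / 80 addresses are taken from the comments above, the sequence numbers are made up) and groups them the way the answer says the TCP conversation tab does.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Minimal packet record for the example (constructed, not parsed from a capture).
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters, e.g. "S", "SA", "A", "PA", "FA"
    seq: int     # TCP sequence number


Endpoint = Tuple[str, int]
Key = Tuple[Endpoint, Endpoint]


def four_tuple(p: Packet) -> Key:
    """Direction-independent 4-tuple so both halves of a session share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def is_initial_syn(p: Packet) -> bool:
    """A bare SYN (no ACK) opens or re-opens a session; SYN/ACK does not."""
    return "S" in p.flags and "A" not in p.flags


def group_conversations(packets: List[Packet]) -> List[dict]:
    """Split packets into conversations keyed on 4-tuple plus SYN ISN.

    A SYN whose ISN differs from the current conversation's ISN for that
    4-tuple starts a new conversation; a SYN with the same ISN is treated as
    a retransmission and stays put. Non-SYN packets join the current
    conversation for their 4-tuple (or open one with an unknown ISN when the
    capture missed the handshake).
    """
    convs: List[dict] = []
    current: Dict[Key, int] = {}          # 4-tuple -> index of its live conversation
    for p in packets:
        key = four_tuple(p)
        idx: Optional[int] = current.get(key)
        if is_initial_syn(p):
            if idx is None or convs[idx]["isn"] != p.seq:
                convs.append({"key": key, "isn": p.seq, "packets": []})
                idx = len(convs) - 1
                current[key] = idx
        elif idx is None:
            convs.append({"key": key, "isn": None, "packets": []})
            idx = len(convs) - 1
            current[key] = idx
        convs[idx]["packets"].append(p)
    return convs


def summarize(packets: List[Packet]) -> List[Tuple[Key, Optional[int], int]]:
    """One row per conversation: (4-tuple, ISN, packet count), like the TCP tab."""
    return [(c["key"], c["isn"], len(c["packets"])) for c in group_conversations(packets)]


CLIENT, SERVER = "10.1.1.1", "74.3.3.1"

# Constructed trace: two sessions on the same 4-tuple, the second starting
# after the first has been torn down. Session 1 includes a retransmitted SYN.
SAMPLE = [
    Packet(CLIENT, 3122, SERVER, 80, "S", 1000),
    Packet(CLIENT, 3122, SERVER, 80, "S", 1000),   # SYN retransmission, same ISN
    Packet(SERVER, 80, CLIENT, 3122, "SA", 9000),
    Packet(CLIENT, 3122, SERVER, 80, "A", 1001),
    Packet(CLIENT, 3122, SERVER, 80, "PA", 1001),  # request
    Packet(SERVER, 80, CLIENT, 3122, "FA", 9001),
    Packet(CLIENT, 3122, SERVER, 80, "FA", 1100),
    Packet(CLIENT, 3122, SERVER, 80, "S", 5000),   # new session, different ISN
    Packet(SERVER, 80, CLIENT, 3122, "SA", 7000),
    Packet(CLIENT, 3122, SERVER, 80, "A", 5001),
    Packet(CLIENT, 3122, SERVER, 80, "FA", 5001),
]

if __name__ == "__main__":
    for key, isn, count in summarize(SAMPLE):
        print(key, "ISN", isn, "packets", count)
```

Run as written it yields two rows for the single 4-tuple, 7 packets with ISN 1000 and 4 packets with ISN 5000, rather than one row of 11, which is the behaviour the accepted answer reports. The `isn is None` branch is worth keeping in mind when reading real statistics: if the capture started mid-session, there is no SYN to split on and everything on that 4-tuple lands in one conversation.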

question asked: 01 Mar '13, 16:38

question was seen: 7,225 times

last updated: 05 Mar '13, 13:59
