Hello, Do the TCP conversations shown in Statistics->Conversations->TCP separate individual TCP sessions between the same hosts and same ports (each with its own SYN FIN etc.) ? Or will it aggregate them into a single entry? I would like to know if it is possible to obtain a summary of each individual TCP session. Thank you in advance! Hugo asked 01 Mar '13, 16:38 hugosp |
2 Answers:
Wireshark will mark treat conversations as unique if the 4 tuple is the same, but the initial sequence number of the TCP SYN packet is different. This way retransmissions of the SYN will not be counted as a different conversation, but a new session with the same 4-tuple will (assuming a random initial sequence number is chosen for each session). The TCP tab in the conversation statistics will follow the conversation marking. I just checked with a crafted file containing two tcp sessions with the same 4-tuple but different initial sequence number. For UDP, there are no sequence numbers, so all packets with the same 4-tuple will be aggregated in one row in the UDP tab of the conversation statistics. answered 03 Mar '13, 11:52 SYN-bit ♦♦ |
An Unique TCP Session comprises of 4 tuple(Source Port , Dest port ,Source IP and Dest IP) "Between same hosts and same ports" what does this mean? Multiple clients can access same server port but they all are unique tcp sessions.AFAIK it is a corner case that 2 TCP Sessions having same 4 topple(SIP,DIP,SP,DP) Senior Folks,correct me if i am wrong. In regular case you can access each individual TCP Session: Go to Statistics>Conversations>TCP Now select a session you want to observer.Right click and apply as a filter >Selected>A<-->B and you will see the summary of packets(3way handshake,Application Transactions,Tear down) in that session answered 01 Mar '13, 18:27 krishnayeddula edited 01 Mar '13, 20:47 1 It's certainly not impossible for two separate TCP sessions to use the same endpoint values. The second session would have to start after the first session is closed, so there can't be two separate sessions using the same endpoint values at the same time, and if the TCP port number in the initial SYN is being dynamically assigned, it's probably not likely that this will happen, but it's not impossible. (01 Mar '13, 22:20) Guy Harris ♦♦ Guy Harris, Thanks for the confirmation.I am sure we can mimic same source port condition using traffic generator tools but my point is the previous session(same 4 tuple) must have to close(which you confirmed) I am curious to know will a situation arise where 2 separate sessions having same 4 tuple "on the flight" ? i.e first session is not closed yet and 2nd syn initiated by client to server will same source port. (02 Mar '13, 03:20) krishnayeddula Hello, Thank you for the comments, but none of you really answered my question. I know it is possible, specially if you are computing statistics over a large packet trace file. My question is if Wireshark separates them or not. Thanks again! Hugo (02 Mar '13, 08:11) hugosp you can access each individual TCP Session: Go to Statistics>Conversations>TCP Now select a session you want to observe.Right click and apply as a filter >Selected>A<-->B and you will see the summary of packets(3way handshake,Application Transactions,Tear down) in that session (02 Mar '13, 09:28) krishnayeddula Hello, Sorry to insist but that is not my question. The fact that I go to one session and only see one Syn, etc., does not guarantee me that it happens on every session in the computed Statistics. However, I created I setup of my own and was able to verify that Wireshark actually separates two TCP sessions with same 4-tuples. (02 Mar '13, 10:56) hugosp sorry for not understanding your question properly. Here is what i inferred 1St session: Client(10.1.1.1) Server(74.3.3.1) SP:3122 DP:80 The first connection is to fetch a HTML Object(index.html) The 4-tuple is 10.1.1.1 74.3.3.1 SP:3122 DP:80 This session got ended Now, 2nd Session: Client(10.1.1.1) Server(74.3.3.1) SP:3122(Which is same as above) DP:80 This session is to fetch a JPG file(index.jpg) So what you are looking is the list of 2 sessions individually in wireshark in spite of same 4tupple? (02 Mar '13, 16:48) krishnayeddula That's correct. So if your 1st Session has 100 packets, and your second session also has 100 packets, my question is if in statistics a single 4-tuple entry will appear with a total of 200 packets, or if they will show up as two separate TCP sessions, each with 100 packets. I think the latter is what happens, and it is also what I was looking for. Please correct me if I am wrong :) thanks again! (03 Mar '13, 11:09) hugosp showing 5 of 7 show 2 more comments |
Thanks for the reply.Any good open source tools to craft a packet?
take a look at this
http://bittwist.sourceforge.net/doc/bittwiste.1.html
or this
http://code.google.com/p/jenny/
Thanks Kurt. Jenny GUI Looking terrific.
Yep. Good luck with it :-)