Hello, do the TCP conversations shown in Statistics->Conversations->TCP separate individual TCP sessions between the same hosts and same ports (each with its own SYN, FIN, etc.)? Or will it aggregate them into a single entry? I would like to know if it is possible to obtain a summary of each individual TCP session.
Thank you in advance! Hugo
asked 01 Mar '13, 16:38
Wireshark will treat conversations as unique if the 4-tuple is the same but the initial sequence number of the TCP SYN packet is different. This way retransmissions of the SYN will not be counted as a different conversation, but a new session with the same 4-tuple will (assuming a random initial sequence number is chosen for each session).
The TCP tab in the conversation statistics will follow the conversation marking. I just checked with a crafted file containing two TCP sessions with the same 4-tuple but different initial sequence numbers.
For UDP, there are no sequence numbers, so all packets with the same 4-tuple will be aggregated in one row in the UDP tab of the conversation statistics.
answered 03 Mar '13, 11:52
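The rule described in the answer above, as a simplified Python model (an added example, not part of the original answers and not Wireshark's code): packets are grouped by a direction-independent 4-tuple, and a bare SYN whose sequence number differs from the one recorded for that 4-tuple opens a new row. The packet tuples, addresses and function names are constructed for illustration.

```python
# Constructed sample packets (not from a real capture):
# (proto, src_ip, src_port, dst_ip, dst_port, tcp_flags, seq)
PACKETS = [
    ("tcp", "10.0.0.1", 40000, "10.0.0.2", 80, "S", 1000),
    ("tcp", "10.0.0.1", 40000, "10.0.0.2", 80, "S", 1000),   # SYN retransmission
    ("tcp", "10.0.0.2", 80, "10.0.0.1", 40000, "SA", 5000),
    ("tcp", "10.0.0.1", 40000, "10.0.0.2", 80, "A", 1001),
    ("tcp", "10.0.0.1", 40000, "10.0.0.2", 80, "FA", 1001),
    ("tcp", "10.0.0.1", 40000, "10.0.0.2", 80, "S", 77000),  # new session, same 4-tuple
    ("tcp", "10.0.0.2", 80, "10.0.0.1", 40000, "SA", 9000),
    ("udp", "10.0.0.1", 5353, "10.0.0.2", 53, "", None),
    ("udp", "10.0.0.2", 53, "10.0.0.1", 5353, "", None),
    ("udp", "10.0.0.1", 5353, "10.0.0.2", 53, "", None),
]


def flow_key(proto, a_ip, a_port, b_ip, b_port):
    """Direction-independent key: both directions of a flow map to one value."""
    return (proto,) + tuple(sorted([(a_ip, a_port), (b_ip, b_port)]))


def conversations(packets):
    """Return one [key, syn_isn, packet_count] row per conversation."""
    rows = []
    active = {}  # flow key -> index of the row currently collecting packets
    for proto, sip, sport, dip, dport, flags, seq in packets:
        key = flow_key(proto, sip, sport, dip, dport)
        idx = active.get(key)
        is_syn = proto == "tcp" and flags == "S"  # bare SYN, not SYN/ACK
        # New row for an unseen 4-tuple, or for a SYN whose sequence number
        # differs from the one recorded for this 4-tuple. A retransmitted SYN
        # carries the same number and stays in the existing row.
        if idx is None or (is_syn and rows[idx][1] != seq):
            rows.append([key, seq if is_syn else None, 0])
            idx = active[key] = len(rows) - 1
        rows[idx][2] += 1
    return rows


if __name__ == "__main__":
    for key, isn, count in conversations(PACKETS):
        print(key, "SYN seq:", isn, "packets:", count)
```

The two TCP sessions share one 4-tuple but land in separate rows, while the three UDP packets collapse into a single row.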
A unique TCP session comprises a 4-tuple (source port, dest port, source IP and dest IP). "Between same hosts and same ports": what does this mean? Multiple clients can access the same server port, but they are all unique TCP sessions. AFAIK it is a corner case for 2 TCP sessions to have the same 4-tuple (SIP, DIP, SP, DP). Senior folks, correct me if I am wrong.
In the regular case you can access each individual TCP session: go to Statistics>Conversations>TCP. Now select a session you want to observe. Right-click and apply as a filter > Selected > A<-->B and you will see the summary of packets (3-way handshake, application transactions, teardown) in that session.
answered 01 Mar '13, 18:27
edited 01 Mar '13, 20:47