Hello, I'm troubleshooting an issue where I need to figure out if the some SYN/ACK that I'm seeing are in response to an specific SYN. I took to independent captures, in two different locations and simultaneously, I can see the SYN from my laptop, but I don't see any SYN/ACK anywhere in the same capture, when I check the other capture I notice that there are many SYN/ACK but I don't know how to match one of those SYN/ACK to the SYN that the computer sent. Can you please help me? asked 06 Mar '13, 09:52 wil1323 |
One Answer:
You need to disable the relative Sequence numbers for the TCP protocol first. You can do that in the preferences -> Protocols sections, or by right clicking the TCP layer in any packet that has TCP inside. Matching packets on multiple locations usually works by finding the same two IPs talking on the same two ports with each other (a "Socket Pair"). Then, try to find the same TCP Sequence numbers of a packet in one trace in the other trace. Sequence numbers are usually unique inside one TCP conversation unless there is so much data transfered that it forces the sequence number to wrap around. If you can find the same packet containing the same socket pair and the same TCP sequence number, you've got it. If you can't find it anywhere, it's probaby not in the trace file. It might still have been on "the wire" but wasn't captured for performance or other reasons. You can usually tell if that is the case if you see the two nodes talking happily (meaning: without retransmissions and duplicate acks) with each other even though there seem to be missing packets. answered 06 Mar '13, 10:19 Jasper ♦♦ edited 06 Mar '13, 15:15 |
Hi Jasper, Can we decode it with stream index?
Let us say the syn is having stream index "n" and obviously the related syn-ack will have index "n" Correct me if i am wrong
Thanks
Going by stream index only works if you only have one trace file. In that case you'll find all packets belonging to one conversation by filtering on its stream index.
Stream index will not work if you compare traces, because the index always starts fresh for each trace, and you can't tell if the same conversation will have the same stream index. If it is, its a pretty rare coincidence, and I wouldn't rely on being that lucky. Better use a conversation filter that contains both IPs and both ports.
Got it thanks
Hello.
One more question, by using the filter tcp.flags == 0x0012, I'm able to find all [ SYN,ACK ] packets in one capture, so now wireshark lists all SYN,ACK, but how can I do a look up in the other sniffer capture that I took, to find out what syn,ack corresponds to what syn.
Thank you again.
You'll have to compare absolute TCP sequence numbers. You could add a custom column for the sequence number to have the numbers listed for each SYN/ACK. Easiest way to do is to select the sequence number in the decode pane of any TCP packet and then use the popup menu to "apply as column".
If you have one SYN/ACK you want to track in the other file you could just filter or search for it, by using "tcp.seq==NUMBER", where "NUMBER" is the number you look for.