This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

When analyzing a capture of a login, how do you determine how many IP packets were generated during the process of the login? I guess part of the answer would need to address how to determine which packets were part of the process so the question is probably better worded as: how are IP packets identified as part of the login?

asked 21 Nov '13, 22:13

pj88's gravatar image

pj88
1113
accept rate: 0%

edited 22 Nov '13, 03:02

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237


IP doesn't really care about logins. That kind of information is exchanged on much higher layers, e.g. HTTP or FTP etc. So you need to ask yourself a different question: How does the login process work? What protocol does it use? And how many packets do you need to exchange the information for that?

Logins can work quite differently for different protocols: some just send a packet saying "this is my username, this is my password, and I'd like to login". Others do it in a much more complex way:

  1. Client: "Hello, I'd like to login."
  2. Server: "Great. Send me your username"
  3. Client "Username is abc"
  4. Server. "Nice. Now the password for abc please"
  5. Client: "Password is def"
  6. Server: "Works for me. Continue"

That example needs at least 6 Packets, going back and forth, plus probably some for the TCP session setup. It can get even more complex, when there are Challenge-Response or Private/Public key mechanisms involved.

permanent link

answered 21 Nov '13, 22:54

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 21 Nov '13, 22:55

how are IP packets identified as part of the login?

I would do it this way

  1. understand the login process for your application (as @Jasper explained)
  2. right click a frame and select "Follow TCP stream"
  3. In the pop-up windows find the first string that looks like being part of the login process, based on your definition.
  4. Copy that string
  5. Search that string in the packet list. Either CTRL-F or frame contains "string"
  6. From there, either look at each packet payload until you find the end of the login process or search again for a string that marks the end of the process (like a status code or so)
  7. Count the number of frames between start and end.

This will only work if the communication is not encrypted or you are able to decrypt it (SSL/TLS decryption in Wireshark).

Regards
Kurt

permanent link

answered 22 Nov '13, 02:12

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 22 Nov '13, 11:41

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×205
×178
×16
×12

question asked: 21 Nov '13, 22:13

question was seen: 3,606 times

last updated: 22 Nov '13, 11:41

p​o​w​e​r​e​d by O​S​Q​A