This is a static archive of our old Q&A Site. Please post any new questions and answers at

Understanding IP packet flow during a login process


When analyzing a capture of a login, how do you determine how many IP packets were generated during the process of the login? I guess part of the answer would need to address how to determine which packets were part of the process so the question is probably better worded as: how are IP packets identified as part of the login?

asked 21 Nov '13, 22:13

pj88's gravatar image

accept rate: 0%

edited 22 Nov '13, 03:02

Kurt%20Knochner's gravatar image

Kurt Knochner ♦

2 Answers:


IP doesn't really care about logins. That kind of information is exchanged on much higher layers, e.g. HTTP or FTP etc. So you need to ask yourself a different question: How does the login process work? What protocol does it use? And how many packets do you need to exchange the information for that?

Logins can work quite differently for different protocols: some just send a packet saying "this is my username, this is my password, and I'd like to login". Others do it in a much more complex way:

  1. Client: "Hello, I'd like to login."
  2. Server: "Great. Send me your username"
  3. Client "Username is abc"
  4. Server. "Nice. Now the password for abc please"
  5. Client: "Password is def"
  6. Server: "Works for me. Continue"

That example needs at least 6 Packets, going back and forth, plus probably some for the TCP session setup. It can get even more complex, when there are Challenge-Response or Private/Public key mechanisms involved.

answered 21 Nov '13, 22:54

Jasper's gravatar image

Jasper ♦♦
accept rate: 18%

edited 21 Nov '13, 22:55


how are IP packets identified as part of the login?

I would do it this way

  1. understand the login process for your application (as @Jasper explained)
  2. right click a frame and select "Follow TCP stream"
  3. In the pop-up windows find the first string that looks like being part of the login process, based on your definition.
  4. Copy that string
  5. Search that string in the packet list. Either CTRL-F or frame contains "string"
  6. From there, either look at each packet payload until you find the end of the login process or search again for a string that marks the end of the process (like a status code or so)
  7. Count the number of frames between start and end.

This will only work if the communication is not encrypted or you are able to decrypt it (SSL/TLS decryption in Wireshark).


answered 22 Nov '13, 02:12

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

edited 22 Nov '13, 11:41