
Hey guys,

I am very new to Wireshark... I want to know how I can recognize different flows in pcap files. I think that packets with the same source and destination address and the same protocol are one flow. Is that right?

Thanks,

asked 20 Dec '14, 08:05

alixx


Usually, flows are recognized by the so-called 5-tuple: two sockets (each a combination of an IP address and a port) talking to each other, and the layer 4 protocol in use.

E.g.: 192.168.0.1:1025 talking to 10.0.0.1:80 via TCP is such a 5-tuple, and would be considered a "flow" in most cases (unless someone has a different idea of what "flow" means). I would prefer "connection" instead, which is clearer.

You can identify those connections in the Statistics -> Conversations window when selecting the TCP or UDP tab.


answered 20 Dec '14, 10:16

Jasper ♦♦

> unless someone has a different idea of what "flow" means

Are "flows" unidirectional (so that a TCP connection has two TCP flows) or bidirectional (so that a TCP connection and a TCP flow are the same thing)?

> I would prefer "connection" instead, which is clearer.

Although, for UDP, there aren't connections at the transport layer, and a conversation at the protocol layer above UDP might involve more than two transport-layer endpoints (e.g., with TFTP, where the first request is from UDP port XXX to UDP port 69, the reply is from UDP port YYY to UDP port XXX, and all subsequent traffic is between UDP ports XXX and YYY).

Wireshark really needs a generalized notion of conversations, so that, for example, TFTP packets over IPv4 over Ethernet would belong to a link-layer conversation between its two MAC addresses (one or both of which might be routers rather than end nodes), an IPv4 conversation between its IPv4 addresses, a UDP conversation between its two UDP ports, and a TFTP conversation between the client and server.

Something in the UI showing conversations could also show flows, in the unidirectional sense.

But I digress. :-)

(20 Dec '14, 15:44) Guy Harris ♦♦

It's all in the definitions I guess ;-)

(22 Dec '14, 05:24) Jasper ♦♦

If your definition of "flow" matches Jasper's description (and mine does), Wireshark automatically labels flows which you can then use in a display filter. Expand the TCP/UDP header, and look for [Stream Index: #]. So for example if the TCP packet you have selected is labeled [Stream Index: 4], you can then use "tcp.stream == 4" in your display filter. This is a /very/ handy shortcut to something like "ip.addr X.X.X.X and ip.addr Y.Y.Y.Y and tcp.port eq AAAA and tcp.port eq BBBB". In fact it is so handy that I add the stream number as a custom column in my default Wireshark view.

(22 Dec '14, 05:32) smp
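The three points made above (Jasper's 5-tuple, Guy Harris's distinction between unidirectional flows and bidirectional conversations and his TFTP case, and smp's stream-index filter) can be seen together in a small script. This is an added example, not code from any of the posters or from Wireshark itself; it works on a constructed list of packet 5-tuples rather than a real pcap, and the `Packet`, `conversation_key`, `assign_stream_index` and filter-building helpers are names chosen here for illustration. The stream numbering mimics how `tcp.stream` / `udp.stream` count conversations in order of first appearance, with the simplification noted in the comment.

```python
from typing import NamedTuple


class Packet(NamedTuple):
    """Minimal view of one packet: just the fields that make up the 5-tuple."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "TCP" or "UDP"


# Constructed sample packets (not from a real capture): one complete TCP
# handshake, a second TCP connection to the same server, and a TFTP exchange
# in which the server answers from a fresh port rather than from port 69.
SAMPLE = [
    Packet("192.168.0.1", 1025, "10.0.0.1", 80, "TCP"),        # SYN
    Packet("10.0.0.1", 80, "192.168.0.1", 1025, "TCP"),        # SYN/ACK
    Packet("192.168.0.1", 1025, "10.0.0.1", 80, "TCP"),        # ACK
    Packet("192.168.0.1", 1026, "10.0.0.1", 80, "TCP"),        # second connection
    Packet("192.168.0.1", 40000, "10.0.0.2", 69, "UDP"),       # TFTP read request
    Packet("10.0.0.2", 50000, "192.168.0.1", 40000, "UDP"),    # TFTP DATA from a new port
    Packet("192.168.0.1", 40000, "10.0.0.2", 50000, "UDP"),    # TFTP ACK
]


def flow_key(pkt):
    """Unidirectional 5-tuple: A->B and B->A are two different flows."""
    return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


def conversation_key(pkt):
    """Bidirectional 5-tuple: both directions map to the same key by
    ordering the two (ip, port) sockets before building the tuple."""
    lo, hi = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (pkt.proto, lo, hi)


def assign_stream_index(packets):
    """Number conversations in order of first appearance, with a separate
    counter per transport protocol, the way Wireshark's tcp.stream and
    udp.stream fields do. (Simplification: Wireshark also starts a new TCP
    stream when a 4-tuple is reused by a later SYN; this does not.)"""
    tables = {"TCP": {}, "UDP": {}}
    indices = []
    for pkt in packets:
        table = tables[pkt.proto]
        key = conversation_key(pkt)
        if key not in table:
            table[key] = len(table)
        indices.append(table[key])
    return indices


def summarize_conversations(packets):
    """Per conversation: its stream index, packet count and the set of
    unidirectional flows seen (1 = one-way so far, 2 = both directions)."""
    summary = {}
    for pkt, idx in zip(packets, assign_stream_index(packets)):
        entry = summary.setdefault(conversation_key(pkt),
                                   {"stream": idx, "packets": 0, "flows": set()})
        entry["packets"] += 1
        entry["flows"].add(flow_key(pkt))
    return summary


def count_unidirectional_flows(packets):
    """How many flows there are in Guy Harris's one-way sense."""
    return len({flow_key(p) for p in packets})


def stream_filter(pkt, index):
    """Short display filter, e.g. 'tcp.stream == 4'."""
    return f"{pkt.proto.lower()}.stream == {index}"


def explicit_filter(pkt):
    """Long-form equivalent built from the 5-tuple. Both directions are
    spelled out with ip.src/ip.dst and srcport/dstport so the filter cannot
    also match a crossed pair such as A:Y <-> B:X, which the looser
    'ip.addr == A and ip.addr == B and tcp.port == X and tcp.port == Y'
    form would."""
    p = pkt.proto.lower()
    fwd = (f"ip.src == {pkt.src_ip} and {p}.srcport == {pkt.src_port} and "
           f"ip.dst == {pkt.dst_ip} and {p}.dstport == {pkt.dst_port}")
    rev = (f"ip.src == {pkt.dst_ip} and {p}.srcport == {pkt.dst_port} and "
           f"ip.dst == {pkt.src_ip} and {p}.dstport == {pkt.src_port}")
    return f"({fwd}) or ({rev})"


if __name__ == "__main__":
    for key, info in summarize_conversations(SAMPLE).items():
        proto, (a_ip, a_port), (b_ip, b_port) = key
        print(f"{proto} {a_ip}:{a_port} <-> {b_ip}:{b_port}  "
              f"stream={info['stream']} packets={info['packets']} "
              f"directions={len(info['flows'])}")
    print(stream_filter(SAMPLE[0], 0))
    print(explicit_filter(SAMPLE[0]))
```

Running it shows four conversations (two TCP, two UDP) but six unidirectional flows, and the TFTP exchange lands in two separate UDP conversations because the server replied from a different port than the one the request went to, which is exactly the case where a per-5-tuple view splits one application-level conversation.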
question asked: 20 Dec '14, 08:05

question was seen: 7,900 times

last updated: 22 Dec '14, 05:32
