I am very new to Wireshark... I want to know how can I recognize different flows in pcap files? I think that packets with the same source and destination address and the same protocol are one flow. Is that right?
asked 20 Dec '14, 08:05
Usually, flows are recognized by the so-called 5-tuple: two sockets (which is a combination of an IP address and a port) talking to each other, and the layer 4 protocol in use.
E.g.: 192.168.0.1:1025 talking to 10.0.0.1:80 via TCP is such a 5-tuple, and would be considered a "flow" in most cases (unless someone has a different idea of what "flow" means). I would prefer "connection" instead, which is clearer.
You can identify those connections in the Statistics -> Conversations window when selecting the TCP or UDP tab.
answered 20 Dec '14, 10:16
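The 5-tuple grouping described in the answer above, as an added example that is not part of the original post: each packet is keyed by (protocol, socket A, socket B), with both directions of a connection folded into one key the way the Conversations window counts them. The packet records are constructed sample data rather than packets read from a real pcap, and the function names are my own.

```python
# Added example (not from the original answer): grouping packets into flows by
# the 5-tuple (src IP, src port, dst IP, dst port, L4 protocol).
from collections import defaultdict

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, proto, length)
SAMPLE_PACKETS = [
    ("192.168.0.1", 1025, "10.0.0.1", 80, "TCP", 74),
    ("10.0.0.1", 80, "192.168.0.1", 1025, "TCP", 74),     # reply in the same connection
    ("192.168.0.1", 1025, "10.0.0.1", 80, "TCP", 66),
    ("192.168.0.1", 1026, "10.0.0.1", 80, "TCP", 74),     # new source port -> new flow
    ("192.168.0.1", 53001, "10.0.0.53", 53, "UDP", 70),
    ("10.0.0.53", 53, "192.168.0.1", 53001, "UDP", 120),
]


def flow_key(pkt, bidirectional=True):
    """Return the 5-tuple identifying the flow a packet belongs to.

    With bidirectional=True both directions of a connection map to the same
    key (as in Wireshark's Conversations window): the two sockets are sorted
    so the key does not depend on which side sent the packet.
    """
    src_ip, src_port, dst_ip, dst_port, proto, _length = pkt
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    if bidirectional and b < a:
        a, b = b, a
    return (proto, a, b)


def group_flows(packets, bidirectional=True):
    """Map each flow key to its packet count and total bytes."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        entry = stats[flow_key(pkt, bidirectional)]
        entry["packets"] += 1
        entry["bytes"] += pkt[5]
    return dict(stats)


if __name__ == "__main__":
    # Same address pair and protocol but a different port is a separate flow,
    # which is why "same addresses + same protocol" alone is not enough.
    for key, st in group_flows(SAMPLE_PACKETS).items():
        proto, (ip_a, port_a), (ip_b, port_b) = key
        print(f"{proto} {ip_a}:{port_a} <-> {ip_b}:{port_b}: "
              f"{st['packets']} pkts, {st['bytes']} bytes")
```

Run with `bidirectional=False` to see the per-direction split, which separates the request and reply sides of the same connection.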