This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to recognize a flow in wireshark?

0

Hey guys,

I am very new to Wireshark... I want to know how I can recognize different flows in pcap files. I think that packets with the same source and destination address and the same protocol are one flow. Is that right?

Thanks,

asked 20 Dec '14, 08:05

alixx
accept rate: 0%


One Answer:

1

Usually, flows are recognized by the so-called 5-tuple: two sockets (each a combination of an IP address and a port) talking to each other, and the layer 4 protocol in use.

E.g.: 192.168.0.1:1025 talking to 10.0.0.1:80 via TCP is such a 5-tuple, and would be considered a "flow" in most cases (unless someone has a different idea of what "flow" means). I would prefer "connection" instead, which is clearer.

You can identify those connections in the Statistics -> Conversations window when selecting the TCP or UDP tab.

answered 20 Dec '14, 10:16

Jasper ♦♦
accept rate: 18%

unless someone has a different idea of what "flow" means

Are "flows" unidirectional (so that a TCP connection has two TCP flows) or bidirectional (so that a TCP connection and a TCP flow are the same thing)?

I would prefer "connection" instead, which is clearer.

Although, for UDP, there aren't connections at the transport layer, and a conversation at the protocol layer above UDP might involve more than two transport-layer endpoints (e.g., with TFTP, where the first request is from UDP port XXX to UDP port 69, the reply is from UDP port YYY to UDP port XXX, and all subsequent traffic is between UDP ports XXX and YYY).

Wireshark really needs a generalized notion of conversations, so that, for example, TFTP packets over IPv4 over Ethernet would belong to a link-layer conversation between its two MAC addresses (one or both of which might be routers rather than end nodes), an IPv4 conversation between its IPv4 addresses, a UDP conversation between its two UDP ports, and a TFTP conversation between the client and server.

Something in the UI showing conversations could also show flows, in the unidirectional sense.

But I digress. :-)

(20 Dec '14, 15:44) Guy Harris ♦♦

It's all in the definitions I guess ;-)

(22 Dec '14, 05:24) Jasper ♦♦

If your definition of "flow" matches Jasper's description (and mine does), Wireshark automatically labels flows, which you can then use in a display filter. Expand the TCP/UDP header and look for [Stream Index: #]. So, for example, if the TCP packet you have selected is labeled [Stream Index: 4], you can then use "tcp.stream == 4" in your display filter. This is a /very/ handy shortcut to something like "ip.addr X.X.X.X and ip.addr Y.Y.Y.Y and tcp.port eq AAAA and tcp.port eq BBBB". In fact, it is so handy that I add the stream number as a custom column in my default Wireshark view.

(22 Dec '14, 05:32) smp
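The following is an added example, not code from the thread or from Wireshark itself, that makes the three ideas discussed above concrete: Jasper's 5-tuple, Guy Harris's distinction between unidirectional flows and bidirectional conversations, and smp's point that a stream index is shorthand for a four-term address/port filter. It works on a small constructed list of packet tuples rather than a real pcap, and its stream numbering (a per-protocol counter in first-seen order) is a simplified model of how Wireshark assigns tcp.stream / udp.stream; it does not reproduce Wireshark's handling of port reuse, where a new SYN on the same 5-tuple starts a new stream.

```python
# Constructed sample packets (not taken from any capture in the thread).
# Each entry is (src_ip, src_port, dst_ip, dst_port, transport_protocol).
SAMPLE_PACKETS = [
    ("192.168.0.1", 1025, "10.0.0.1", 80, "TCP"),   # client -> server
    ("10.0.0.1", 80, "192.168.0.1", 1025, "TCP"),   # server -> client, same conversation
    ("192.168.0.1", 1026, "10.0.0.1", 80, "TCP"),   # second TCP conversation (new client port)
    ("192.168.0.1", 1025, "10.0.0.1", 80, "UDP"),   # same addresses/ports, different protocol
    ("10.0.0.1", 80, "192.168.0.1", 1025, "TCP"),   # another packet of the first conversation
]


def unidirectional_key(pkt):
    """A unidirectional flow is the raw 5-tuple: direction matters."""
    return pkt


def conversation_key(pkt):
    """A bidirectional conversation ignores direction: both endpoints are
    sorted so A->B and B->A map to the same key. Protocol stays part of it."""
    src_ip, src_port, dst_ip, dst_port, proto = pkt
    ends = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return (proto, ends[0], ends[1])


def count_flows(packets, key_fn):
    """Number of distinct flows under the given definition of 'flow'."""
    return len({key_fn(p) for p in packets})


def assign_stream_indexes(packets):
    """Return one stream index per packet. Indexes start at 0 per transport
    protocol and are handed out in first-seen order, mirroring the shape of
    Wireshark's tcp.stream / udp.stream fields (simplified model, see lead-in)."""
    next_index = {}        # proto -> next unused index
    index_of = {}          # conversation key -> stream index
    result = []
    for pkt in packets:
        key = conversation_key(pkt)
        proto = key[0]
        if key not in index_of:
            index_of[key] = next_index.get(proto, 0)
            next_index[proto] = index_of[key] + 1
        result.append(index_of[key])
    return result


def display_filter_for(pkt):
    """Long-form display filter that 'tcp.stream == N' abbreviates.
    Note it is slightly looser than the stream index: it would also match
    a packet between src_ip:dst_port and dst_ip:src_port."""
    src_ip, src_port, dst_ip, dst_port, proto = pkt
    p = proto.lower()
    return (f"ip.addr == {src_ip} and ip.addr == {dst_ip} and "
            f"{p}.port == {src_port} and {p}.port == {dst_port}")


if __name__ == "__main__":
    print("unidirectional flows:", count_flows(SAMPLE_PACKETS, unidirectional_key))
    print("bidirectional conversations:", count_flows(SAMPLE_PACKETS, conversation_key))
    for pkt, idx in zip(SAMPLE_PACKETS, assign_stream_indexes(SAMPLE_PACKETS)):
        print(f"{pkt[4].lower()}.stream == {idx}   <=>   {display_filter_for(pkt)}")
```

On the sample data the five packets form four unidirectional flows but only three conversations (two TCP, one UDP), which is exactly the ambiguity Guy Harris raises. To apply the same idea to a real capture from the command line, tshark can print the field Wireshark computes for you, e.g. `tshark -r capture.pcap -T fields -e tcp.stream -e ip.src -e ip.dst`, and `tshark -r capture.pcap -Y "tcp.stream == 4"` selects one conversation the same way the display filter in smp's comment does.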