This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Follow TCP stream, requests and answers in different streams

0

Hello. I'm trying to analyze some HTTP traffic. In the older version of Wireshark, requests and responses were displayed in the same window, but after an update I can only see requests or only responses; they are in different streams for some reason.

asked 16 Feb '15, 21:58

blaine
6113
accept rate: 0%

Which version of Wireshark were you using when it still worked and which version are you using now?

If you can supply the capture file (on Cloudshark for instance), that would be great. You can anonymize the file with TraceWrangler if you need to remove the IP addresses and/or the TCP payload of the packets.

(17 Feb '15, 00:31) SYN-bit ♦♦

here it is: https://www.cloudshark.org/captures/28457348b590

I don't remember what version it was exactly, but it was a few months ago. I needed to see why something isn't working, so I launched Wireshark and it requested an update. I updated and...

(17 Feb '15, 08:08) blaine

One Answer:

1

but after an update I can only see requests or only responses, they are in different streams for some reason.

This is (most certainly) not a Wireshark issue, but an issue with the capture file. Take a look at frame #1 and frame #2 and you'll realize that the capture file (most certainly) has been modified with some tools and something went wrong.

Reasons:

Frame #1: SEQ = 4259920039
Frame #2: ACK = 4259920040

So, frame #2 is (most certainly) the SYN-ACK for the SYN in frame #1, however with different source ports.

Furthermore, the src-mac and dst-mac in frame #2 are IDENTICAL !?! Same for other frames...

My conclusion: This capture file has been run through a pcap anonymization tool and something went wrong.

Regards
Kurt

answered 17 Feb '15, 14:50

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 17 Feb '15, 14:53
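
The two inconsistencies the answer points out can be checked mechanically before trusting a capture that has been through an anonymizer. The following is an added example, not part of the original answer: it parses raw Ethernet/IPv4/TCP frames and flags identical source and destination MACs and a SYN-ACK whose ports do not mirror the SYN it acknowledges. The helper names and all sample frames are constructed; only the SEQ/ACK pair is taken from the page.

```python
import struct

def parse(frame):
    """Return header fields of a raw Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip IPv4 header (IHL words)
    if len(tcp) < 14:
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"smac": frame[6:12], "dmac": frame[0:6], "sport": sport,
            "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(off_flags & 0x02), "ackf": bool(off_flags & 0x10)}

def find_anomalies(frames):
    """Flag the two inconsistencies named in the answer; frames are numbered from 1."""
    findings, syns = [], {}
    for no, raw in enumerate(frames, start=1):
        p = parse(raw)
        if p is None:
            continue
        if p["smac"] == p["dmac"]:
            findings.append((no, "identical source and destination MAC"))
        if p["syn"] and not p["ackf"]:
            syns[(p["seq"] + 1) & 0xFFFFFFFF] = (no, p)  # ACK a SYN-ACK must carry
        elif p["syn"] and p["ackf"] and p["ack"] in syns:
            syn_no, s = syns[p["ack"]]
            if (p["sport"], p["dport"]) != (s["dport"], s["sport"]):
                findings.append((no, f"SYN-ACK for frame {syn_no} with non-mirrored ports"))
    return findings

def build(smac, dmac, src, dst, sport, dport, seq, ack, flags):
    """Build a constructed test frame (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    return dmac + smac + b"\x08\x00" + ip + tcp

# Constructed sample: only the SEQ/ACK pair of frames 1 and 2 comes from the page.
A, B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
C, S = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SAMPLE = [
    build(A, B, C, S, 50000, 80, 4259920039, 0, 0x02),     # SYN
    build(B, B, S, C, 80, 50777, 1000, 4259920040, 0x12),  # damaged SYN-ACK
    build(A, B, C, S, 50001, 80, 7000, 0, 0x02),           # healthy SYN
    build(B, A, S, C, 80, 50001, 9000, 7001, 0x12),        # healthy SYN-ACK
]

if __name__ == "__main__":
    for no, msg in find_anomalies(SAMPLE):
        print(f"frame {no}: {msg}")
```

Frames that are not plain Ethernet/IPv4/TCP (VLAN-tagged or IPv6, for example) are skipped rather than flagged.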