This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible for Wireshark to analyze (TCP) conversations?


Good day everyone.

I am interested in application protocol analysis, especially of protocols whose data (or payload) can't be transferred in only one network packet. So my question is: is it possible for Wireshark to analyze, for example, assembled TCP conversations to extract application layer protocol data? As far as I know, Wireshark tries to make such an analysis (application protocol extraction) for each network packet separately, except for IPv4 defragmentation. If I'm wrong, please explain to me how Wireshark can help me with my problem. Otherwise, wouldn't you want to add such an option (I mean an analysis of assembled conversations), at least for some application layer protocols?

Thanks in advance.

asked 20 Apr '15, 01:26

ustas


One Answer:


Yes, Wireshark does packet reassembly for content that spans multiple packets. You can see that it does if you try the "Export Objects" option in the File menu.

So it's already there, for IP fragmentation as well as TCP segments and SSL.

answered 20 Apr '15, 02:09

Jasper ♦♦

Jasper, thanks for the fast answer. I found that Wireshark may export objects transferred through HTTP, DICOM, and SMB/SMB2. This is useful for me but not exactly what I want. For example, some proprietary protocol uses TCP as a transport for its own packets, and each packet spans multiple TCP packets. I want to parse packets of that proprietary protocol. Can Wireshark help me with such a problem? How does Wireshark operate on reassembled TCP? Is it possible to apply "the same" parser both to packets and to reassembled conversations?

(24 Apr '15, 09:18) ustas

You'll need to write a dissector for that protocol, and the dissector will require code to manage the reassembly of protocol data spread over multiple packets.

This is all standard fare for Wireshark dissectors.

(24 Apr '15, 09:27) grahamb ♦
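As an added illustration of what grahamb describes (this is example code written for this page, not code from the thread or from the Wireshark project), here is a Lua dissector for a hypothetical length-prefixed protocol carried over TCP. The protocol ("demoproto"), its port (5555) and its framing (a 4-byte big-endian payload length followed by that many payload bytes) are all assumptions made for the example. The part that answers the question is the `desegment_offset` / `desegment_len` handling: when a PDU is not complete in the current segment, the dissector tells the TCP layer how much more data it needs, and Wireshark calls the same dissector function again with the reassembled data, so one parser serves both single-segment and multi-segment PDUs.

```lua
-- Added example, not from the original thread or the Wireshark project.
-- Hypothetical protocol "demoproto" over TCP:
--   PDU = 4-byte big-endian payload length || payload
-- Assumed port: 5555. Load with: wireshark -X lua_script:demoproto.lua

local demoproto = Proto("demoproto", "Demo length-prefixed protocol (example)")

local f_len     = ProtoField.uint32("demoproto.len", "Payload length", base.DEC)
local f_payload = ProtoField.bytes("demoproto.payload", "Payload")
demoproto.fields = { f_len, f_payload }

local HEADER_LEN     = 4
local MAX_PDU_LEN    = 1024 * 1024  -- sanity bound (assumed); see note below
local DEMOPROTO_PORT = 5555         -- assumed

-- Dissect one PDU starting at `offset`.
-- Returns: bytes consumed (> 0) when a complete PDU was dissected,
--          0 when not even the 4-byte header is available,
--          -(missing) when the header is present but the payload is short.
local function dissect_pdu(tvb, pinfo, tree, offset)
    local available = tvb:len() - offset
    if available < HEADER_LEN then
        return 0
    end

    local pdu_len = tvb(offset, HEADER_LEN):uint()

    -- Hardening: a hostile or corrupt stream must not make the TCP layer
    -- buffer an unbounded amount of data waiting for a PDU that never ends.
    if pdu_len > MAX_PDU_LEN then
        tree:add(demoproto, tvb(offset),
                 string.format("Demo PDU (invalid length %u, giving up on this stream)", pdu_len))
        return available
    end

    local total = HEADER_LEN + pdu_len
    if available < total then
        return -(total - available)
    end

    -- Only build the tree once the whole PDU is present, so nothing is
    -- shown twice when Wireshark re-runs us on the reassembled buffer.
    local subtree = tree:add(demoproto, tvb(offset, total), "Demo PDU")
    subtree:add(f_len, tvb(offset, HEADER_LEN))
    if pdu_len > 0 then
        subtree:add(f_payload, tvb(offset + HEADER_LEN, pdu_len))
    end
    return total
end

function demoproto.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "DEMOPROTO"
    local offset = 0
    local pdus = 0

    -- A segment may hold several PDUs, or the tail of one and the head of
    -- the next, so loop until the buffer is exhausted or a PDU is short.
    while offset < tvb:len() do
        local consumed = dissect_pdu(tvb, pinfo, tree, offset)
        if consumed == 0 then
            -- Header incomplete: we do not yet know the PDU length, so ask
            -- for one more segment and let Wireshark call us again.
            pinfo.desegment_offset = offset
            pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
            return
        elseif consumed < 0 then
            -- Header complete: request exactly the missing byte count.
            pinfo.desegment_offset = offset
            pinfo.desegment_len = -consumed
            return
        end
        offset = offset + consumed
        pdus = pdus + 1
    end

    pinfo.cols.info = string.format("%d PDU(s)", pdus)
end

DissectorTable.get("tcp.port"):add(DEMOPROTO_PORT, demoproto)
```

Two things to keep in mind when using this pattern. First, it only works if the TCP preferences "Analyze TCP sequence numbers" and "Allow subdissector to reassemble TCP streams" are enabled (both are on by default); with reassembly disabled, the dissector is only ever handed the bytes of the current segment. Second, the length sanity check matters for a parser that will be pointed at untrusted captures: without an upper bound, a single bogus length field causes the TCP layer to keep accumulating the stream indefinitely, and a length that wraps when added to the header size can lead to confused offsets, so validate before you ask for more data.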