This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How Wireshark is able to tell streams apart.


Hello All,

I am wondering how Wireshark is able to tell which frames/packets belong to which stream. It seems to be able to tell where one stream starts and ends even if more than one stream shares a single connection.

For example, if I send more than one HTTP connection using one single socket, Wireshark is able to tell that two different HTTP requests/replies were exchanged.

Would this also apply to all other protocols, even if it was a custom one (i.e. an application-specific protocol)?

Thanks.

asked 22 Jul '15, 11:01

hebbo


One Answer:


That is protocol-specific, e.g. if you request multiple things, first of all the reply needs to tell how long each thing is. Wireshark is just able to interpret those length indicators, just like clients do. If you look at HTTP you'll see it giving a size in the headers with each content that is delivered.

answered 22 Jul '15, 11:06

Jasper ♦♦

Thank you for your time and quick response. I appreciate it.

I know a bit about HTTP, content length and others. But what if you have two requests coming at around the same time and responses sent around the same time? The two requests are large enough for the frames from the two transactions to be mingled with each other. Would Wireshark tell them apart too?

If you can give me some sort of formal specification that would be fine. I believe I know enough to understand it.

Thank you again.

(22 Jul '15, 11:13) hebbo

The requests and responses within a single connection are serialized. You can only request a new item when the previous has been delivered.

(22 Jul '15, 11:19) Jasper ♦♦
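
The length-based framing described in the answer, as an added example that is not part of the original thread and is not Wireshark's own code: it buffers the payloads of one direction of a TCP connection and cuts the byte stream into HTTP responses using the `Content-Length` header. The class name, sample stream and segment boundaries are constructed for illustration, and chunked transfer encoding is assumed absent.

```python
class HttpResponseSplitter:
    """Hypothetical helper: splits one direction of a TCP byte stream into
    HTTP/1.1 messages using Content-Length framing only (no chunked encoding)."""

    def __init__(self):
        self.buf = b""

    def feed(self, segment: bytes) -> list:
        """Add one TCP segment payload; return every message now complete."""
        self.buf += segment
        done = []
        while True:
            head_end = self.buf.find(b"\r\n\r\n")
            if head_end < 0:
                break  # header block not fully received yet
            head = self.buf[:head_end].decode("iso-8859-1")
            lines = head.split("\r\n")
            headers = {}
            for line in lines[1:]:
                name, _, value = line.partition(":")
                headers[name.strip().lower()] = value.strip()
            length = int(headers.get("content-length", "0"))
            total = head_end + 4 + length
            if len(self.buf) < total:
                break  # body still spread over later segments
            done.append((lines[0], self.buf[head_end + 4:total]))
            self.buf = self.buf[total:]  # next message starts right here
        return done


# Constructed sample: two responses sent back to back on one connection,
# cut into segments at arbitrary points the way TCP may deliver them.
STREAM = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
          b"HTTP/1.1 404 Not Found\r\nContent-Length: 9\r\n\r\nnot found")
SEGMENTS = [STREAM[:20], STREAM[20:50], STREAM[50:]]


def split_sample():
    splitter = HttpResponseSplitter()
    messages = []
    for seg in SEGMENTS:
        messages.extend(splitter.feed(seg))
    return messages


if __name__ == "__main__":
    for status, body in split_sample():
        print(status, body)
```

The second segment carries the end of the first response and the start of the second; the length field is what tells the parser where one stops and the next begins.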