This is our old Q&A Site. Please post any new questions and answers at

I'm trying to write a python module for determining SCTP associations from captured traffic. It works fine when I read a pcap that has SACK chunks (since my heuristic uses TSNs), but I have a couple of files that don't have these chunks (either because they have been removed, or because they mostly contain retransmissions)

When I try to run the script on these files, I get different results to Wireshark's Telephony>SCTP>Show All Associations utility.

At the moment I'm using a combination of comparing TSNs and comparing Transport Addresses. For the latter, arrays of unique src and dst transport addresses are kept for each endpoint. When a src TA for one endpoint is found in the dst array of another, they are made more likely to be put into an association together.

For example with this file, my script gets all associations right, except the ones with VTags: 838939786, 4139831617 and 3653663047.

Wireshark pairs up the first 2, and the 365[...] with a 0 VTag.

My script puts 838[...] and 365[...] together, and 413[...] with a 0 VTag.

Is there something else Wireshark does that I've not considered?

asked 06 Aug '15, 06:06

Alex%20Hunter's gravatar image

Alex Hunter
accept rate: 0%

edited 06 Aug '15, 07:56

Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 06 Aug '15, 06:06

question was seen: 973 times

last updated: 06 Aug '15, 07:56

p​o​w​e​r​e​d by O​S​Q​A