Wonder if there is a way to search for TCP sessions whose tcp server IP is xx.xx.xx.xx. Can't find a capture filter (BPF) nor display filter to do this. Any ideas? Thanks. asked 07 Sep '15, 20:42 pktUser1001
One Answer:
There is nothing in the TCP layer that indicates what's a "server" and what's a "client", except maybe the initial handshake if the client initiates the connection (which is the usual case, although there can be protocols where the connection is initiated by the server, for example in response to traffic in another protocol as with some FTP data connections). However, that would require that the initial handshake be captured and that its information is made available to the filter, which is not the case for capture filters or display filters. So it'd have to be based either on identifying the server by TCP port number, for protocols with a registered or well-known port number, such as 80 for HTTP or 443 for HTTP-over-SSL, or on somehow identifying the server and client for some particular protocol based on the packet data for that protocol. In either case, there's no general protocol-independent solution; you can't say "show me all sessions whose server is xx.xx.xx.xx", you could only say, for some particular protocol, "show me all protocol XXX sessions whose server is xx.xx.xx.xx". So:
...you'd have to either:
or
...you'd either have to do something based on the port number, similar to what was suggested in the first example for capture filters, or based on fields in the protocol(s) running on top of TCP, as dissected by Wireshark, which is similar in concept to the second example for capture filters, but possibly easier if Wireshark dissects that particular protocol. answered 07 Sep '15, 22:28 Guy Harris
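As an added example, not part of the question or of the answer above: the handshake-based classification the answer describes as unavailable to capture and display filters is straightforward once something walks the whole capture and keeps state. The Python below parses a classic pcap (a constructed one, Ethernet/IPv4/TCP only, built inline so it runs offline), takes the destination of each bare SYN as that session's server, and so answers "all sessions whose server is X" protocol-independently; sessions whose handshake is not in the capture are reported separately, which is the caveat the answer raises. The addresses, ports, and frame-building helpers are assumptions for the example. For the port-based alternative the answer suggests, a capture filter such as `tcp and host 192.0.2.10 and port 443` or a display filter such as `ip.addr == 192.0.2.10 && tcp.port == 443` selects both directions of sessions on that port, on the assumption that 443 is the service port and 192.0.2.10 is the host of interest.

```python
import socket
import struct
from typing import Dict, List, Tuple

SYN, ACK = 0x02, 0x10
Endpoint = Tuple[str, int]

# --- Constructed sample capture (helpers are assumptions for this example, not Wireshark code) ---

def _ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Ethernet/IPv4/TCP frame with dummy MACs and a zero TCP checksum (enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp

def build_pcap(frames: List[bytes]) -> bytes:
    """Classic little-endian pcap, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

def sample_pcap() -> bytes:
    """Three constructed sessions involving 192.0.2.10, which is the server in only one of them."""
    return build_pcap([
        # A: 10.0.0.5 connects to 192.0.2.10:443 (full handshake captured)
        build_tcp_frame("10.0.0.5", "192.0.2.10", 40000, 443, SYN),
        build_tcp_frame("192.0.2.10", "10.0.0.5", 443, 40000, SYN | ACK),
        build_tcp_frame("10.0.0.5", "192.0.2.10", 40000, 443, ACK),
        # B: 192.0.2.10 is the *client* here, connecting out to 10.0.0.5:8080
        build_tcp_frame("192.0.2.10", "10.0.0.5", 50000, 8080, SYN),
        build_tcp_frame("10.0.0.5", "192.0.2.10", 8080, 50000, SYN | ACK),
        # C: mid-stream traffic only; the handshake is not in the capture, so roles are unknown
        build_tcp_frame("10.0.0.7", "192.0.2.10", 51000, 22, ACK),
        build_tcp_frame("192.0.2.10", "10.0.0.7", 22, 51000, ACK),
    ])

# --- Parsing and server identification ---

def iter_tcp_packets(pcap: bytes):
    """Yield (src_ip, sport, dst_ip, dport, tcp_flags) for each IPv4/TCP frame in a classic pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"           # nanosecond-magic variants not handled
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("example handles Ethernet (linktype 1) captures only")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                       # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (socket.inet_ntoa(frame[26:30]), sport,
               socket.inet_ntoa(frame[30:34]), dport, tcp[13])

def sessions_by_server(pcap: bytes, server_ip: str):
    """Sessions whose server (destination of the bare SYN) is server_ip, plus sessions
    that cannot be classified because their handshake was not captured."""
    servers: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}
    seen = set()
    for src, sport, dst, dport, flags in iter_tcp_packets(pcap):
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent session key
        seen.add(key)
        if flags & SYN and not flags & ACK:                # bare SYN: its receiver is the server
            servers[key] = (dst, dport)
    matches = []
    for key, server in servers.items():
        if server[0] == server_ip:
            client = key[0] if key[1] == server else key[1]
            matches.append((client[0], client[1], server[0], server[1]))
    unclassified = sorted(k for k in seen if k not in servers)
    return sorted(matches), unclassified

if __name__ == "__main__":
    hits, unknown = sessions_by_server(sample_pcap(), "192.0.2.10")
    for c_ip, c_port, s_ip, s_port in hits:
        print(f"{c_ip}:{c_port} -> {s_ip}:{s_port}")
    for a, b in unknown:
        print(f"unclassified (no SYN seen): {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
```

Run against the constructed capture, the script reports only session A for 192.0.2.10, even though that host also appears in sessions B and C; a plain `ip.addr == 192.0.2.10` display filter would show all three. To apply it to a real file, replace `sample_pcap()` with the bytes of a `tcpdump -w` or Wireshark pcap (not pcapng, and Ethernet link type only); a SYN/ACK with no preceding bare SYN is deliberately not used as evidence, since a capture that starts mid-handshake is exactly the case where the role should stay undecided.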
Thanks for the explanation and work-arounds. They work in some cases.