This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to distinguish multiple conversations with the same addr1/port1 and addr2/port2 pair

0

I am writing a dissector for a non-stateless protocol atop TCP. Suppose that there are multiple TCP streams with the same addr1/port1 and addr2/port2 pair, and that I want to assign each one a separate conversation. How do I distinguish them within my dissecting context?

Any guidance will be appreciated. Thanks.

asked 27 Sep '15, 19:22


Peng Zheng


One Answer:

2

I guess you can use the tcp.stream index. It's counted up for each new conversation using the same 5-tuple.

See also https://blog.packet-foo.com/2015/05/port-numbers-reused/

answered 27 Sep '15, 19:24


Jasper ♦♦

"assign each one a separate conversation": TCP already does it (creates the conversation) for me, so all I have to do is check whether per-conversation data for my own protocol exists and, if not, just create it and add it to the conversation. Right?

(28 Sep '15, 02:21) Peng Zheng
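
The approach from the answer and the follow-up comment, as an added example that is not part of the original thread: a Lua dissector that keys its per-connection state on `tcp.stream` instead of the address/port pair, creating the state the first time a stream is seen. The protocol name `myproto`, port 9999 and the message counter are assumptions made for illustration.

```lua
-- Added example: hypothetical protocol "myproto" on TCP port 9999 (both assumed).
local myproto  = Proto("myproto", "My Stateful Protocol (example)")
local f_stream = ProtoField.uint32("myproto.stream", "TCP stream index")
local f_msgno  = ProtoField.uint32("myproto.msgno", "Message number within stream")
myproto.fields = { f_stream, f_msgno }

-- Extractor for the index the TCP dissector assigns to each connection.
-- A reused address/port pair gets a new index, so state never mixes.
local tcp_stream = Field.new("tcp.stream")

local streams = {}  -- per-connection state, keyed by tcp.stream
local frames  = {}  -- per-frame result of the first pass, keyed by frame number

-- Called when a capture is (re)loaded: drop state from the previous file.
function myproto.init()
    streams = {}
    frames  = {}
end

function myproto.dissector(tvb, pinfo, tree)
    local fi = tcp_stream()
    if not fi then return 0 end          -- not carried over TCP: reject
    local idx = fi.value

    -- Update state only on the first sequential pass; later passes happen
    -- in arbitrary order when the user clicks on packets.
    if not pinfo.visited then
        local state = streams[idx]
        if not state then                -- first packet of this connection
            state = { msg_count = 0 }
            streams[idx] = state
        end
        state.msg_count = state.msg_count + 1
        frames[pinfo.number] = state.msg_count
    end

    pinfo.cols.protocol = "MYPROTO"
    local subtree = tree:add(myproto, tvb())
    subtree:add(f_stream, idx):set_generated()
    subtree:add(f_msgno, frames[pinfo.number] or 0):set_generated()
    return tvb:len()
end

DissectorTable.get("tcp.port"):add(9999, myproto)
```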