This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how works TCP Flow

0

Hi I'm trying to find a performance issue with wireshark

I have a capture where the start request (a HTTP POST request) is the packet n° 14481 This request is acked in the packet 423239 66.05 seconds later These start and ack packets have the TCP Stream n° : 106

Between i have thousan of mysql requests but in the TCP Stream n° : 2

My question is :

As the TCP Stream of the mysql request (2) is less than the TCP Stream of the HTTP requests (106), can i suppose that they are not part of my HTTP request ?

And if yes how can i filter in order or only have the ones that where executed between my HTTP request ?

Thanks

asked 28 Jan '16, 01:27

jojoRoro40's gravatar image

jojoRoro40
6112
accept rate: 0%

I am not sure, if I understand your question correct. But maybe this two articles can help you a little bit:

https://blog.packet-foo.com/2015/03/tcp-analysis-and-the-five-tuple/

https://blog.packet-foo.com/2015/05/port-numbers-reused/

(28 Jan '16, 03:16) Christian_R

One Answer:

0

  • If tcp is used to transport http, both the http request and the response to it always use exactly one tcp session. But the same tcp session may be used by several request/response pairs - more than that, it is almost always the case.

  • tcp.stream is not a field you could find in the packet contents. It is a "virtual" or "pseudo" field, i.e. an attribute of a frame which Wireshark generates, in order to make packet analysis easier, by aggregating several real packet fields together. It is the order number of the beginning of that particular tcp session in that particular capture; if you would modify a capture file by removing all packets matching display filter tcp.stream == N from it, stream N+1 from the original file would become stream N in the modified file.

To finish the answer, I need you to explain more precisely what you had in mind when writing

how can i filter in order or only have the ones that where executed between my HTTP request ?

If you had in mind "I want to see all packets, no matter to what tcp session they belong, which have been captured between the http request in tcp stream 106 and the response to it", then you can use a display filter frame.number >= N and frame.number <= M, where N would be the frame number (the leftmost column in default layout of the packet list pane) of the http request, and M would be the frame number of the response.

answered 28 Jan '16, 02:58

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%