I want to determine the connection direction from a single packet's data. The only way I can think of is: if I can know which is the known port number Wireshark used to determine the protocol name. Is there a way to get this information from the PDML? For example: an SNMP packet uses port 161, so if I have a packet whose src is 161 and dest is 4567 I can determine this is a server-to-client packet. It will not always be true, but I think in general I'll get 95% of the packets right. How can I tell which is the known port in a PDML? asked 06 Feb '16, 21:04 kdani
2 Answers:
You can't directly do that from the PDML. The only thing you can do is see which of the two port numbers is lower; that number is probably the right one. However, note that not all servers have port numbers assigned to them; in that case, you're out of luck. answered 10 Feb '16, 00:00 Guy Harris ♦♦
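An added example (not code from the thread) of applying the "lower port is probably the server" heuristic to PDML in Python: it parses a constructed PDML fragment, reads the TCP/UDP port fields and the highest-layer dissector name, and marks the cases the heuristic cannot decide (no transport layer, or equal ports).

```python
import xml.etree.ElementTree as ET

# Constructed PDML fragment (not a real capture): SNMP reply, HTTP request, equal ports.
PDML = """<?xml version="1.0"?>
<pdml version="0" creator="wireshark/2.0.0">
  <packet>
    <proto name="udp" showname="User Datagram Protocol">
      <field name="udp.srcport" showname="Source Port: 161" show="161"/>
      <field name="udp.dstport" showname="Destination Port: 4567" show="4567"/>
    </proto>
    <proto name="snmp" showname="Simple Network Management Protocol"/>
  </packet>
  <packet>
    <proto name="tcp" showname="Transmission Control Protocol">
      <field name="tcp.srcport" show="51234"/>
      <field name="tcp.dstport" show="80"/>
    </proto>
    <proto name="http" showname="Hypertext Transfer Protocol"/>
  </packet>
  <packet>
    <proto name="tcp" showname="Transmission Control Protocol">
      <field name="tcp.srcport" show="40000"/>
      <field name="tcp.dstport" show="40000"/>
    </proto>
  </packet>
</pdml>
"""


def packet_direction(packet):
    """Return (top_protocol, srcport, dstport, direction) for one <packet> element.
    The lower port is taken as the server side; 'unknown' if there is no TCP/UDP
    layer or both ports are equal, since the heuristic cannot decide then."""
    for transport in ("tcp", "udp"):
        sport = packet.find(f"proto[@name='{transport}']/field[@name='{transport}.srcport']")
        dport = packet.find(f"proto[@name='{transport}']/field[@name='{transport}.dstport']")
        if sport is not None and dport is not None:
            break
    else:  # no transport layer at all (ARP, ICMP, ...): nothing to compare
        return (None, None, None, "unknown")
    src, dst = int(sport.get("show")), int(dport.get("show"))
    top = packet.findall("proto")[-1].get("name")  # highest-layer dissector Wireshark chose
    if src == dst:
        return (top, src, dst, "unknown")
    return (top, src, dst, "server->client" if src < dst else "client->server")


def classify_pdml(text):
    """Classify every <packet> in a PDML document string."""
    return [packet_direction(p) for p in ET.fromstring(text).findall("packet")]
```

Run `classify_pdml(PDML)` to get one tuple per packet; a real capture exported with `tshark -T pdml` has the same `proto`/`field` layout, so the same functions apply.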
Have a look at answered 07 Feb '16, 05:38 Jaap ♦
I have no such value in my PDML. (09 Feb '16, 21:44) kdani
You confirm my fears ;-) but Wireshark does know which port defines the selected protocol, it just doesn't export it to the PDML. If I had this knowledge I could easily guess, and usually guess right, the packet direction. (It decides it's HTTP based on the fact that one of the ports is 80....)