This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Reassemble TCP Segments

0

This topic, "How does Wireshark reassemble TCP Segments", is helpful, but does not fully answer "correlation between the [] packets". It describes "when an object has been completely transmitted", but how does Wireshark correlate the packets to the same "message"? (e.g. does it use source IP + port?)

(Apologies for another question, but I don't see a 'comment' button on the other question. Maybe I don't yet have enough karma.)

asked 22 Feb '16, 08:24

DennisR


One Answer:

1

answered 22 Feb '16, 08:32

Jasper ♦♦

Ah! 'the so-called “Five-Tuple” (or 5-tuple) [...] which contains the source IP, source port, destination IP, destination port, and the layer 4 protocol.'

Perfect! Thanks

(22 Feb '16, 08:44) DennisR
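
The 5-tuple correlation discussed in this thread, as an added example that is not part of the original posts and is not Wireshark's own code: it groups constructed sample segments by a direction-independent 5-tuple and orders each direction's payload by sequence number. The sample addresses, ports and the function names `conversation_key` and `reassemble` are assumptions; sequence-number wraparound and partially overlapping segments are not handled.

```python
from collections import defaultdict

TCP = 6  # IANA protocol number for TCP

# Constructed sample segments:
# (src_ip, src_port, dst_ip, dst_port, proto, seq, payload)
SEGMENTS = [
    ("10.0.0.5", 40000, "10.0.0.9", 80, TCP, 1000, b"GET /a HT"),
    ("10.0.0.7", 40000, "10.0.0.9", 80, TCP, 5000, b"GET /b HTTP/1.1\r\n"),
    ("10.0.0.5", 40000, "10.0.0.9", 80, TCP, 1015, b"\r\n"),    # out of order
    ("10.0.0.9", 80, "10.0.0.5", 40000, TCP, 9000, b"HTTP/1.1 200 OK\r\n"),
    ("10.0.0.5", 40000, "10.0.0.9", 80, TCP, 1009, b"TP/1.1"),
    ("10.0.0.5", 40000, "10.0.0.9", 80, TCP, 1009, b"TP/1.1"),  # retransmission
]


def conversation_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent 5-tuple: both directions share one key."""
    a, b = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return (a, b, proto)


def reassemble(segments):
    """Return {(conversation, sender_endpoint): bytes} per direction."""
    flows = defaultdict(dict)
    for src_ip, src_port, dst_ip, dst_port, proto, seq, payload in segments:
        conv = conversation_key(src_ip, src_port, dst_ip, dst_port, proto)
        # Same conversation, but each direction has its own sequence space.
        # setdefault keeps the first copy, so retransmissions are ignored.
        flows[(conv, (src_ip, src_port))].setdefault(seq, payload)

    streams = {}
    for key, by_seq in flows.items():
        data, expected = b"", None
        for seq in sorted(by_seq):
            if expected is not None and seq != expected:
                break  # gap or overlap: later bytes cannot be placed yet
            data += by_seq[seq]
            expected = seq + len(by_seq[seq])
        streams[key] = data
    return streams


if __name__ == "__main__":
    for (conv, sender), data in reassemble(SEGMENTS).items():
        print(conv, "from", sender, data)
```

The two clients share a source port and a destination, so only the full 5-tuple keeps their requests apart; keying on source IP + port alone would also split the server's reply from the request it answers.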