I'm writing a dissector for a protocol that I have to work with. This protocol runs atop TCP and is stateful. In order to dissect the fields correctly, I need to identify which endpoint opened the TCP connection (the client). Is there a way to get this info from the TCP dissector? Would I have to write a tap? I'm not so clear on how to do this in Lua. asked 18 Aug '11, 13:29 Flame
One Answer:
In general, the TCP dissector doesn't, and can't, have that information. If you have not captured the initial 3-way handshake, all you have are data segments and ACKs, and there's no way, from just the TCP header, to determine which of the two endpoints opened the connection. If this is a protocol where there's a standard server port, you could use the port number. If not, you might be able to have a tap listener for the TCP tap, to look at all the packets and hope at least one of them is a SYN packet, so you can see the initial SYN or the SYN+ACK and from that determine which side opened the connection. But if you don't, you're out of luck. answered 18 Aug '11, 18:24 Guy Harris ♦♦

My best bet would be to see who sends data first, then. After the handshake it appears that the client always sends data first. There are multiple services that speak this protocol, and they each use a different default listening port. (18 Aug '11, 18:43) Flame

You might be capturing in the middle of a session, and you might happen to start capturing at a point after the client has sent something to the server but before the server has responded. Those periods of time probably constitute a minority of the total time of the session, so there's probably a good, but not 100%, chance that the endpoint that sent the first non-empty TCP segment is the client. If you know all the possible listening ports, that's just a general case of "you could use the port number". Note also that if it's very stateful, capturing in the middle could lose other info. (18 Aug '11, 19:01) Guy Harris ♦♦

Nope. At least SMTP servers do respond with data immediately after the handshake. http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_transport_example I guess your mileage may vary. (08 Nov '11, 20:30) ShomeaX

Hence "good, but not 100%". Most protocols don't work the way SMTP does here. (09 Nov '11, 10:30) Guy Harris ♦♦
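As an added example (not code from the thread, from Wireshark, or from the asker), here is a Lua script that combines the three approaches discussed above in decreasing order of confidence: a tap listener on the TCP tap records the SYN / SYN+ACK direction when the handshake was captured, a table of known listening ports is consulted when it was not, and the "first non-empty segment" heuristic is the last resort. The protocol name `myproto`, the listening ports 4000 to 4002 and the two display fields are assumptions made up for the illustration; pure SYN segments carry no payload and are never handed to a port-registered dissector, which is why the handshake has to be observed from the tap rather than from the dissector itself.

```lua
-- Added example: decide which TCP endpoint is the client for a stateful
-- protocol, in decreasing order of confidence:
--   "syn"        handshake seen in the capture (definitive)
--   "port"       one side uses a known listening port
--   "first-data" sender of the first non-empty segment (heuristic; wrong
--                for banner-first protocols such as SMTP)
local myproto = Proto("myproto", "Hypothetical stateful protocol")  -- assumed name
local f_dir = ProtoField.string("myproto.direction", "Direction")
local f_how = ProtoField.string("myproto.client_reason", "Client determined by")
myproto.fields = { f_dir, f_how }

-- Ports the services speaking this protocol listen on (assumption).
local SERVER_PORTS = { [4000] = true, [4001] = true, [4002] = true }

-- Field extractors must be created at load time; they work both inside
-- the dissector and inside the tap callback.
local tcp_syn = Field.new("tcp.flags.syn")
local tcp_ack = Field.new("tcp.flags.ack")

-- conversation key -> { client = "addr:port", reason = "syn"|"port"|"first-data" }
local conv = {}

local function endpoint(addr, port)
  return tostring(addr) .. ":" .. port
end

-- Order the two endpoints so both directions map to the same key.
local function conv_key(pinfo)
  local a = endpoint(pinfo.src, pinfo.src_port)
  local b = endpoint(pinfo.dst, pinfo.dst_port)
  if a < b then return a .. "|" .. b end
  return b .. "|" .. a
end

-- Tap listener: sees every TCP segment, including pure SYNs that the
-- TCP dissector never passes to a subdissector.
local tap = Listener.new("tcp")
function tap.packet(pinfo, tvb, tapinfo)
  local syn = tcp_syn()
  if not syn or not syn() then return end          -- not a SYN segment
  local key = conv_key(pinfo)
  if conv[key] and conv[key].reason == "syn" then return end  -- already known
  local ack = tcp_ack()
  if ack and ack() then
    -- SYN+ACK comes from the server, so the receiver is the client.
    conv[key] = { client = endpoint(pinfo.dst, pinfo.dst_port), reason = "syn" }
  else
    -- Plain SYN: the sender opened the connection.
    conv[key] = { client = endpoint(pinfo.src, pinfo.src_port), reason = "syn" }
  end
end
function tap.reset()
  conv = {}   -- capture file closed or reloaded
end

-- Called from the dissector for non-empty segments only.
local function resolve_client(pinfo)
  local key = conv_key(pinfo)
  local e = conv[key]
  if e then return e end
  local src_known, dst_known = SERVER_PORTS[pinfo.src_port], SERVER_PORTS[pinfo.dst_port]
  if dst_known and not src_known then
    e = { client = endpoint(pinfo.src, pinfo.src_port), reason = "port" }
  elseif src_known and not dst_known then
    e = { client = endpoint(pinfo.dst, pinfo.dst_port), reason = "port" }
  else
    -- No handshake, ports ambiguous: assume the first data sender is the
    -- client. This is the "good, but not 100%" guess from the thread.
    e = { client = endpoint(pinfo.src, pinfo.src_port), reason = "first-data" }
  end
  conv[key] = e
  return e
end

function myproto.dissector(tvb, pinfo, tree)
  if tvb:len() == 0 then return end
  pinfo.cols.protocol = "MYPROTO"
  local e = resolve_client(pinfo)
  local dir = "server->client"
  if endpoint(pinfo.src, pinfo.src_port) == e.client then dir = "client->server" end
  local sub = tree:add(myproto, tvb())
  sub:add(f_dir, dir)
  sub:add(f_how, e.reason)
  -- Direction-dependent field parsing would branch on `dir` from here.
end

local tcp_port = DissectorTable.get("tcp.port")
for port in pairs(SERVER_PORTS) do
  tcp_port:add(port, myproto)
end
```

Within a single packet the dissector runs before the tap, so a segment that carries both SYN and payload would be classified by the fallback rules; for ordinary connections the SYN is a separate, earlier frame and the tap entry is in place before the first data segment is dissected. Because the `reason` field is exposed, a display filter such as `myproto.client_reason == "first-data"` shows exactly which conversations were classified by the unreliable heuristic.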
Cross posted to StackOverflow http://stackoverflow.com/questions/7113810/wireshark-lua-dissector-detect-which-endpoint-opened-the-connection.