This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

New to WS and TCP analysis and hoping someone can answer the following questions.

I'm using version 2.2.4 on Windows 10

  1. I want to know if the application I'm using is single thread or multi thread and believe WS can help clarify this correct?
  2. After the capture is done if I go up to statistics and conversations then TCP I saw only one conversations between the two IP addresses I am interested in. I only had one Instance of the application open does that mean it's a single thread? However, we could of opened up multiple instances of the application so does that mean it's multi-thread?

  3. If I scroll through a capture and find a packet with the destination IP my application is talking to and right click and choose conversation filter and click on TCP. The next screen takes me to that ?? fill in the blank because when I click follow the TCP stream it's the same packets so what's the difference between stream and conversation if any?

thanks for any help!

also, if you want to recommend any good books on WS for beginners or TCP for beginners let me know.

asked 14 Feb '17, 08:53

rock90's gravatar image

rock90
21111115
accept rate: 0%


1 - Wireshark is unable to show how many threads are running in an application. You might be able to infer something from looking at the network traffic, but it would basically be a guess.

You can find the number of threads in use from Task Manager, select the Details tab, right click any of the column headers, click "Select Columns" and then check the Threads item. Note that a multithreaded application may still be using a single thread for network I/O (unlikely though).

2 - The conversations display shows a summary of the conversations between two endpoints, for TCP the endpoints are the source IP and port and destination IP and port. This has nothing to do with a single threaded or multithreaded application.

3 - A conversation includes all traffic between 2 endpoints, see item 2 above. A tcp stream is defined by the start, the initial SYN packet, and the end, the final FIN ACK packet. TCP conversations include all streams between those two endpoints. Your capture likely contains one conversation with a single stream hence the similarity of the results.

permanent link

answered 14 Feb '17, 09:10

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Welcome.

  1. No, it can't. Wireshark can look at network conversations, but it can't tell you details about application behavior on a computer - only what kind of packets/data it sends/receives.
  2. No, see point 1. You can't deduct that from network behavior.
  3. You filtered a TCP conversation, meaning all other packets will be hidden temporarily. If you only had one conversation visible before the filter won't do anything - you're hidding everything else, but there's nothing else. A stream and a conversation are basically the same thing in your case.
permanent link

answered 14 Feb '17, 09:00

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

As for training material we have to refer to all this material.

permanent link

answered 14 Feb '17, 09:59

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×21
×3

question asked: 14 Feb '17, 08:53

question was seen: 1,146 times

last updated: 14 Feb '17, 09:59

p​o​w​e​r​e​d by O​S​Q​A