I just watched a video by Laura Chappell talking about stream index and that WS starts at 0 and works its way up with each new conversation. I assumed that each new conversation would have to start with a Syn, Syn/Ack, Syn, but when I started looking at my streams and filtering on just one particular stream, I found quite a few without the 3 way handshake. So what does this mean? Ex. Stream number 39 when I open this up and sort the stream by number so it starts with the first packet, it shows the flag being PSH, ACK and in the info section shows Application data, Application data. This stream is only 15 packets long and doesn't have a FIN bit in the stream either. Thanks, asked 16 Feb '17, 06:12 rock90 edited 16 Feb '17, 07:28 cmaynard ♦♦ |
One Answer:
Streams do not have to start with a handshake to have a number assigned. Wireshark does it by looking at the 5 Tuple: source IP, source port, destination IP, destination port, and layer 4 protocol (in your case: TCP). So when a new combination is seen it gets the next stream index. There's one exception to the rule: if Wireshark sees a 5 Tuple and another identical 5 Tuple starting with new TCP handshake, it will also increase the stream index. For more information about 5 Tuple handling, there's this blog entry: https://blog.packet-foo.com/2015/03/tcp-analysis-and-the-five-tuple/ answered 16 Feb '17, 07:14 Jasper ♦♦ |
Thanks Jasper, I will definitely check out your blog.