This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Reused SSL connections

0

How can I filter in Wireshark for reused SSL connections or reused port numbers? i.e. different SSL TCP Streams using the same tuple.

I'm troubleshooting a tcpdump and I want to check if connections are reused successfully or not at all.

From what I understand, I want to filter for all established connections (tcp.flags.syn==1) && (tcp.flags.ack==0)

and then find which ones use the same port pair

How can I filter by reused port numbers?


asked 11 Apr '17, 17:07


evgenia

edited 11 Apr '17, 17:28


One Answer:

0

My idea would be to use the TCP analysis results provided by Wireshark, and filter on them like this:

tcp.analysis.reused_ports

answered 12 Apr '17, 02:26


Jasper ♦♦

Do all reused connections always have a TCP packet with description "TCP port numbers reused"?

I thought that one would see the "TCP port numbers reused" in combination with "RST" (reset) packets, because the reuse of the connection is forced by interrupting the graceful closing of the connection (waiting for TIME_WAIT to elapse). But if the connection is closed gracefully without forcing a reset, then one would not see the "TCP port numbers reused" -> Is my understanding of the above correct?

(12 Apr '17, 11:07) evgenia

No, unfortunately not. The "port reused" symptom is diagnosed like this (excerpt from the TCP dissector code of wireshark):

    /* If this is a SYN packet, then check if its seq-nr is different
     * from the base_seq of the retrieved conversation. If this is the
     * case, create a new conversation with the same addresses and ports
     * and set the TA_PORTS_REUSED flag. If the seq-nr is the same as
     * the base_seq, then do nothing so it will be marked as a retrans-
     * mission later.
     */

So as long as Wireshark sees the new SYN packet with the different initial sequence number, it's marked as "Port Reused", and it doesn't matter if there was a RST, FIN or nothing else in the old connection.

(12 Apr '17, 11:26) Jasper ♦♦
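As an added illustration of the rule quoted in the comment above (my own example, not Wireshark's dissector code): a small Python model that walks constructed packet records and applies the same SYN/base_seq check, so you can see why a FIN or RST in the old connection plays no role. The Packet fields, the sample addresses and the verdict labels are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet record (assumed layout, not a real capture)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    seq: int

def conv_key(p):
    # A conversation is the unordered address/port pair, so both
    # directions of the same connection map to one key.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def classify_syns(packets):
    """Return (index, verdict) for each initial SYN (SYN=1, ACK=0).

    Follows the dissector comment: a SYN on a known conversation whose
    ISN differs from the stored base_seq starts a new conversation
    flagged 'reused'; an identical ISN is treated as a retransmission.
    Nothing in the old stream (FIN, RST, silence) is consulted."""
    base_seq = {}   # conversation key -> ISN of the current conversation
    verdicts = []
    for i, p in enumerate(packets):
        if not (p.syn and not p.ack):
            continue            # only initial SYNs drive this check
        key = conv_key(p)
        if key not in base_seq:
            base_seq[key] = p.seq
            verdicts.append((i, "new"))
        elif base_seq[key] != p.seq:
            base_seq[key] = p.seq   # new conversation replaces the old one
            verdicts.append((i, "reused"))
        else:
            verdicts.append((i, "retransmission"))
    return verdicts

def reused_syn_indices(packets):
    """Indices that tcp.analysis.reused_ports would match in this model."""
    return [i for i, v in classify_syns(packets) if v == "reused"]

# Constructed sample trace: one connection, a retransmitted SYN, a fresh
# SYN with a new ISN on the same 4-tuple, then a different client port.
SAMPLE = [
    Packet("10.0.0.5", 40000, "10.0.0.9", 443, True, False, 1000),  # 0 new
    Packet("10.0.0.9", 443, "10.0.0.5", 40000, True, True, 5000),   # 1 SYN/ACK
    Packet("10.0.0.5", 40000, "10.0.0.9", 443, False, True, 1001),  # 2 data
    Packet("10.0.0.5", 40000, "10.0.0.9", 443, True, False, 1000),  # 3 retrans
    Packet("10.0.0.5", 40000, "10.0.0.9", 443, True, False, 7777),  # 4 reused
    Packet("10.0.0.5", 40001, "10.0.0.9", 443, True, False, 2000),  # 5 new
]
```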

Thank you for your quick response. It helps to answer some of my questions in dissecting tcpdumps.

(12 Apr '17, 12:22) evgenia

I realise now that reused connections in our particular case meant the following:

We needed to see multiple "Application Data" packets coming from the source to the backend server within the same TCP Stream.

(12 Apr '17, 18:25) evgenia