This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

End to End message tracking -is it possible with wireshark


We are planning to implement end-to-end message tracking functionality. We have various products/applications running on Linux servers, and they exchange messages (XML, HTTP, HTTPS, LDAP) in our architecture. We thought of using tshark (for HTTPS/SSL) and tcpflow (for the other protocols), and we are able to track each and every message flowing from one Linux server to the other. I wanted to know how we can implement the message correlation. If the communication were only SOAP XML, then we would have used a custom XML element like <messageid>, but our architecture has many applications which use different communication protocols.

Using Wireshark/tshark, is there any way that we can assign a unique number to the messages that flow from one application to another application (running on Linux)?

asked 07 May '12, 22:03


vikram


One Answer:


I'm sorry, but without scripting that's not possible, as Wireshark cannot know which 'message' belongs to a certain 'application data flow' IF those messages are not in the same TCP connection (which is likely if you use HTTP as a transport protocol). Maybe MATE can help a bit; however, I suggest scripting something with Sharktools (Python) or Net::Sharktools (Perl).

Wiki:
http://wiki.wireshark.org/Tools

Regards
Kurt

answered 08 May '12, 02:04


Kurt Knochner ♦

edited 08 May '12, 03:10

Irrespective of which application is running on a Linux box, or the technology or protocol, I am thinking: when a message goes from Linux box A to Linux box B, is there any way we can generate a unique number and make sure that the number also goes along with the message? If that is possible, then we will be able to track the message. Not sure if the transport protocols like HTTP may already have any headers which carry a unique number for each and every message.

(08 May '12, 22:17) vikram

There is nothing built into HTTP itself. However, most HTTP applications use some form of Session-ID to keep track of user sessions. Those Session-IDs are "stored" either in a Cookie, or they are encoded in the URL (JSESSIONID, PHPSESSIONID, etc.). In some rare cases they are part of an HTTP header. The latter case needs special HTTP applications on both sides (no browser!).

So, basically, you need to understand your application protocol and figure out if there is a unique Session-ID which you can filter on.

(08 May '12, 22:25) Kurt Knochner ♦
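The answer above (script the correlation yourself) and the last comment (key on a Session-ID carried in a Cookie, in the URL, or in a custom header) can be combined into one small script. The following is an added example and not code from the original thread or from Wireshark; it assumes the capture was exported with the tshark command shown in the comment (the field names frame.number, ip.src, ip.dst, http.request.uri, http.cookie and http.request.line are real tshark fields, the tab layout is what -T fields produces). The input lines below are constructed, not a real capture, and the X-Request-ID header and the list of cookie names (JSESSIONID, PHPSESSID, ASP.NET_SessionId, session_id, sid) are assumptions you would replace with whatever your own applications use.

```python
"""Correlate HTTP requests across hops by application-level identifiers.

Assumed export command (tab-separated, one HTTP request per line):
  tshark -r hops.pcap -Y http.request -T fields -E separator=/t \
    -e frame.number -e ip.src -e ip.dst -e http.request.uri \
    -e http.cookie -e http.request.line
"""
import re
from collections import defaultdict

FIELDS = ("frame", "src", "dst", "uri", "cookie", "headers")

# Constructed sample: one user action crossing two hops (A->B, then B->C,
# with B forwarding the session cookie), an unrelated request in a second
# session, and a health check that carries no identifier at all.
SAMPLE = "\n".join([
    "1\t10.0.0.1\t10.0.0.2\t/order;jsessionid=ABC123\t\tHost: b,X-Request-ID: req-42",
    "2\t10.0.0.2\t10.0.0.3\t/inventory/check\tJSESSIONID=ABC123; theme=dark\tHost: c",
    "3\t10.0.0.1\t10.0.0.2\t/status\tJSESSIONID=ZZZ999\tHost: b",
    "4\t10.0.0.5\t10.0.0.2\t/health\t\tHost: b",
])

# Assumed identifier locations; extend these for your own applications.
SESSION_NAMES = r"(?:JSESSIONID|PHPSESSID|ASP\.NET_SessionId|session_id|sid)"
COOKIE_RE = re.compile(r"(?i)(?:^|;\s*)" + SESSION_NAMES + r"=([^;\s]+)")
URI_PATH_RE = re.compile(r"(?i);jsessionid=([^;?/]+)")      # servlet-style URL rewriting
URI_QUERY_RE = re.compile(r"(?i)[?&]" + SESSION_NAMES + r"=([^&#]+)")
REQ_ID_RE = re.compile(r"(?i)X-Request-ID:\s*([^\s,]+)")     # assumed custom header


def parse_tshark_fields(text):
    """Turn 'tshark -T fields' output into one dict per request."""
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(FIELDS) - len(cols))   # tolerate missing trailing fields
        msg = dict(zip(FIELDS, cols))
        msg["frame"] = int(msg["frame"])
        msgs.append(msg)
    return msgs


def correlation_keys(msg):
    """Every identifier this request carries that could tie it to another."""
    keys = set()
    m = REQ_ID_RE.search(msg["headers"])
    if m:
        keys.add("req:" + m.group(1))
    for rx, field in ((COOKIE_RE, "cookie"), (URI_PATH_RE, "uri"), (URI_QUERY_RE, "uri")):
        for m in rx.finditer(msg[field]):
            keys.add("sess:" + m.group(1))
    return keys


def correlate(msgs):
    """Map each identifier to the sorted frame numbers that carry it."""
    index = defaultdict(list)
    for msg in msgs:
        for key in correlation_keys(msg):
            index[key].append(msg["frame"])
    return {key: sorted(frames) for key, frames in index.items()}


def hops(msgs, key):
    """The src->dst path, in capture order, of all requests sharing `key`."""
    by_frame = {m["frame"]: m for m in msgs}
    return [f'{by_frame[f]["src"]}->{by_frame[f]["dst"]}'
            for f in correlate(msgs).get(key, [])]


def uncorrelated(msgs):
    """Frames that carry no identifier and therefore cannot be tracked."""
    return [m["frame"] for m in msgs if not correlation_keys(m)]


if __name__ == "__main__":
    msgs = parse_tshark_fields(SAMPLE)
    for key, frames in sorted(correlate(msgs).items()):
        print(key, frames, hops(msgs, key))
    print("no identifier:", uncorrelated(msgs))
```

The point of the index is that a message may carry more than one identifier: frame 1 above is reachable both by its per-request X-Request-ID and by the session ID, and it is the session ID that links it to the forwarded request on the second hop. Frames that end up in `uncorrelated` are exactly the traffic Kurt's answer warns about: without an application-level ID there is nothing for the script (or Wireshark) to key on.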