This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Session Reconstruction

I know different tools use different techniques when reconstructing sessions from packets. How does Wireshark reconstruct a session? Or How does it determine which packets go with each other?

asked 22 Jul '14, 08:33

andrewking1116
accept rate: 0%


One Answer:

It uses several pieces of information from the frames:

  • socket 5-tuple: protocol (UDP, TCP, etc.), src ip, dst ip, src port, dst port
  • TCP sequence numbers
  • Protocol request/response 'flow' (like in HTTP/FTP/SMTP, etc.)
  • many other things, all very dependent on the specific protocols

That's all implemented in the protocol dissectors and the Wireshark dissection engine in general.

Is there any specific reason for your question?

Maybe there is a more detailed answer, if you are looking for a specific protocol.

Regards
Kurt

answered 22 Jul '14, 09:07

Kurt Knochner ♦
accept rate: 15%

I'm working on a requirements project. I just wanted a little more clarification on the technical aspect of different tools and how they process data.

I guess more specifically, say the initial SYN packet was dropped and you collected the rest of the data. Or, if you see a high port to high port. Some reconstruction tools rely on standard ports 0-1023 to be the server. How would Wireshark process this? Would it just make a best guess or only use the sequence number?

(22 Jul '14, 12:31) andrewking1116

How would Wireshark process this?

'process' in terms of what?

Wireshark will still be able to identify a 'conversation' based on the socket 5-tuple and/or the TCP sequence numbers, no matter if the SYN is there or not.

As Wireshark won't tell you who is the 'client' and who is the 'server' (that's just a logical concept), it won't need the SYN anyway.

Wireshark also relies on ports to identify protocols (HTTP, SMTP, etc.), as Wireshark needs a criterion to call the right dissectors on a packet. However, there are also heuristic dissectors (trying to identify some protocols regardless of the port). Furthermore, the user can overrule Wireshark's decision by telling it to dissect a certain frame/conversation/port/etc. with a different dissector ("Decode As").

(23 Jul '14, 00:29) Kurt Knochner ♦
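Added illustration of the two points made in the answer and the follow-up comment (the direction-independent 5-tuple, and sequence-number reassembly that works without the SYN). This is example code written for this archive page, not Wireshark's own code; the packet records are constructed inline, and the field names and the `<N missing>` gap marker are this example's own choices.

```python
from collections import defaultdict
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int = 0          # TCP sequence number; ignored for UDP
    payload: bytes = b""

def conversation_key(p):
    # Direction-independent 5-tuple: the two endpoints are sorted, so a reply
    # lands in the same conversation. No port-range rule picks a "server".
    ends = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
    return (p.proto, ends[0], ends[1])

def group_conversations(packets):
    convs = defaultdict(list)
    for p in packets:
        convs[conversation_key(p)].append(p)
    return dict(convs)

def reassemble_tcp(packets):
    # Rebuild each direction's byte stream from sequence numbers alone; the
    # first seq seen is the anchor, so a dropped SYN changes nothing.
    by_dir = defaultdict(list)
    for p in packets:
        if p.proto == "TCP" and p.payload:
            by_dir[(p.src_ip, p.src_port, p.dst_ip, p.dst_port)].append(p)
    streams = {}
    for direction, pkts in by_dir.items():
        pkts.sort(key=lambda p: p.seq)
        data, nxt = b"", pkts[0].seq
        for p in pkts:
            if p.seq < nxt:                       # retransmission/overlap: skip
                continue
            if p.seq > nxt:                       # hole in the capture: mark it
                data += b"<%d missing>" % (p.seq - nxt)
            data += p.payload
            nxt = p.seq + len(p.payload)
        streams[direction] = data
    return streams

# Constructed sample: no SYN captured, both ports above 1023, one segment
# arrives out of order, one is retransmitted, plus an unrelated UDP datagram.
SAMPLE = [
    Packet("TCP", "10.0.0.5", 40321, "10.0.0.9", 50000, 1000, b"GET / HTTP/1.1\r\n"),
    Packet("TCP", "10.0.0.9", 50000, "10.0.0.5", 40321, 7000, b"HTTP/1.1 200 OK\r\n"),
    Packet("TCP", "10.0.0.5", 40321, "10.0.0.9", 50000, 1031, b"\r\n"),
    Packet("TCP", "10.0.0.5", 40321, "10.0.0.9", 50000, 1016, b"Host: example\r\n"),
    Packet("TCP", "10.0.0.5", 40321, "10.0.0.9", 50000, 1016, b"Host: example\r\n"),
    Packet("UDP", "10.0.0.5", 5353, "224.0.0.251", 5353, 0, b"mdns"),
]
```

Running `reassemble_tcp` over the TCP conversation in `SAMPLE` yields the complete request on one direction and the response on the other, with the duplicate segment discarded.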