
Does Follow -> UDP Stream work correctly?

asked 2019-08-25 05:15:36 +0000

rona

I have a pcap file that has DNS records. I want to separate the different DNS flows from each other. I right-click on each record and then Follow -> UDP Stream. By doing this, Wireshark shows the stream (flow) that this record is in. But I think the streams that Wireshark shows me are incorrect. I think that in a flow the source address, destination address, source port and destination port of the packets should be the same, and also the times of those packets should be near each other (I mean that those packets should be next to each other in Wireshark). Is that true? But in Wireshark this happens: packets from time 0.000 to time 2.3056 and also the packets from time 2056.890 to time 2058.032 are in the same stream (flow)!!!! I think this is not correct, because there are a lot of DNS records between time 2.3056 and time 2056.890 that this host transmitted and received. So I think DNS records from time 0.000 to time 2.3056 and DNS records from time 2056.890 to time 2058.032 cannot be in the same stream (flow). Please help me.


1 Answer


answered 2019-08-25 08:07:04 +0000

Jaap

Since UDP is a connectionless transport protocol, it is impossible to determine the beginning and end of a packet flow between endpoints from the packet flow itself, without looking into the higher layer protocols. It might even be that the required info is not there either, but signalled in a separate protocol (have a look at SIP/SDP and RTP).

So for simple UDP stream tracking all it can do is look at the IP/port tuples and match that to streams. The time when these packets flow does not mean anything to UDP.



Thanks so much for your help, dear Jaap.

rona ( 2019-08-25 13:32:49 +0000 )
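
The tuple-only matching described in the answer, as an added example that is not part of the original thread and is not Wireshark's code. It groups constructed packet records by address/port pair, then separates the flows further in two ways: a hypothetical idle-gap cutoff (`max_gap`) and the DNS transaction ID from the higher layer. All function names and sample values are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records: (time, src_ip, src_port, dst_ip, dst_port, dns_id)
CLIENT, SERVER = ("192.0.2.10", 53001), ("198.51.100.53", 53)
PACKETS = [
    (0.000, *CLIENT, *SERVER, 0x1A2B),
    (0.021, *SERVER, *CLIENT, 0x1A2B),
    (2.3056, *CLIENT, *SERVER, 0x1A2C),
    (900.100, "192.0.2.10", 40412, *SERVER, 0x7777),  # same hosts, other source port
    (2056.890, *CLIENT, *SERVER, 0x3C4D),             # port 53001 seen again much later
    (2058.032, *SERVER, *CLIENT, 0x3C4D),
]

def tuple_key(pkt):
    """Direction-independent address/port key; time plays no part in it."""
    _, sip, sport, dip, dport, _ = pkt
    return tuple(sorted([(sip, sport), (dip, dport)]))

def streams_by_tuple(packets):
    """Simplified model of tuple-only stream tracking."""
    streams = defaultdict(list)
    for pkt in packets:
        streams[tuple_key(pkt)].append(pkt)
    return dict(streams)

def split_by_idle_gap(packets, max_gap=60.0):
    """Hypothetical post-processing: cut a tuple stream where it idles > max_gap s."""
    flows = []
    for key, pkts in streams_by_tuple(packets).items():
        pkts = sorted(pkts, key=lambda p: p[0])
        current = [pkts[0]]
        for prev, pkt in zip(pkts, pkts[1:]):
            if pkt[0] - prev[0] > max_gap:
                flows.append((key, current))
                current = []
            current.append(pkt)
        flows.append((key, current))
    return flows

def dns_transactions(packets):
    """Use the higher-layer DNS ID to pair each query with its response."""
    txns = defaultdict(list)
    for pkt in packets:
        txns[(tuple_key(pkt), pkt[5])].append(pkt[0])
    return dict(txns)
```

With the sample data, tuple-only grouping puts the packets at 0.000 to 2.3056 and at 2056.890 to 2058.032 in one stream, while the idle-gap split and the DNS ID grouping keep them apart.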
