Ask Your Question
0

Why are some TCP conversations shown backwards/reversed?

asked 2020-10-15 19:23:01 +0000

johns287 gravatar image

updated 2020-10-15 20:25:36 +0000

When viewing TCP conversations, the flow appears backwards. I would expect "Address A" to be the source and "Address B" to be destination like it is most of the time. In both examples, I captured TCP SYN & SYN ACKs, but one example shows the correct direction and the other is reversed.

Edit: links to files at the bottom. I also found another example with the same source and dest as the backwards example which shows correctly. My thought is that Wireshark is seeing the source port higher than the destination port so it orders them as such.

Win10 x64 Wireshark Version 3.2.7 (v3.2.7-0-gfb6522d84a3a)

Backwards:

image description

Correct:

image description

Edit: Correct with same source and dest as the backwards one:

image description

Backwards cap: https://www.dropbox.com/s/wpeyc0nui6i...

Not backwards cap: https://www.dropbox.com/s/3as7qeabusy...

Not backwards with same src/dst as original: https://www.dropbox.com/s/0nxed4bwb87...

edit retag flag offensive close merge delete

Comments

You can put the files on a public share, e.g. Google Drive, DropBox etc. and post a link to them back here as a comment.

grahamb gravatar imagegrahamb ( 2020-10-15 20:00:32 +0000 )edit

Thanks. I edited the original post with the files. I also found another example with the same source and dest as the backwards example which shows correctly. My thought is that Wireshark is seeing the source port higher than the destination port so it orders them as such.

johns287 gravatar imagejohns287 ( 2020-10-15 20:25:24 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-10-16 03:13:47 +0000

Chuckc gravatar image

updated 2020-10-16 03:15:09 +0000

I think the assumption is that the ephemeral client port is typically larger than the static server port and that the client starts the connection (conversation).

epan/conversation_table.c - add_conversation_table_data_with_conv_id()

if (src_port > dst_port) {
    addr1 = src;
    addr2 = dst;
    port1 = src_port;
    port2 = dst_port;
} else if (src_port < dst_port) {
    addr2 = src;
    addr1 = dst;
    port2 = src_port;
    port1 = dst_port;
} else if (cmp_address(src, dst) < 0) {
    addr1 = src;
    addr2 = dst;
    port1 = src_port;
    port2 = dst_port;
} else {
    addr2 = src;
    addr1 = dst;
    port2 = src_port;
    port1 = dst_port;
}
edit flag offensive delete link more

Comments

Thanks! I'll make a request on the Gitlab site to change this feature to order the hosts according to the 3 way handshake.

johns287 gravatar imagejohns287 ( 2020-10-16 12:28:10 +0000 )edit

Gitlab issue 16919

Chuckc gravatar imageChuckc ( 2021-02-03 17:23:24 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-10-15 19:23:01 +0000

Seen: 835 times

Last updated: Oct 16 '20