Ask Your Question
0

session and distinguish TCP or UDP

asked 2022-03-02 06:29:32 +0000

updated 2022-03-02 19:57:50 +0000

cmaynard gravatar image

I have a large pcap file and I have some session about 10 session. But I don't know they're TCP or UDP. With -Y tshark has tcp.dstport or tcp.scrport.
I have to find out my session is TCP or UDP. How can I find out transmission protocol? How find out my port is TCP or UDP?
ip.src I can access to port src without mention to tcp or udp.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-03-03 11:59:25 +0000

SYN-bit gravatar image

When looking for something in packets that you don't know, start by filtering on what you do know. So, in the search of these sessions, do you know who (which IP address) was generating these sessions? And do you know when these sessions were generated?

You might also take a look at Statistics -> Conversations and browse through the TCP and UDP session list.

If that also does not work, then start filtering out everything that is not the traffic you are looking for. Make a filter not (udp.port in {53 123 [add other ports]} or tcp.port in {80 443 [add other ports]}) to make the list of packets to scroll through smaller. After doing this, you can open up Statistics -> Conversations again and enable Limit to display filter.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-03-02 06:05:45 +0000

Seen: 153 times

Last updated: Mar 03 '22