
Follow TCP stream only shows one side of the conversation - why?

asked 2022-09-07 01:51:36 +0000

updated 2022-09-07 09:00:03 +0000

Hi,

I was filtering a TCP conversation with Wireshark, and in the packet view I can clearly see requests and responses between two sockets - this is on loopback traffic capture. But when I select "Follow > TCP Stream" I only see the outbound stream (red), not the inbound (blue). I tried multiple times, also with other streams, restarted Wireshark.

How do I fix this? [edit] Here is the recorded TCP conversation. Open it with Wireshark, then try for yourself (using Wireshark 3.6.7, Windows 11 64-bit): https://drive.google.com/file/d/1USJx...


Comments

Can you add a column for tcp.stream and verify inbound/outbound are the same stream number.

Chuckc (2022-09-07 02:52:31 +0000)

Thanks, done that, the stream ID is consistently the same. I did an export of selected packets and reopened it in Wireshark, the problem persists. I can share the exported stream for testing on your side, if you tell me how ...

kai.hackemesser@gmail.com (2022-09-07 04:10:44 +0000)

Place it on a public file share such as Google, OneDrive or Dropbox, then update the question with a link to the file.

Chuckc (2022-09-07 04:19:26 +0000)

It would be rather weird if both ways are identified with the same TCP stream. What version of Wireshark are you running?

I have cases where I have to manually combine streams due to the way the capture takes place on a device performing NAT. So outbound shows the NATted source just as inbound, but if you get both sides AFTER NAT then it's not the same stream according to Wireshark. But it is always clear.

Filtering on an OR with both stream numbers solves that issue.

hugo.vanderkooij (2022-09-07 06:00:57 +0000)

Hi Hugo, each TCP connection comes with a bidirectional datastream. NAT is not involved here, two localhost ports are talking to each other. They do and I see it in the recorded packets. Just not in the Follow TCP stream window, where one direction is supposed to be red and the other blue. Blue is missing.

kai.hackemesser@gmail.com (2022-09-07 08:56:34 +0000)

1 Answer


answered 2022-09-07 10:45:37 +0000

Jaap

It's the hiccup at the TCP connection establishment (the TCP reset in frame 2) that throws things off. You can see this if you select to 'Ignore' frame 2 and then do the follow TCP stream.


Comments

Is this something worth a bug report for Wireshark, and where would I place that?

kai.hackemesser@gmail.com (2022-09-09 03:13:44 +0000)

This is a nice test case for sure. You can file an issue at https://gitlab.com/wireshark/wireshark/-/issues

Jaap (2022-09-09 05:53:00 +0000)
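
A way to look for the pattern described in the answer (a reset in a stream, with payload still flowing in both directions afterwards) in other captures, as an added example that is not part of the original thread. It reads tshark field output; the sample rows, ports and function name are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed rows (not from the capture in the question), in the column order of:
#   tshark -r capture.pcapng -T fields -e frame.number -e tcp.stream \
#       -e ip.src -e tcp.srcport -e tcp.flags.reset -e tcp.len
SAMPLE_ROWS = [
    # frame, stream, src ip, src port, reset flag, payload length
    (1, 0, "127.0.0.1", 50000, "0", 0),
    (2, 0, "127.0.0.1", 8080, "1", 0),    # reset during connection setup
    (3, 0, "127.0.0.1", 50000, "0", 0),
    (4, 0, "127.0.0.1", 8080, "0", 0),
    (5, 0, "127.0.0.1", 50000, "0", 120),
    (6, 0, "127.0.0.1", 8080, "0", 300),
    (7, 0, "127.0.0.1", 50000, "0", 40),
    (8, 1, "127.0.0.1", 50001, "0", 64),  # stream without any reset
    (9, 1, "127.0.0.1", 8080, "0", 512),
    (10, 2, "127.0.0.1", 50002, "0", 10),
    (11, 2, "127.0.0.1", 8080, "0", 20),
    (12, 2, "127.0.0.1", 8080, "True", 0),  # reset that really ends the stream
]
SAMPLE_TSV = "\n".join("\t".join(map(str, r)) for r in SAMPLE_ROWS)

def resets_followed_by_data(tsv_text):
    """Return {stream: {"rst_frame": n, "bytes_after": {endpoint: bytes}}} for
    streams where payload flows in both directions after the first reset."""
    first_rst = {}
    after = defaultdict(lambda: defaultdict(int))
    for row in csv.reader(io.StringIO(tsv_text), delimiter="\t"):
        if len(row) != 6 or not row[1]:
            continue  # non-TCP or malformed line
        frame, stream, port = int(row[0]), int(row[1]), row[3]
        endpoint = f"{row[2]}:{port}"
        is_rst = row[4] in ("1", "True")  # accept either boolean spelling
        payload = int(row[5] or 0)
        if is_rst and stream not in first_rst:
            first_rst[stream] = frame
        elif stream in first_rst and payload > 0:
            after[stream][endpoint] += payload
    return {s: {"rst_frame": f, "bytes_after": dict(after[s])}
            for s, f in first_rst.items() if len(after[s]) >= 2}

if __name__ == "__main__":
    for stream, info in resets_followed_by_data(SAMPLE_TSV).items():
        print(f"tcp.stream {stream}: RST in frame {info['rst_frame']}, "
              f"payload after it: {info['bytes_after']}")
```

Streams it reports are candidates for the 'Ignore' workaround on the reset frame before following the stream.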
