How does Wireshark distinguish the client vs server packets?

asked 2023-06-08 13:30:46 +0000

saj gravatar image

updated 2023-06-22 17:47:11 +0000

cmaynard gravatar image

I want to distinguish the client vs server packets in a TCP stream using pyshark. Before doing so, I want to know how Wireshark distinguishes client vs server packets in TCP streams. Has anyone done the same thing in pyshark ? Let me know.

edit retag flag offensive close merge delete

Comments

Usually the client is the endpoint that initiates the connection. Easy for TCP, difficult for UDP.

grahamb gravatar imagegrahamb ( 2023-06-08 13:34:01 +0000 )edit

(No luck finding the previous discussion.)
Sometimes it is assumed client port (ephemeral) number is larger than server port number.

And there ya go - hit send and suddenly Google foo works.
Why are some TCP conversations shown backwards/reversed?

Chuckc gravatar imageChuckc ( 2023-06-08 14:54:49 +0000 )edit

I have captured pcap file from OT environment where many devices are talking at once. I need a solid base on how wireshark distinguishes the thing. Is it just port number or something else as well.

saj gravatar imagesaj ( 2023-06-08 15:04:16 +0000 )edit

See also TCP: Conversations Statistics loyalty to connections initiators

grahamb gravatar imagegrahamb ( 2023-06-08 15:53:44 +0000 )edit

When I do follow tcp stream, I see some packets being recognized falsely as client packet. For example, x11 event messages are generated by the server but it was put in the client side. The comparison of port seems good but does it always work like client ports are always larger. All I want is to distinguish incoming vs outgoing message belonging to the tcp stream. The first packet's incoming vs outgoing is an important part as the later packets can be labeled based on the first packet's information. what would be the most logical way to do so? @Chuckc and @grahamb

saj gravatar imagesaj ( 2023-06-12 10:16:55 +0000 )edit
see more comments