Discrepancies in flow analysis between versions 3.0.5 and 4.2.4

asked 2024-07-05 09:58:16 +0000

mba

Analysing the same PCAP file in 2 versions of Wireshark gives me different numbers of conversations (TCP flows):

  • Wireshark v3.0.5 (Conversations): 2270
  • Wireshark v4.2.4 (Conversations): 4370

1 Answer

answered 2024-07-05 11:36:19 +0000

SYN-bit

A few questions:

  • Are you using the same system for both versions of Wireshark?
  • Are you using the same settings (try creating a new empty profile in both versions and see if the discrepancies go away)?
  • Are you seeing this with a particular pcap file only, or with many (all) of your files?

If that does not help, could you try to extract a few tcp sessions that exhibit the discrepancies into a new pcap file and share it so we can take a look at the issue?

