This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

stream number for udp

0

I want to ask the Wireshark developers if there is any plan to add UDP stream numbers like we have for TCP streams. And was there any specific reason to use stream numbers only for TCP?

asked 17 Nov '12, 00:15

viks


One Answer:

0

Since TCP is a connection orientated protocol with a distinctive session start and end, it is possible to determine which session/stream a packet belongs to by looking at the TCP headers alone.

UDP is a connectionless protocol, which means every packet is basically on its own. Only the upper layer protocols can determine whether a packet belongs to a certain session.

One thing that could be done is link UDP packets into a stream if they are less than a (configurable) timeout apart. But that might give funny results for some protocols.

Any particular reason you need this functionality?

answered 18 Nov '12, 05:01

SYN-bit ♦♦

I am not able to get you when you say that to link UDP packets into a stream we can choose a configurable timeout value. Why do we need to do that at all when we can link UDP (or even TCP) packets into a stream based on the 5-tuple? One reason is the equivalence between TCP and UDP, where we will have a stream number for each TCP or UDP flow as shown by Wireshark. The other is writing scripts using tshark with various filters, where udp.stream can also serve a purpose in several scenarios, like tcp.stream.

(19 Nov '12, 11:27) viks

Maybe the answers at Streams and UDP will provide some additional clarity.

(19 Nov '12, 14:15) Bill Meier ♦♦

Many UDP protocols use the same 5-tuple for different streams. With TCP, they are separated by the closure of the first stream (FIN/ACK, ACK, FIN/ACK, ACK) and the creation of a new stream (SYN, SYN/ACK, ACK).

In UDP there is no session boundary at the UDP layer; the only way to differentiate between two UDP streams with the same 5-tuple would be to use a timeout and assume that when two packets with the same 5-tuple have a time difference larger than the timeout, they would belong to two different streams. I think streams for UDP can better be defined at the higher layer protocols on top of UDP.

(20 Nov '12, 01:25) SYN-bit ♦♦
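The two approaches discussed in this thread, side by side, as an added example that is not part of the original posts and is not Wireshark's code: stream indexes assigned to UDP packets by 5-tuple alone, and by 5-tuple plus an idle timeout. The function names, the packet tuples and the timeout values are assumptions made for the illustration.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# (timestamp_seconds, src_ip, src_port, dst_ip, dst_port); protocol is always UDP.
Packet = Tuple[float, str, int, str, int]
UDP = 17

def flow_key(pkt: Packet):
    """Direction-independent 5-tuple: both directions map to the same key."""
    _, src, sport, dst, dport = pkt
    a, b = sorted([(src, sport), (dst, dport)])
    return (UDP, a, b)

def assign_udp_streams(packets: Iterable[Packet],
                       idle_timeout: Optional[float] = None) -> List[int]:
    """Return one stream index per packet, in capture order.

    idle_timeout=None groups by 5-tuple only. Otherwise a gap longer than
    idle_timeout on the same 5-tuple starts a new stream index.
    """
    active: Dict[tuple, Tuple[int, float]] = {}  # key -> (index, last_seen)
    next_index = 0
    result = []
    for pkt in packets:
        ts, key = pkt[0], flow_key(pkt)
        entry = active.get(key)
        expired = (entry is not None and idle_timeout is not None
                   and ts - entry[1] > idle_timeout)
        if entry is None or expired:
            index, next_index = next_index, next_index + 1
        else:
            index = entry[0]
        active[key] = (index, ts)
        result.append(index)
    return result

# Constructed sample: two separate exchanges reuse the same 5-tuple 93.5 s apart.
REUSED = [
    (0.0, "10.0.0.7", 5060, "10.0.0.9", 5060),
    (1.5, "10.0.0.9", 5060, "10.0.0.7", 5060),
    (95.0, "10.0.0.7", 5060, "10.0.0.9", 5060),
    (95.1, "10.0.0.9", 5060, "10.0.0.7", 5060),
]
# Constructed sample: one long-lived session that sends a keepalive every 45 s.
KEEPALIVE = [(t, "10.0.0.5", 4500, "10.0.0.1", 4500) for t in (0.0, 45.0, 90.0)]

if __name__ == "__main__":
    for name, pkts in (("reused", REUSED), ("keepalive", KEEPALIVE)):
        print(name, assign_udp_streams(pkts), assign_udp_streams(pkts, 30.0))
```

With the 5-tuple alone the two reused exchanges collapse into one stream, while a 30-second timeout separates them but also cuts the single keepalive session into three, which is the kind of result the answer expects for some protocols.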