hi i am a beginner in wireshark and work on a thesis about botnet detection. in many Articles i posed with flow IP Address and Flow Port Number in opposite of Packet IP Address and Packet Port Number. Now My Important question is this: What is The Difference between flow and packet in wireshark? can you please help me? asked 30 Nov '15, 03:58  hamedmortazi |
One Answer:
From the point of view of IP address and port, there is no difference between flow and packet. From the vocabulary point of view, a "flow" in packet networks vernacular is a sequence of packets sent from the same source socket (a socket is a combination of IP address and port) to the same destination socket, usually for the same purpose (delivery of an amount of information which does not fit to a single packet). Plus bear in mind that port numbers form up a separate address space for each protocol: UDP port 5060 is not the same thing as TCP port 5060, although both are IANA assigned for SIP service. And some protocols, like GRE, do not work with ports at all, only with IP addresses. For convenience, Wireshark capture filter syntax permits to use just "port X", which has the meaning of "(protocol A and its port X) or (protocol B and its port X) or (protocol C and its port X)" etc. But it may be confusing for beginners, making the impression that port numbers are common for different protocols. answered 30 Nov '15, 06:01  sindy edited 30 Nov '15, 06:16 |
hi thanks for response now my problem is this: in wireshark how can i found packets in one session ,contains many packets with same ip address in source and destination?
Go to Statistics -> Conversations, you'll get a table of conversations (actually, flows) at different protocol levels. But I'm not sure I've understood your question properly.