OSQA is unmaintained. Help us figure out where to go from here.

I'm writing a dissector for a protocol that I have to work with. This protocol runs atop TCP and is stateful.

In order to dissect the fields correctly, I need to identify which endpoint opened the TCP connection (the client).

Is there a way to get this info from the tcp dissector? Would I have to write a tap? I'm not so clear on how to do this in lua.

asked 18 Aug '11, 13:29

Flame's gravatar image

accept rate: 0%

Cross posted to StackOverflow http://stackoverflow.com/questions/7113810/wireshark-lua-dissector-detect-which-endpoint-opened-the-connection.

(18 Aug '11, 13:38) Flame

In general, the TCP dissector doesn't, and can't have that information. If you have not captured the initial 3-way handshake, all you have are data segments and ACKs, and there's no way, from just the TCP header, to determine which of the two endpoints opened the connection.

If this is a protocol where there's a standard server port, you could use the port number. If not, you might be able to have a tap listener for the TCP tap, to look at all the packets and hope at least one of them is a SYN packet so you can see the initial SYN or the SYN+ACK and from that determine which side opened the connection - but if you don't, you're out of luck.


answered 18 Aug '11, 18:24

Guy%20Harris's gravatar image

Guy Harris ♦♦
accept rate: 19%

My best bet would be to see who sends data first then. After the handshake it appears that the client always sends data first.

There are multiple services that speak this protocol, and they each use a different default listening port.

(18 Aug '11, 18:43) Flame

You might be capturing in the middle of a session, and you might happen to start capturing at a point after the client has sent something to the server but before the server has responded. Those periods of time probably constitute a minority of the total time of the session, so there's probably a good, but not 100%, chance that the endpoint that sent the first non-empty TCP segment is the client.

If you know all the possible listening ports, that's just a general case of "you could use the port number".

Note also that if it's very stateful, capturing in the middle could lose other info.

(18 Aug '11, 19:01) Guy Harris ♦♦

nop. at least SMTP servers do respond with data immediately after handshake. http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_transport_example I guess your milage may vary.

(08 Nov '11, 20:30) ShomeaX

Hence "good, but not 100%". Most protocols don't work the way SMTP does here.

(09 Nov '11, 10:30) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 18 Aug '11, 13:29

Seen: 2,781 times

Last updated: 09 Nov '11, 10:30

p​o​w​e​r​e​d by O​S​Q​A