I'm writing a dissector for a protocol that I have to work with. This protocol runs atop TCP and is stateful.
In order to dissect the fields correctly, I need to identify which endpoint opened the TCP connection (the client).
Is there a way to get this info from the TCP dissector? Would I have to write a tap? I'm not so clear on how to do this in Lua.
asked 18 Aug '11, 13:29
In general, the TCP dissector doesn't, and can't, have that information. If you have not captured the initial 3-way handshake, all you have are data segments and ACKs, and there's no way, from just the TCP header, to determine which of the two endpoints opened the connection.
If this is a protocol where there's a standard server port, you could use the port number. If not, you might be able to have a tap listener for the TCP tap, to look at all the packets and hope at least one of them is a SYN packet so you can see the initial SYN or the SYN+ACK and from that determine which side opened the connection - but if you don't, you're out of luck.
answered 18 Aug '11, 18:24
Guy Harris
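The approach in the answer, as an added example that is not part of the original question or answer: a Lua tap listener on the "tcp" tap records, per `tcp.stream`, which endpoint sent the SYN (or, if only the SYN+ACK was seen, which endpoint it was sent to), and the protocol dissector consults that table to label each segment. If no handshake was captured, it falls back to the well-known server port, and otherwise reports the direction as unknown. The protocol name "myproto" and the server port 9999 are assumptions for the example; this is not Wireshark's own code.

```lua
-- Added example, not from the original question or answer.
-- Learns the TCP client of a stream from the 3-way handshake via a tap
-- listener, then uses that in a dissector for a hypothetical stateful
-- protocol "myproto" on TCP port 9999 (both are assumptions).

local SERVER_PORT = 9999  -- assumed well-known port, used only as a fallback

local myproto = Proto("myproto", "Hypothetical Stateful Protocol")

local f_direction = ProtoField.string("myproto.direction", "Direction")
local f_payload   = ProtoField.bytes("myproto.payload", "Payload")
myproto.fields = { f_direction, f_payload }

-- Field extractors must be created at load time, before any callback runs.
-- They return the value of an already-dissected field for the current packet.
local tcp_stream = Field.new("tcp.stream")
local tcp_ack    = Field.new("tcp.flags.ack")

-- tcp.stream index -> "ip:port" of the endpoint that opened the connection.
-- Cleared on every (re)load of a capture so stale state cannot leak in.
local clients = {}
function myproto.init() clients = {} end

local function endpoint(addr, port)
  return tostring(addr) .. ":" .. tostring(port)
end

-- Tap listener on the TCP tap. The filter restricts it to segments with SYN
-- set, i.e. the SYN (client -> server) and SYN+ACK (server -> client). The tap
-- sees every frame, including payload-less ones that never reach a
-- port-registered subdissector, which is why the dissector cannot do this
-- on its own.
local handshake = Listener.new("tcp", "tcp.flags.syn == 1")
function handshake.packet(pinfo, tvb)
  local stream = tcp_stream()
  if not stream then return end
  local key = stream.value
  if clients[key] then return end  -- already learned for this stream
  local ack = tcp_ack()
  if ack and ack.value then
    -- SYN+ACK: the sender is the server, so the client is the destination.
    clients[key] = endpoint(pinfo.dst, pinfo.dst_port)
  else
    -- Plain SYN: the sender is the client.
    clients[key] = endpoint(pinfo.src, pinfo.src_port)
  end
end

-- Returns "client", "server", a port-based guess, or nil when the handshake
-- was not captured and neither port matches the assumed server port.
local function direction_of(pinfo)
  local stream = tcp_stream()
  local client = stream and clients[stream.value]
  if client then
    if endpoint(pinfo.src, pinfo.src_port) == client then return "client" end
    return "server"
  end
  -- Fallback: no SYN/SYN+ACK seen for this stream; guess from the port.
  if pinfo.dst_port == SERVER_PORT then return "client (guessed from port)" end
  if pinfo.src_port == SERVER_PORT then return "server (guessed from port)" end
  return nil
end

function myproto.dissector(tvb, pinfo, tree)
  pinfo.cols.protocol = myproto.name
  local subtree = tree:add(myproto, tvb())
  local dir = direction_of(pinfo) or "unknown"
  subtree:add(f_direction, tvb(), dir)
  subtree:add(f_payload, tvb())
  pinfo.cols.info = "MYPROTO from " .. dir
  -- A real dissector would branch on dir here to parse client-only or
  -- server-only message layouts.
end

DissectorTable.get("tcp.port"):add(SERVER_PORT, myproto)
```

On the first (sequential) pass the SYN and SYN+ACK frames are processed before the data segments, so the table is populated by the time the dissector runs on payload; the table also survives re-dissection of a single frame in the GUI. As the answer notes, a capture that starts mid-connection never triggers the listener, and the only remaining signal is the port number.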