
I just watched a video by Laura Chappell talking about the stream index and how WS starts at 0 and works its way up with each new conversation. I assumed that each new conversation would have to start with a Syn, Syn/Ack, Syn, but when I started looking at my streams and filtering on just one particular stream, I found quite a few without the 3-way handshake. So what does this mean?

Ex. Stream number 39: when I open this up and sort the stream by number so it starts with the first packet, it shows the flags being PSH, ACK, and the info section shows Application data, Application data. This stream is only 15 packets long and doesn't have a FIN bit in the stream either.

Thanks,

asked 16 Feb, 06:12


rock90

edited 16 Feb, 07:28


cmaynard ♦♦


Streams do not have to start with a handshake to have a number assigned. Wireshark does it by looking at the 5-tuple: source IP, source port, destination IP, destination port, and layer 4 protocol (in your case: TCP). So when a new combination is seen, it gets the next stream index.

There's one exception to the rule: if Wireshark sees a 5-tuple and then another identical 5-tuple starting with a new TCP handshake, it will also increase the stream index.

For more information about 5 Tuple handling, there's this blog entry: https://blog.packet-foo.com/2015/03/tcp-analysis-and-the-five-tuple/


answered 16 Feb, 07:14


Jasper ♦♦
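To make the numbering rule in Jasper's answer concrete, here is a small model of it in Python. This is an added example, not code from the post, from the linked blog, or from Wireshark's own source: the packet list is constructed, the `Packet` class and the function names are mine, and treating "SYN set, ACK clear on an already-known 5-tuple" as the start of a new stream is a simplification of what Wireshark's TCP dissector actually checks. It reproduces the two things the question is about: a conversation first seen mid-session (PSH/ACK, no handshake) still gets a stream index, and a re-used 5-tuple that starts with a fresh SYN gets a new one.

```python
"""Toy model of how Wireshark hands out tcp.stream-style indexes.

Rule (from the answer above): a conversation is identified by its 5-tuple
(L4 protocol, src IP, src port, dst IP, dst port).  The first packet of a
new 5-tuple gets the next index, handshake or not.  A pure SYN on a 5-tuple
that already has an index starts a new conversation and gets a fresh index.
Constructed example; not Wireshark code.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits (same values as the tcp.flags field)
FIN = 0x01
SYN = 0x02
PSH = 0x08
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0  # only meaningful for TCP


# (proto, endpoint A, endpoint B) with the endpoints in a canonical order
Key = Tuple[str, Tuple[str, int], Tuple[str, int]]


def conversation_key(p: Packet) -> Key:
    """Direction-independent 5-tuple: A->B and B->A yield the same key,
    so both halves of a conversation land in the same stream."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, a, b)


def is_pure_syn(p: Packet) -> bool:
    """SYN without ACK: the first packet of a new handshake (not the SYN/ACK)."""
    return p.proto == "TCP" and bool(p.flags & SYN) and not (p.flags & ACK)


def assign_stream_indexes(packets: List[Packet]) -> List[int]:
    """Return the stream index of every packet, in capture order.
    Counters are kept per L4 protocol, as tcp.stream and udp.stream are
    independent in Wireshark."""
    current: Dict[Key, int] = {}   # 5-tuple -> index of its current stream
    next_index: Dict[str, int] = {}  # proto -> next unused index
    out: List[int] = []
    for p in packets:
        key = conversation_key(p)
        if key not in current or is_pure_syn(p):
            idx = next_index.get(p.proto, 0)
            current[key] = idx
            next_index[p.proto] = idx + 1
        out.append(current[key])
    return out


def stream_summary(packets: List[Packet], indexes: List[int]) -> Dict[int, dict]:
    """Per-stream packet count plus whether a SYN or FIN was ever seen,
    i.e. the check the question applies to stream 39 (TCP packets only)."""
    summary: Dict[int, dict] = {}
    for p, idx in zip(packets, indexes):
        if p.proto != "TCP":
            continue
        s = summary.setdefault(idx, {"packets": 0, "syn": False, "fin": False})
        s["packets"] += 1
        s["syn"] = s["syn"] or bool(p.flags & SYN)
        s["fin"] = s["fin"] or bool(p.flags & FIN)
    return summary


# Constructed capture: a full handshake, a session the capture joined
# mid-flight (no handshake, no FIN), and a port re-use after the first
# session closed.
SAMPLE = [
    Packet("TCP", "10.0.0.1", 40001, "10.0.0.2", 80, SYN),
    Packet("TCP", "10.0.0.2", 80, "10.0.0.1", 40001, SYN | ACK),
    Packet("TCP", "10.0.0.1", 40001, "10.0.0.2", 80, ACK),
    Packet("TCP", "10.0.0.3", 50000, "10.0.0.2", 443, PSH | ACK),  # mid-session
    Packet("TCP", "10.0.0.2", 443, "10.0.0.3", 50000, PSH | ACK),
    Packet("TCP", "10.0.0.1", 40001, "10.0.0.2", 80, FIN | ACK),
    Packet("TCP", "10.0.0.1", 40001, "10.0.0.2", 80, SYN),          # same 5-tuple, new SYN
    Packet("TCP", "10.0.0.2", 80, "10.0.0.1", 40001, SYN | ACK),
]

if __name__ == "__main__":
    idx = assign_stream_indexes(SAMPLE)
    print(idx)                          # [0, 0, 0, 1, 1, 0, 2, 2]
    for n, s in sorted(stream_summary(SAMPLE, idx).items()):
        print(f"stream {n}: {s}")
```

Stream 1 in the sample is the analogue of the stream 39 in the question: two packets, PSH/ACK only, no SYN and no FIN, yet numbered like any other. To check a real capture the same way, `tshark -r file.pcapng -Y "tcp.stream == 39" -T fields -e frame.number -e tcp.flags` lists the flags of every packet in that stream, and the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` shows only the packets that can start a new index.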

Thanks Jasper, I will definitely check out your blog.

(16 Feb, 09:34) rock90