gmane.network.wireshark.user

Re: what does the TCP stream mean in wireshark

Sake Blok — 2012-05-23T18:19:51

Version 1.6.6 should make a distinction between two sessions with the same ip/port combinations. Are you able to post the file here (if not to big) or else create a bug-report on bugs.wireshark.org? You can also mail me directly if you want to limit the exposure of the file.

Cheers,
Sake


On 23 mei 2012, at 17:21, nangergong wrote:


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: what does the TCP stream mean in wireshark

nangergong — 2012-05-23T15:21:40

Version 1.6.6

On Wed, May 23, 2012 at 5:09 PM, Sake Blok <sake-dNWzXRSXXtjz+pZb47iToQ< at >public.gmane.org> wrote:

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: what does the TCP stream mean in wireshark

Mason, Kevin — 2012-05-23T12:40:54

If you watch a given stream long enough, there will be connection re-use and you will see a sequence of connections.  Also, some windows boxes use TCP TIME-WAIT Assassination, which rapidly reuses tcp ports.  http://blogs.technet.com/b/networking/archive/2010/08/11/how-tcp-time-wait-assassination-works.aspx
---------
~KEM


On May 23, 2012, at 8:13 AM, nangergong wrote:

Thanks! But previously I saw a tcp stream where there are several TCP connections (I mean mutiple SYN-SYN/ACK-ACK handshakes)

On Wed, May 23, 2012 at 12:48 PM, Martin Visser <martinvisser99-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org<mailto:martinvisser99-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org>> wrote:
Nangergong,

A TCP stream is a single connection between two IP addresses, between the two same ports. If you see the beginning you'll see the SYN-SYN/ACK-ACK handshake, an will also see the sequence numbers increasing. Some protocols like HTTP/1.1 can have multiple higher level conversations on the one connection, so I am not sure that is what

Re: what does the TCP stream mean in wireshark

Sake Blok — 2012-05-23T15:09:15

Those sessions should be treated as separate. This has been implemented a few years ago already. Which version of Wireshark are you using?

Cheers,
Sake


On 23 mei 2012, at 16:31, nangergong wrote:


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: what does the TCP stream mean in wireshark

nangergong — 2012-05-23T14:31:03

yes

On Wed, May 23, 2012 at 4:22 PM, <kcullimo-fHTHtPhtvzrQT0dZR+AlfA< at >public.gmane.org> wrote:

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: what does the TCP stream mean in wireshark

2012-05-23T14:22:15

----- Start Original Message -----
Sent: Wed, 23 May 2012 14:56:39 +0200
From: nangergong <nangergong-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org>
To: Community support list for Wireshark <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Subject: Re: [Wireshark-users] what does the TCP stream mean in wireshark


Multiple handshakes wherein the same source & destination ports were re-used?


----- End Original Message -----
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: what does the TCP stream mean in wireshark

2012-05-23T14:15:25

----- Start Original Message -----
Sent: Wed, 23 May 2012 14:56:39 +0200
From: nangergong <nangergong-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org>
To: Community support list for Wireshark <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Subject: Re: [Wireshark-users] what does the TCP stream mean in wireshark


Multiple handshakes wherein the same source & destination ports were re-used?


----- End Original Message -----
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: what does the TCP stream mean in wireshark

nangergong — 2012-05-23T12:56:39

I used a mobile browser in a HTC smartphone to access some websites and I
used wireshark to capture the packets between the mobile browser and the
website servers.

On Wed, May 23, 2012 at 2:49 PM, Boonie <newsboonie-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org> wrote:

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: what does the TCP stream mean in wireshark

Giles Coochey — 2012-05-23T12:55:24

Or he might have a Layer-2 Spanning Tree Loop...

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: what does the TCP stream mean in wireshark

Boonie — 2012-05-23T12:49:35

Were that packets of a cheap embeded device? Sounds like a buggy TCP stack to me.

  ----- Original Message ----- 
  From: nangergong 
  To: Community support list for Wireshark 
  Sent: Wednesday, May 23, 2012 2:13 PM
  Subject: Re: [Wireshark-users] what does the TCP stream mean in wireshark


  Thanks! But previously I saw a tcp stream where there are several TCP connections (I mean mutiple SYN-SYN/ACK-ACK handshakes)


  On Wed, May 23, 2012 at 12:48 PM, Martin Visser <martinvisser99-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org> wrote:

    Nangergong,


    A TCP stream is a single connection between two IP addresses, between the two same ports. If you see the beginning you'll see the SYN-SYN/ACK-ACK handshake, an will also see the sequence numbers increasing. Some protocols like HTTP/1.1 can have multiple higher level conversations on the one connection, so I am not sure that is what you might be seeing?

    Regards, Martin

    MartinVisser99-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org



    On 23 May 2012 2

Re: what does the TCP stream mean in wireshark

nangergong — 2012-05-23T12:13:33

Thanks! But previously I saw a tcp stream where there are several TCP
connections (I mean mutiple SYN-SYN/ACK-ACK handshakes)

On Wed, May 23, 2012 at 12:48 PM, Martin Visser <martinvisser99-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org>wrote:

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: what does the TCP stream mean in wireshark

Martin Visser — 2012-05-23T10:48:29

Nangergong,

A TCP stream is a single connection between two IP addresses, between the
two same ports. If you see the beginning you'll see the SYN-SYN/ACK-ACK
handshake, an will also see the sequence numbers increasing. Some protocols
like HTTP/1.1 can have multiple higher level conversations on the one
connection, so I am not sure that is what you might be seeing?

Regards, Martin

MartinVisser99-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org


On 23 May 2012 20:28, nangergong <nangergong-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org> wrote:

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: what does the TCP stream mean in wireshark

NITIN GOYAL — 2012-05-23T10:46:01

it will show the data captured over the whole TCP stream  you have selected.

On Wed, May 23, 2012 at 3:58 PM, nangergong <nangergong-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org> wrote:

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

what does the TCP stream mean in wireshark

nangergong — 2012-05-23T10:28:32

HI, all:

    In wireshark there is an option "Follow the TCP stream", I'm wondering
what does it mean? it seems that in such a TCP stream there are multiple
TCP connections.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Wireshark 1.6.8 is now available

Gerald Combs — 2012-05-22T18:13:12

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm proud to announce the release of Wireshark 1.6.8.

What is Wireshark?

   Wireshark is the world's most popular network protocol analyzer.
   It is used for troubleshooting, analysis, development and
   education.

What's New

  Bug Fixes

   The following vulnerabilities have been fixed.

     o wnpa-sec-2012-08

       Infinite and large loops in the ANSI MAP, ASF, BACapp,
       Bluetooth HCI, IEEE 802.11, IEEE 802.3, LTP, and R3 dissectors
       have been fixed. Discovered by Laurent Butti. (Bugs 6805,
       7118, 7119, 7120, 7121, 7122, 7124, 7125)

       Versions affected: 1.4.0 to 1.4.12, 1.6.0 to 1.6.7.

     o wnpa-sec-2012-09

       The DIAMETER dissector could try to allocate memory improperly
       and crash. (Bug 7138)

       Versions affected: 1.4.0 to 1.4.12, 1.6.0 to 1.6.7.

     o wnpa-sec-2012-10

       Wireshark could crash on SPARC processors due to misaligned
       memory. Discovered by Klaus Heckelmann. (Bug 7221)

       Versio

Re: Should the "export as text" item be in an"Export Human-readable..." item in the File menu?

Guy Harris — 2012-05-22T17:48:19

On May 19, 2012, at 8:31 PM, <kcullimo-fHTHtPhtvzrQT0dZR+AlfA< at >public.gmane.org> <kcullimo-fHTHtPhtvzrQT0dZR+AlfA< at >public.gmane.org> wrote:


It might, although I might think of a "report" as being a summary table or graph that pops up in a window rather than something that gives information for every packet.  Do those tools use "report" for options that write out, for example, a dissection summary or detail for all or specified packets?

(Also, for the SSL session keys, would "Export" or "Save" or some other verb be appropriate?)

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe

Re: Should the "export as text" item be in an"Export Human-readable..." item in the File menu?

Guy Harris — 2012-05-22T11:48:25

On May 19, 2012, at 4:33 PM, Guy Harris wrote:


OK, I've checked in a change to do that.

I'll also be splitting "Save As" into:

File -> Save As - *always* writes out *every* packet, and, if it succeeds, makes the newly-saved file the current file;

File -> Export Specified Packets (verb subject to discussion) - *can* write out every packet, but offers the choices that "Save As" currently offers for selecting packets, and *never* makes the newly-saved file the current file;

which may clear up one of the issues from bug 6640.

(I've already changed "Save" so that, if you've edited the comments in a non-temporary file, it just saves on top of the existing file - using "safe save", i.e. "write to a new file and then rename the new file on top of the old file", as that's required by the way we work, and is *also* what should be done, so that writing the file out doesn't permanently destroy data if it fails in the middle.)

___________________________________________________________________________
Sent via

Re: RTP stats explaination

RUOFF, LARS (LARS — 2012-05-21T07:43:39

Hi,

Are you using some sort of silence suppression (or voice activity detection) ?
If not, then the packets of your stream should be evenly spaced over time, i.e. "Max delta" should not be very different from the RTP packetization time. Go to the packets with high "Delta" and verify that you have gaps in your RTP stream. It seems you have some timing issues with your app.

Lars



-----Original Message-----
From: wireshark-users-bounces-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org [mailto:wireshark-users-bounces-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org] On Behalf Of Arif Hossain
Sent: vendredi 18 mai 2012 12:22
To: wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org; netfilter-devel-u79uwXL29TY76Z2rM5mHXA< at >public.gmane.org; netfilter-u79uwXL29TY76Z2rM5mHXA< at >public.gmane.org; CentOS mailing list; debian-user-0aAXYlwwYIJuHlm7Suoebg< at >public.gmane.org
Subject: [Wireshark-users] RTP stats explaination

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,
We are getting very poor quality of voice during testing of a

Re: DHCP option 66

Marco Zuppone — 2012-05-20T22:43:20

Hello,

from the packet seems really that the option 66 is not there.
I'm not a super-expert of dhcp options but I had a look to rfc2132.
There is stated that:
  This option is used to identify a TFTP server when the 'sname' field
  in the DHCP header has been used for DHCP options.

So maybe you'd try to ''play'' with option 52 as well:
This option is used to indicate that the DHCP 'sname' or 'file'
  fields are being overloaded by using them to carry DHCP options. A
  DHCP server inserts this option if the returned parameters will
  exceed the usual space allotted for options.

  If this option is present, the client interprets the specified
  additional fields after it concludes interpretation of the standard
  option fields.

  The code for this option is 52, and its length is 1.  Legal values
  for this option are:

          Value   Meaning
          -----   --------
            1     the 'file' field is used to hold options
            2     the 'sname' field is used to hold options
            3

Re: DHCP option 66

2012-05-20T22:03:54

There are a few test apps that do this also there is a perl script in cpan I believe. Google dhcp test client

Sent via BlackBerry by AT&T

-----Original Message-----
From: "Noam Birnbaum" <noam-uEr5Va4l1d+R7WqMdhRmu8k87cqNqjZ2< at >public.gmane.org>
Sender: wireshark-users-bounces-IZ8446WsY08EXbPK2k+St7NAH6kLmebB< at >public.gmane.org: Sun, 20 May 2012 14:48:55 
To: Community support list for Wireshark<wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Reply-To: Community support list for Wireshark <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Cc: Community support list for Wireshark<wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Subject: Re: [Wireshark-users] DHCP option 66


Ahhhhhhhhhh!

Suggestions in how to manually form a DHCP discover that requests option 66? 

Sent from my iPhone

On May 19, 2012, at 3:57 PM, "Bob Carlson" <bob-Lz86LsyXXeaaMJb+Lgu22Q< at >public.gmane.org> wrote:


___________________________________________________________________________
Sent via:    Wireshark-users m

Re: DHCP option 66

Noam Birnbaum — 2012-05-20T21:48:55

Ahhhhhhhhhh!

Suggestions in how to manually form a DHCP discover that requests option 66? 

Sent from my iPhone

On May 19, 2012, at 3:57 PM, "Bob Carlson" <bob-Lz86LsyXXeaaMJb+Lgu22Q< at >public.gmane.org> wrote:


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request-IZ8446WsY0/dtAWm4Da02A< at >public.gmane.org?subject=unsubscribe