Wireshark - How to see both sides of a tcp conversation?

I'm trying to create a filter on a capture file that shows me both sides of the tcp conversation between my laptop and a server.

I thought that tcp.srcport == xxxxxx would do it.  I've done this before, but at the moment, how I've done it escapes me.  I want to see something like

laptop ip.src xxx  server ip.dst xxx syn
server ip.src xxx  laptop ip.dst xxx syn-ack
laptop ip.src xxx server ip.dst xxx ack

tcp.srcport == xxx is displaying
laptop ip.src xxx  server ip.dst xxx syn
laptop ip.src xxx server ip.dst xxx ack

Who can help me out with creating the filter here?

Thanks
Asked by: Westez
Westez (Author) Commented:
I've got it, it's tcp.port == xxxxxx

Who can show me another way?
bcbigbCommented:
Worry about the TCP flags after you get the initial conversation filtered.

Start with something like:

"ip.addr eq 192.168.5.1 and ip.addr eq 192.168.5.100"

...which can be easily generated by selecting a packet between the desired source/dest addresses, right-clicking and selecting "Conversation Filter" --> "IP"


Then you can append whatever other filter characteristics you want, such as SYNs only:

" && (tcp.flags.syn == 1)"

or ACKs only:

" && (tcp.flags.ack == 1)"

(Note: remember to be careful about ANDs vs. ORs. If you applied one or the other of the above, you will keep SYN/ACKs. If you appended *both* of the above you would *only* get SYN/ACK packets, and not one or the other.)

To do one or the other, append the following to the above:

" && ((tcp.flags.syn == 1) || (tcp.flags.ack == 1))"


Hopefully this answers your question...

If you're getting too many packets and are sure you only want this conversation, you can write a capture filter to keep only this TCP conversation in Wireshark...

~BC
bcbigbCommented:
The first filter is all you're looking for if you want just the conversation between the computers. If you want filters to do other things or filter more specifically let me know.
Rick_O_ShayCommented:
The syntax for a tcp connection is:
ip.addr==11.10.16.6 && tcp.port==51415 && ip.addr==11.10.24.11 && tcp.port==113

An easy way to filter it is to go to Statistics, then Conversations, and click the TCP tab (if it is TCP).
Right click the session in there and apply as filter/selected/A to B.
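To make the difference between the filters in this thread concrete, here is an added example (written for this page, not code from the thread or from Wireshark) that evaluates the display-filter expressions from bcbigb's and Rick_O_Shay's answers over a constructed packet list: the asker's original tcp.srcport filter, the tcp.port fix, the ip.addr host pair, the four-tuple TCP conversation, and the appended flag clauses. The addresses, ports and packets are all constructed, and the evaluator mirrors how Wireshark evaluates each clause independently (ip.addr and tcp.port match either end of the packet), which is exactly why tcp.srcport only ever shows one direction.

```python
# Added example, not from the thread: a tiny evaluator for the Wireshark
# display-filter expressions discussed above, run over a constructed packet
# list so each filter's effect can be checked offline.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str     # ip.src
    dst: str     # ip.dst
    sport: int   # tcp.srcport
    dport: int   # tcp.dstport
    syn: bool    # tcp.flags.syn
    ack: bool    # tcp.flags.ack


# Constructed addresses standing in for the thread's placeholders.
LAPTOP = "192.168.5.100"
SERVER = "192.168.5.1"
OTHER = "192.168.5.7"

# Constructed capture: the laptop's handshake to the server on port 80,
# a second laptop->server connection on 443, and an unrelated host that
# happens to reuse the same source port.
CAPTURE = [
    Packet(LAPTOP, SERVER, 51415, 80, syn=True, ack=False),   # 0: SYN
    Packet(SERVER, LAPTOP, 80, 51415, syn=True, ack=True),    # 1: SYN/ACK
    Packet(LAPTOP, SERVER, 51415, 80, syn=False, ack=True),   # 2: ACK
    Packet(LAPTOP, SERVER, 51416, 443, syn=True, ack=False),  # 3: second connection
    Packet(SERVER, LAPTOP, 443, 51416, syn=True, ack=True),   # 4
    Packet(OTHER, SERVER, 51415, 80, syn=True, ack=False),    # 5: other host, same ports
]


def tcp_srcport(port):
    """tcp.srcport == port: only packets sent FROM that port (one direction)."""
    return lambda p: p.sport == port


def tcp_port(port):
    """tcp.port == port: the port at either end, so both directions match."""
    return lambda p: port in (p.sport, p.dport)


def ip_pair(a, b):
    """ip.addr eq a and ip.addr eq b: every packet exchanged between the two hosts."""
    return lambda p: a in (p.src, p.dst) and b in (p.src, p.dst)


def tcp_conversation(a, pa, b, pb):
    """ip.addr==a && tcp.port==pa && ip.addr==b && tcp.port==pb, evaluated the
    way Wireshark does: each clause independently, either end of the packet."""
    return lambda p: (a in (p.src, p.dst) and b in (p.src, p.dst)
                      and pa in (p.sport, p.dport) and pb in (p.sport, p.dport))


def with_flags(filt, syn=None, ack=None):
    """Append ' && (tcp.flags.syn == 1)' and/or ' && (tcp.flags.ack == 1)'.
    Passing both keeps only packets with both bits set, i.e. SYN/ACKs."""
    return lambda p: (filt(p)
                      and (syn is None or p.syn == syn)
                      and (ack is None or p.ack == ack))


def with_syn_or_ack(filt):
    """Append ' && ((tcp.flags.syn == 1) || (tcp.flags.ack == 1))'."""
    return lambda p: filt(p) and (p.syn or p.ack)


def apply_filter(filt, packets=CAPTURE):
    """Indices of the packets a display filter keeps, in capture order."""
    return [i for i, p in enumerate(packets) if filt(p)]


if __name__ == "__main__":
    conv = tcp_conversation(LAPTOP, 51415, SERVER, 80)
    print("tcp.srcport == 51415 ->", apply_filter(tcp_srcport(51415)))       # [0, 2, 5]
    print("tcp.port == 51415    ->", apply_filter(tcp_port(51415)))          # [0, 1, 2, 5]
    print("ip.addr pair         ->", apply_filter(ip_pair(LAPTOP, SERVER)))  # [0, 1, 2, 3, 4]
    print("4-tuple conversation ->", apply_filter(conv))                     # [0, 1, 2]
    print("pair && syn && ack   ->",
          apply_filter(with_flags(ip_pair(LAPTOP, SERVER), syn=True, ack=True)))  # [1, 4]
```

Running it shows the asker's problem directly: tcp.srcport == 51415 keeps only the laptop's side (and, in this constructed capture, a stray packet from another host reusing the port), tcp.port == 51415 brings back the server's SYN/ACK, the ip.addr pair pulls in every connection between the two hosts, and only the four-tuple filter from the Conversations dialog isolates the single TCP connection. The flag clauses then narrow whichever of those you start from.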
Westez (Author) Commented:
Hey thanks a bunch guys.  I appreciate your cluing me in to some of the finer details.