Dragon0x40


find same packet in wireshark

How to find the same packet in wireshark?

I want to take a capture simultaneously on a client and a server and I want to match a packet that left the workstation and went to the server.

I filter for the same source and destination ip address and tcp ports and the seq and ack numbers match but I find multiple packets on the server that match all the same values as the packet that left the workstation.

Is there some value that makes a packet unique?

Thanks
bbao

Every single IP packet has an Identification field. "When an IP packet is sent by the source, it places a unique value in the Identification field." You may find the ID field in every packet captured by Wireshark.

TCP/IP Core Protocols
http://technet.microsoft.com/en-us/library/cc958827.aspx
Dragon0x40

ASKER

The packet from the client has an IP identification field of 0x84de, and if I right-click on that and choose "prepare filter for selected", it creates a display filter of ip.id==0x84de, and then I put that same display filter into the server capture.

In the server capture, using the identification field as a display filter does seem to narrow the search down, but when I filter for ip.id==0x84de, for example, I get multiple packets (24 in this capture), and not even the same source and destination IP addresses.

If on the server I filter for ip.id==0x84de plus the source and destination ports, that narrows it down to a single packet. For example: ((ip.id==0x84de) && (tcp.srcport==1123)) && (tcp.dstport==443)

So it seems the identification field value gets reused and is not enough in a large packet capture to match up the packet that was sent from the client to the server; additional filter fields are necessary.

The identification field does seem to work but is there an easier way?
https://www.experts-exchange.com/questions/21053894/About-identification-field-in-an-IP-packet.html

Check this site: http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/ip-packet.html
The Identification field is a "16-bit number which together with the source address uniquely identifies this packet - used during reassembly of fragmented datagrams". In other words ... this is a unique identifier for your packet ...

(Looks like a Wireshark display filter in the form of (ip.id == 0x0d0e) && (ip.src == 192.168.1.67) should let me trace a specific packet anywhere in the network up until the private IP address gets translated to a routable address.)
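As an added example that is not part of the thread, the script below does the matching described above offline: it parses the IPv4 Identification field and the TCP addresses and ports out of raw packet bytes, shows that ip.id alone matches several server-side packets while ip.id combined with the addresses and ports narrows it to one, and renders the same criteria as a pasteable Wireshark display filter. All packets, addresses and ports are constructed sample data, not the capture from the question, and `build_packet`, `parse_packet`, `find_matches` and `display_filter` are names chosen for this example.

```python
import socket
import struct

# --- Constructed sample data (not from the thread's captures) -------------

def build_packet(ip_id, src, dst, sport, dport, seq, ack):
    """Build a minimal IPv4 + TCP header (40 bytes, no payload) for the demo."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                   # version 4, IHL 5 (20-byte header)
        0, 40,                  # TOS, total length
        ip_id,                  # the Identification field discussed above
        0x4000,                 # flags: DF set, fragment offset 0
        64, 6, 0,               # TTL, protocol TCP, checksum (left zero)
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport, seq, ack,
        0x50,                   # data offset 5 (20-byte header)
        0x10,                   # flags: ACK
        65535, 0, 0,            # window, checksum (zero), urgent pointer
    )
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Extract the Wireshark-named fields used for matching from a raw IPv4/TCP packet."""
    ver_ihl, _tos, _tlen, ip_id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled here")
    ihl = (ver_ihl & 0x0F) * 4          # honour IP options if present
    sport, dport, seq, ack = struct.unpack("!HHII", raw[ihl:ihl + 12])
    return {
        "ip.id": ip_id,
        "ip.src": socket.inet_ntoa(src),
        "ip.dst": socket.inet_ntoa(dst),
        "tcp.srcport": sport,
        "tcp.dstport": dport,
        "tcp.seq": seq,
        "tcp.ack": ack,
    }


def find_matches(client_pkt, server_capture, fields):
    """Return every server-side packet equal to client_pkt on all of `fields`."""
    return [p for p in server_capture if all(p[f] == client_pkt[f] for f in fields)]


def display_filter(pkt, fields):
    """Render the same match criteria as a Wireshark display filter string."""
    def fmt(f):
        v = pkt[f]
        return f"0x{v:04x}" if f == "ip.id" else str(v)
    return " && ".join(f"({f} == {fmt(f)})" for f in fields)


# The packet seen leaving the client: 10.0.0.5:1123 -> 203.0.113.10:443, ip.id 0x84de
CLIENT_PKT = parse_packet(build_packet(0x84de, "10.0.0.5", "203.0.113.10", 1123, 443, 1000, 2000))

# The server-side capture: the real copy plus unrelated packets that reuse ip.id 0x84de
SERVER_CAPTURE = [parse_packet(b) for b in (
    build_packet(0x84de, "10.0.0.5", "203.0.113.10", 1123, 443, 1000, 2000),    # the match
    build_packet(0x84de, "10.0.0.7", "203.0.113.10", 40211, 443, 5000, 6000),   # other client, same id
    build_packet(0x84de, "203.0.113.10", "10.0.0.9", 443, 51000, 7000, 8000),   # server reply, same id
    build_packet(0x1a2b, "10.0.0.5", "203.0.113.10", 1123, 443, 1040, 2000),    # same flow, next id
)]

ID_ONLY = ("ip.id",)
ID_AND_FLOW = ("ip.id", "ip.src", "ip.dst", "tcp.srcport", "tcp.dstport")

if __name__ == "__main__":
    for fields in (ID_ONLY, ID_AND_FLOW):
        hits = find_matches(CLIENT_PKT, SERVER_CAPTURE, fields)
        print(f"{display_filter(CLIENT_PKT, fields):110} -> {len(hits)} packet(s)")
```

Running it prints the ip.id-only filter matching three packets and the combined filter matching exactly one, which is the behaviour the thread observed. The Identification field is only 16 bits, so it wraps quickly on a busy host and is reused across flows; pairing it with the addresses and ports (and, where there is any doubt, tcp.seq and tcp.ack) is what makes the match reliable. Across NAT the ip.id value is carried through while ip.src changes, so on the far side of the translation the filter should use the translated address.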
ASKER CERTIFIED SOLUTION
bbao