Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

find same packet in wireshark

Posted on 2014-03-02
4
Medium Priority
?
2,217 Views
Last Modified: 2014-03-03
How to find the same packet in wireshark?

I want to take a capture simultaneously on a client and a server and I want to match a packet that left the workstation and went to the server.

I filter for the same source and destination ip address and tcp ports and the seq and ack numbers match but I find multiple packets on the server that match all the same values as the packet that left the workstation.

Is there some value that makes a packet unique?

Thanks
0
Comment
Question by:Dragon0x40
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 39898393
Eevery single IP packet has an Identification field. "When an IP packet is sent by the source, it places a unique value in the Identification field." You may find the ID field from every packet captured by WireShark.

TCP/IP Core Protocols
http://technet.microsoft.com/en-us/library/cc958827.aspx
0
 

Author Comment

by:Dragon0x40
ID: 39898771
the packet from the client has an ip identification field of 0x84de and if I right click on that and choose prepare filter for selected it creates a display filter of ip.id==0x84de and then I put that same display filter into the server capture

In the server capture using the identification field as a display filter does seem to narrow the search down but when i filter for ip.id==0x84de for example I get multiple packets (24 in this capture) and not even the same source and destination ip addresses.

if on the server I filter for the ip.id==0x84de plus the source and destination ports that narrows it down to a single packet. for example: ((ip.id==0x84de) && (tcp.src.port==1123)) && (tcp.dstport==443)

so it seems the identification field value gets reused and is not enough in a large packet capture to match up the packet that was sent from the client to the server and additional filter fields are necessary

The identification field does seem to work but is there an easier way?
0
 

Author Comment

by:Dragon0x40
ID: 39899144
http://www.experts-exchange.com/Programming/Languages/Pascal/Delphi/Q_21053894.html

Check this site: http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/ip-packet.html
The Identifcation field is a "16-bit number which together with the source address uniquely identifies this packet - used during reassembly of fragmented  datagrams" In other words ... this is an unique identifier to your packet ...

(Looks like a wireshark display filter in the form of (ip.id == 0x0d0e) && (ip.src == 192.168.1.67) should let me trace a specific packet anywhere in the network up until the private ip address gets translated to a routable address.)
0
 
LVL 37

Accepted Solution

by:
bbao earned 2000 total points
ID: 39899625
good findings, well done.

> The identification field does seem to work but is there an easier way?

on the gateway server, you have to combine at least source IP as the criteria to uniquely locate a packet.

> Looks like a wireshark display filter in the form of (ip.id == 0x0d0e) && (ip.src == 192.168.1.67) should let me trace a specific packet anywhere in the network up until the private ip address gets translated to a routable address.)

yes and yes.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question