
Why are some TCP conversations shown backwards/reversed?


When viewing TCP conversations, the flow appears backwards. I would expect "Address A" to be the source and "Address B" to be the destination, like it is most of the time. In both examples I captured TCP SYN & SYN/ACKs, but one example shows the correct direction and the other is reversed.

Edit: links to files at the bottom. I also found another example with the same source and dest as the backwards example which shows correctly. My thought is that Wireshark is seeing the source port higher than the destination port so it orders them as such.

Win10 x64 Wireshark Version 3.2.7 (v3.2.7-0-gfb6522d84a3a)

Backwards: [screenshot]

Correct: [screenshot]

Edit: Correct with same source and dest as the backwards one: [screenshot]

Backwards cap: https://www.dropbox.com/s/wpeyc0nui6i...

Not backwards cap: https://www.dropbox.com/s/3as7qeabusy...

Not backwards with same src/dst as original: https://www.dropbox.com/s/0nxed4bwb87...

johns287, asked 2020-10-15 19:23:01 +0000, updated 2020-10-15 20:25:36 +0000

Comments

You can put the files on a public share, e.g. Google Drive, DropBox etc. and post a link to them back here as a comment.

grahamb (2020-10-15 20:00:32 +0000)

Thanks. I edited the original post with the files. I also found another example with the same source and dest as the backwards example which shows correctly. My thought is that Wireshark is seeing the source port higher than the destination port so it orders them as such.

johns287 (2020-10-15 20:25:24 +0000)

1 Answer


I think the assumption is that the ephemeral client port is typically larger than the static server port and that the client starts the connection (conversation).

epan/conversation_table.c - add_conversation_table_data_with_conv_id()

if (src_port > dst_port) {
    addr1 = src;
    addr2 = dst;
    port1 = src_port;
    port2 = dst_port;
} else if (src_port < dst_port) {
    addr2 = src;
    addr1 = dst;
    port2 = src_port;
    port1 = dst_port;
} else if (cmp_address(src, dst) < 0) {
    addr1 = src;
    addr2 = dst;
    port1 = src_port;
    port2 = dst_port;
} else {
    addr2 = src;
    addr1 = dst;
    port2 = src_port;
    port1 = dst_port;
}
Chuckc, answered 2020-10-16 03:13:47 +0000, updated 2020-10-16 03:15:09 +0000
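Added example, not Wireshark's own code: the port rule from the excerpt above, reimplemented beside a handshake-based ordering that makes the sender of the bare SYN "Address A", run over constructed SYN and SYN/ACK segments for a server listening on a port higher than the client's ephemeral port. The segment_t/conv_t types, the IP4 helper and the sample addresses and ports are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
/* Pack an IPv4 address into a host-order integer (helper for this example). */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
/* One captured TCP segment; constructed sample data, IPv4 only. */
typedef struct {
    uint32_t src, dst;
    uint16_t src_port, dst_port;
    int syn, ack;                       /* the two TCP flag bits we look at */
} segment_t;

/* Endpoint pair as the conversation table shows it: 1 is "Address A". */
typedef struct { uint32_t addr1, addr2; uint16_t port1, port2; } conv_t;

static conv_t make_conv(const segment_t *s, int src_is_a) {
    conv_t c;
    if (src_is_a) { c.addr1 = s->src; c.port1 = s->src_port; c.addr2 = s->dst; c.port2 = s->dst_port; }
    else          { c.addr1 = s->dst; c.port1 = s->dst_port; c.addr2 = s->src; c.port2 = s->src_port; }
    return c;
}

/* Port rule from the excerpt above: the higher port becomes "Address A"; on a
 * tie the numerically lower address does (our stand-in for cmp_address()). */
conv_t order_by_port(const segment_t *s) {
    if (s->src_port != s->dst_port)
        return make_conv(s, s->src_port > s->dst_port);
    return make_conv(s, s->src < s->dst);
}

/* Handshake rule: the side that sent the bare SYN is the client and becomes
 * "Address A" whatever its port. With no SYN captured, only the port rule is left. */
conv_t order_by_handshake(const segment_t *s) {
    if (s->syn && !s->ack) return make_conv(s, 1);  /* SYN: src is the client */
    if (s->syn && s->ack)  return make_conv(s, 0);  /* SYN/ACK: dst is the client */
    return order_by_port(s);
}

/* Constructed segments: a normal SYN, and a SYN plus its SYN/ACK for a server
 * listening on a port higher than the client's ephemeral port. */
static const segment_t kNormal         = { IP4(192,168,1,20), IP4(10,0,0,5), 51000, 443,   1, 0 };
static const segment_t kBackwardSyn    = { IP4(192,168,1,20), IP4(10,0,0,5), 49500, 60000, 1, 0 };
static const segment_t kBackwardSynAck = { IP4(10,0,0,5), IP4(192,168,1,20), 60000, 49500, 1, 1 };

int main(void) {
    conv_t p = order_by_port(&kBackwardSyn), h = order_by_handshake(&kBackwardSyn);
    printf("port rule:      Address A = 0x%08x:%u\n", (unsigned)p.addr1, (unsigned)p.port1);  /* 0x0a000005:60000 */
    printf("handshake rule: Address A = 0x%08x:%u\n", (unsigned)h.addr1, (unsigned)h.port1);  /* 0xc0a80114:49500 */
    return 0;
}
```

With the port rule, the server (10.0.0.5:60000) lands in "Address A" for the second capture because 60000 > 49500, which is exactly the reversed display described in the question; the handshake rule puts the client there for both the SYN and the SYN/ACK.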

Comments

Thanks! I'll make a request on the Gitlab site to change this feature to order the hosts according to the 3 way handshake.

johns287 (2020-10-16 12:28:10 +0000)

Gitlab issue 16919

Chuckc (2021-02-03 17:23:24 +0000)
