How could Wireshark pick out the streams of UDP or TCP?
how could wireshark to pick out TCP or UDP stream ?
what's the principle of this function of wireshark?
1 Answer
- Sort by
oldest newest most voted
0
A so called TCP or UDP 'stream' is a representation of a transport layer connection between two nodes. These connections are defined by their network layer source and destination addresses and transport layer ports, and for TCP by their state.
Wireshark assigns an index number to each of these streams it sees. Therefore it looks at the addresses and port numbers and keeps record of this combination. If the combination is new it assigns the next index number, if it has been seen before it retrieves the index number for that steam. The index number is then added as a generated field to the transport layer.
An added complication is that TCP connections can reuse the same address and port combination for a different transport layer connection. This is because TCP is a connection oriented protocol. Therefore Wireshark also keeps track of TCP connection opening and closing (SYN, FIN/RST flags). UDP, being connection-less, does not provide for this.
Your Answer
Please start posting anonymously - your entry will be published after you log in or create a new account.
This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.
Comments