Follow TCP stream only shows one side of the conversation - why?

Hi,

I was filtering a TCP conversation with Wireshark, and in the packet view I can clearly see requests and responses between two sockets - this is on a loopback traffic capture. But when I select "Follow > TCP Stream" I only see the outbound stream (red), not the inbound (blue). I tried multiple times, also with other streams, and restarted Wireshark.

How do I fix this? [edit] Here is the recorded TCP conversation. Open it with Wireshark, then try for yourself (using Wireshark 3.6.7, Windows 11 64-bit): https://drive.google.com/file/d/1USJx...

kai.hackemesser@gmail.com, asked 2022-09-07 01:51:36 +0000, updated 2022-09-07 09:00:03 +0000

Comments

Can you add a column for tcp.stream and verify inbound/outbound are the same stream number.

Chuckc (2022-09-07 02:52:31 +0000)

Thanks, done that; the stream ID is consistently the same. I did an export of the selected packets and reopened it in Wireshark, and the problem persists. I can share the exported stream for testing on your side, if you tell me how ...

kai.hackemesser@gmail.com (2022-09-07 04:10:44 +0000)

Place it on a public file share such as Google, Onedrive or Dropbox then update the question with a link to the file.

Chuckc (2022-09-07 04:19:26 +0000)

It would be rather weird if both ways are identified with the same TCP stream. What version of Wireshark are you running?

I have cases where I have to manually combine streams due to the way the capture takes place on a device performing NAT. So outbound shows the NATted source just as inbound does, but if you get both sides AFTER NAT then it's not the same stream according to Wireshark. But it is always clear.

Filtering on an OR with both stream numbers solves that issue.

hugo.vanderkooij (2022-09-07 06:00:57 +0000)

Hi Hugo, each TCP connection comes with a bidirectional data stream. NAT is not involved here; two localhost ports are talking to each other. They do, and I see it in the recorded packets. Just not in the Follow TCP Stream window, where one direction is supposed to be red and the other blue. Blue is missing.

kai.hackemesser@gmail.com (2022-09-07 08:56:34 +0000)

1 Answer


It's the hiccup at the TCP connection establishment (the TCP reset in frame 2) that throws things off. You can see this if you select to 'Ignore' frame 2 and then do the Follow TCP Stream.

Jaap, answered 2022-09-07 10:45:37 +0000
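Both checks raised in the thread (Chuckc's "are inbound and outbound the same tcp.stream?" and Jaap's "is there a reset before the handshake settled?") can be scripted over a tshark field export. This is an added example, not code from the thread or from Wireshark; the tshark command in the comment uses real options, but the sample export below is constructed and is not the asker's capture.

```python
from collections import defaultdict

# tshark export this script consumes (real options; run against your own file):
#   tshark -r capture.pcapng -T fields -E separator=, -e frame.number \
#     -e tcp.stream -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport \
#     -e tcp.flags.reset -e tcp.len
# Constructed sample: the first SYN on loopback is answered by a RST in
# frame 2, a second SYN then succeeds and payload flows in both directions.
SAMPLE_EXPORT = """\
1,0,127.0.0.1,54321,127.0.0.1,8080,0,0
2,0,127.0.0.1,8080,127.0.0.1,54321,1,0
3,0,127.0.0.1,54321,127.0.0.1,8080,0,0
4,0,127.0.0.1,8080,127.0.0.1,54321,0,0
5,0,127.0.0.1,54321,127.0.0.1,8080,0,0
6,0,127.0.0.1,54321,127.0.0.1,8080,0,120
7,0,127.0.0.1,8080,127.0.0.1,54321,0,512
"""

def analyse_streams(export):
    """Per tcp.stream: directions carrying payload, distinct endpoint pairs,
    and frames with RST set before any payload was seen in that stream."""
    streams = defaultdict(lambda: {"payload_dirs": set(), "pairs": set(),
                                   "rst_before_data": []})
    for line in export.splitlines():
        if not line.strip():
            continue
        frame, sid, src, sport, dst, dport, rst, plen = line.split(",")
        st = streams[int(sid)]
        # Unordered endpoint pair: both directions must collapse to one pair.
        st["pairs"].add(frozenset({(src, sport), (dst, dport)}))
        if rst == "1" and not st["payload_dirs"]:
            st["rst_before_data"].append(int(frame))
        if int(plen) > 0:
            st["payload_dirs"].add(f"{src}:{sport} -> {dst}:{dport}")
    return dict(streams)

def report(export):
    """Return one warning string per suspicious condition found."""
    warnings = []
    for sid, st in sorted(analyse_streams(export).items()):
        if len(st["pairs"]) != 1:
            warnings.append(f"stream {sid}: frames span {len(st['pairs'])} endpoint pairs")
        if len(st["payload_dirs"]) < 2:
            warnings.append(f"stream {sid}: payload in only {len(st['payload_dirs'])} direction(s)")
        if st["rst_before_data"]:
            warnings.append(f"stream {sid}: RST before any payload in frame(s) "
                            f"{st['rst_before_data']}; try Ignore on them before Follow")
    return warnings

if __name__ == "__main__":
    for warning in report(SAMPLE_EXPORT):
        print(warning)
```

On the constructed sample the only warning is the early RST in frame 2, which matches the answer's diagnosis; a capture where the two directions really landed in different tcp.stream values would instead show each stream with payload in one direction only.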

Comments

Is this something worth a bug report for Wireshark, and where would I place that?

kai.hackemesser@gmail.com (2022-09-09 03:13:44 +0000)

This is a nice test case for sure. You can file an issue at https://gitlab.com/wireshark/wireshark/-/issues

Jaap (2022-09-09 05:53:00 +0000)