Wireshark-users: Re: [Wireshark-users] Filtering sequence numbers between concurrent incoming TCP

From: Jeff Bruns <jeff.bruns@xxxxxxxxx>
Date: Mon, 3 May 2010 11:40:06 -0400
Richard-
Thank you, you answered my question. I had entirely overlooked the TCP sender's port number; it had not occurred to me at the time that the port number would differ from message to message. Brain hiccup.

And as expected, the TCP port number of the first message is 54823, the second message 54824.

Thanks for the help.

Jeff Bruns

On Mon, May 3, 2010 at 7:50 AM, Richard Bejtlich <taosecurity@xxxxxxxxx> wrote:
On Sun, May 2, 2010 at 9:21 PM, Jeff Bruns <jeff.bruns@xxxxxxxxx> wrote:
> Greetings-
> I've been using Wireshark to analyze network traffic that's being parsed by
> a network sniffing perl application. My recent problem is that I've
> discovered 2 incoming messages, occurring within nanoseconds of each other. I
> suspect that my network sniffer is trying to reassemble some or all of the
> packets of both messages into a single message. Obviously the packets from
> both of these transmissions adhere to one of two sequence number schemes,
> depending on which message they belong to.
>

Hello,

Do you mean to say you have two TCP segments, such that

Msg 1: Src IP A Src Port B -> Dst IP C Dst Port D

and

Msg 2: Src IP A Src Port B -> Dst IP C Dst Port D

?

In other words, you expect your application to differentiate between
segments based on sequence number alone?

Sincerely,

Richard
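The point of the exchange above is that two concurrent connections from the same client share IP addresses and can even share sequence numbers, so a sniffer has to key its reassembly on the full 4-tuple, not on sequence numbers alone. The following is an added example in Python (not the poster's Perl sniffer, and not part of the original thread) with constructed segments from two connections that differ only in client port, 54823 and 54824 as in the thread; it shows the mixed-up stream you get when the port is ignored and the correct per-connection streams when it is not.

```python
from collections import defaultdict

# Constructed sample: two concurrent connections, same client IP and same
# server IP/port, differing only in client source port. Sequence numbers
# deliberately overlap, as they can in real traffic.
# Fields: (src_ip, src_port, dst_ip, dst_port, seq, payload)
SEGMENTS = [
    ("10.0.0.5", 54823, "10.0.0.9", 8080, 1000, b"HELLO "),
    ("10.0.0.5", 54824, "10.0.0.9", 8080, 1000, b"WORLD "),  # same seq, other flow
    ("10.0.0.5", 54824, "10.0.0.9", 8080, 1006, b"TWO\n"),
    ("10.0.0.5", 54823, "10.0.0.9", 8080, 1006, b"ONE\n"),
]


def flow_key(seg, use_ports=True):
    """Identify the connection a segment belongs to."""
    src_ip, src_port, dst_ip, dst_port, _, _ = seg
    if use_ports:
        return (src_ip, src_port, dst_ip, dst_port)  # correct: full 4-tuple
    return (src_ip, dst_ip)  # the mistake: ports dropped, flows collide


def reassemble(segments, use_ports=True):
    """Group segments per flow, order each flow by seq, and report any
    sequence-number collisions (two different payloads claiming one seq)."""
    flows = defaultdict(dict)  # flow key -> {seq: payload}
    collisions = []
    for seg in segments:
        key, seq, payload = flow_key(seg, use_ports), seg[4], seg[5]
        if seq in flows[key] and flows[key][seq] != payload:
            collisions.append((key, seq))  # evidence of merged connections
        flows[key][seq] = payload  # last writer wins, as a naive sniffer would do
    streams = {}
    for key, chunks in flows.items():
        expected, data = min(chunks), b""
        for seq in sorted(chunks):
            if seq != expected:
                break  # gap in the byte stream; stop here
            data += chunks[seq]
            expected = seq + len(chunks[seq])
        streams[key] = data
    return streams, collisions


if __name__ == "__main__":
    print(reassemble(SEGMENTS, use_ports=True))   # two clean streams
    print(reassemble(SEGMENTS, use_ports=False))  # one garbled stream, 2 collisions
```

A non-empty collision list from real captures is a quick check that a sniffer is merging connections that Wireshark keeps apart.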