If there is a SYN bit set seen from an endpoint, this is the
source. I am curious whether Wireshark defines it in some other
ways, or is only the SYN bit enough to identify the source and
destination? Secondly, if my traces are partial conversations
and no SYN bit is seen, which one is the source and which the
destination? Port numbers can be used to determine them, but
what if both port numbers make sense? The server uses 80 and the
client uses a port number, let's say, something more than 1024,
but it's also possible for servers to give services from that
port number, as a kind of database queries.
Thanks
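
The heuristic described in the question, written out as an added example that is not part of the original post and is not Wireshark's own logic. The `Pkt` record, the `infer_initiator` function and the 1023 port threshold are assumptions made for illustration, and the sample packets are constructed.

```python
from collections import namedtuple

# Constructed packet record (hypothetical, not a Wireshark structure):
# endpoints plus the two TCP flag bits the heuristic needs.
Pkt = namedtuple("Pkt", "src sport dst dport syn ack")

WELL_KNOWN_MAX = 1023  # assumption: ports 0-1023 are treated as service ports


def infer_initiator(packets):
    """Return (client, server, evidence) for one TCP conversation.

    client and server are (ip, port) tuples, or None when the capture
    does not hold enough information to decide.
    """
    if not packets:
        return None, None, "empty"
    # 1. Handshake evidence: a bare SYN comes from the initiator,
    #    a SYN+ACK comes from the responder.
    for p in packets:
        sender, receiver = (p.src, p.sport), (p.dst, p.dport)
        if p.syn and not p.ack:
            return sender, receiver, "syn"
        if p.syn and p.ack:
            return receiver, sender, "syn-ack"
    # 2. Partial capture without a handshake: fall back to port numbers.
    p = packets[0]
    sender, receiver = (p.src, p.sport), (p.dst, p.dport)
    sender_low = p.sport <= WELL_KNOWN_MAX
    receiver_low = p.dport <= WELL_KNOWN_MAX
    if sender_low != receiver_low:
        # Exactly one side uses a low port: treat that side as the server.
        return (receiver, sender, "port") if sender_low else (sender, receiver, "port")
    # 3. Both ports high (or both low): the direction cannot be decided.
    return None, None, "ambiguous"


# Constructed sample conversations.
WEB, CLI, DB = ("10.0.0.9", 80), ("10.0.0.5", 51514), ("10.0.0.7", 3306)
FULL = [Pkt(*CLI, *WEB, True, False), Pkt(*WEB, *CLI, True, True)]
STARTS_AT_SYNACK = [Pkt(*WEB, *CLI, True, True), Pkt(*CLI, *WEB, False, True)]
MIDSTREAM_WEB = [Pkt(*WEB, *CLI, False, True)]
MIDSTREAM_DB = [Pkt(*CLI, *DB, False, True)]  # 51514 <-> 3306, both above 1023

if __name__ == "__main__":
    for name in ("FULL", "STARTS_AT_SYNACK", "MIDSTREAM_WEB", "MIDSTREAM_DB"):
        print(name, infer_initiator(globals()[name]))
```

The last sample is the case the question raises: with no SYN in the trace and both ports above 1023, the function reports the direction as ambiguous instead of guessing.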