On Jan 24, 2011, at 8:18 PM, Berkay Celik wrote:
> Guy, thanks for the answer but I'm not satisfied. When you get the conversation list using the tshark, even if there are partial conversations (no SYN or 3-way handshake is not observed) commonly tshark gives the correct results,
What do you mean by "When you get the conversation list using the tshark"? Are you referring to "-z conv,tcp"? If so, then the only results you get involve the endpoints as IP address:port; TShark does *NOT* mark one endpoint as the source and another endpoint as the destination:
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
AAA.BBB.CCC.DDD:1355 <-> XXX.YYY.ZZZ.WWW:139       14      4332      15      6018      29     10350
AAA.BBB.CCC.DDD:1819 <-> MMM.NNN.OOO.PPP:80        12     13565      11       898      23     14463
AAA.BBB.CCC.DDD:1839 <-> EEE.FFF.GGG.HHH:80         7      5830       6       673      13      6503
(IP addresses obscured here, but that's the output from TShark). It has *NOT* identified AAA.BBB.CCC.DDD as the source and XXX.YYY.ZZZ.WWW as the destination in the first of those conversations; AAA.BBB.CCC.DDD happens to be the source address, and XXX.YYY.ZZZ.WWW happens to be the destination address of the first packet in that TCP connection in the capture, but there is *NO* guarantee that the first packet in the capture is going from the machine that initiated the connection. There are reasons why it's *likely* that it is, but it is not *guaranteed*.
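As an added illustration of the distinction Guy draws (example code, not from the thread and not TShark's own code), the following Python groups packet records into conversations keyed by unordered endpoint pair, records the endpoint of the first packet seen the way the conv table's left-hand side does, and separately records an initiator only when a bare SYN is actually observed; the packet records are constructed, and the field layout is an assumption.

```python
from collections import defaultdict

# Constructed sample packets (not from the capture in the thread):
# (src_ip, src_port, dst_ip, dst_port, tcp_flags, frame_length)
PACKETS = [
    # Conversation A: capture started mid-stream, so the first packet
    # seen travels server -> client; the server is NOT the initiator.
    ("10.0.0.9", 80, "192.0.2.5", 40001, "ACK|PSH", 1200),
    ("192.0.2.5", 40001, "10.0.0.9", 80, "ACK", 60),
    # Conversation B: full handshake observed, client initiates.
    ("192.0.2.5", 40002, "10.0.0.9", 443, "SYN", 74),
    ("10.0.0.9", 443, "192.0.2.5", 40002, "SYN|ACK", 74),
    ("192.0.2.5", 40002, "10.0.0.9", 443, "ACK", 66),
    ("192.0.2.5", 40002, "10.0.0.9", 443, "ACK|PSH", 500),
]


def conversations(packets):
    """Group packets into TShark-style conversations (unordered endpoint pairs).

    'first_seen' is the source endpoint of the first packet in the capture,
    which is all the left-hand side of the conv table tells you.
    'initiator' is filled in only when a bare SYN (SYN without ACK) is seen,
    i.e. when the start of the handshake is in the capture; otherwise it
    stays None, because the first packet seen need not come from the
    machine that opened the connection.
    """
    convs = {}
    for src, sport, dst, dport, flags, length in packets:
        a, b = (src, sport), (dst, dport)
        key = frozenset((a, b))  # direction-agnostic, like the conv table
        c = convs.setdefault(key, {
            "first_seen": a,
            "initiator": None,
            "frames": defaultdict(int),
            "bytes": defaultdict(int),
        })
        c["frames"][a] += 1
        c["bytes"][a] += length
        fset = set(flags.split("|"))
        if "SYN" in fset and "ACK" not in fset and c["initiator"] is None:
            c["initiator"] = a
    return convs


def report(convs):
    """Render one line per conversation, marking an unknown initiator explicitly."""
    lines = []
    for key, c in convs.items():
        left = c["first_seen"]
        (right,) = key - {left}
        init = "%s:%d" % c["initiator"] if c["initiator"] else "unknown (no SYN seen)"
        lines.append("%s:%d <-> %s:%d  initiator: %s" % (left + right + (init,)))
    return lines
```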