On Jan 28, 2011, at 5:38 PM, Andrew Hood wrote:
> This tends to fail on Windoze,
There's no guarantee that it will succeed, which is the ultimate point:
1) in the "show me the conversations" tap, Wireshark and TShark *DO NOT IDENTIFY THE SOURCE AND DESTINATION*, belief by anybody to the contrary notwithstanding - it merely chooses which endpoint to put first, based on the guess Ronnie described, which may or may not *correctly* guess which endpoint is the source, and may be more likely to incorrectly guess if the source is running Windows;
2) there *IS NO MAGIC WAY TO IDENTIFY THE "source" or "destination" OF A TCP CONNECTION AT THE TCP LAYER UNLESS YOU'VE SEEN THE INITIAL SYN OR THE RESPONDING SYN+ACK*;
so asking how Wireshark/TShark magically achieves this impossible goal, in order to determine how to achieve this impossible goal in other code, is a waste of time.
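
An added example, not part of the original message and not Wireshark's or TShark's code: a sketch that labels the initiator of a TCP conversation only when the initial SYN or the responding SYN+ACK is in the capture, and reports the direction as unknown otherwise. The helper names and the sample packets are constructed for illustration.

```python
import struct

SYN, PSH, ACK = 0x02, 0x08, 0x10

def tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (constructed sample data)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def conv_key(a, b):
    """Direction-independent key for the pair of (ip, port) endpoints."""
    return tuple(sorted((a, b)))

def find_initiators(packets):
    """packets: iterable of (src_ip, dst_ip, tcp_header_bytes).

    Returns {conv_key: (initiator, responder)}, or None as the value when
    neither the SYN nor the SYN+ACK of that conversation was captured.
    """
    result = {}
    for src_ip, dst_ip, hdr in packets:
        sport, dport = struct.unpack("!HH", hdr[:4])
        flags = hdr[13]  # flags byte follows the data-offset byte
        sender, receiver = (src_ip, sport), (dst_ip, dport)
        key = conv_key(sender, receiver)
        if result.setdefault(key, None) is not None:
            continue  # direction already established for this conversation
        if flags & SYN and not flags & ACK:
            result[key] = (sender, receiver)   # initial SYN: sender initiated
        elif flags & SYN and flags & ACK:
            result[key] = (receiver, sender)   # SYN+ACK: sender is responding
    return result

# Constructed sample capture: three conversations.
SAMPLE = [
    # 1) full handshake captured
    ("10.0.0.5", "10.0.0.9", tcp_header(49152, 443, SYN)),
    ("10.0.0.9", "10.0.0.5", tcp_header(443, 49152, SYN | ACK)),
    ("10.0.0.5", "10.0.0.9", tcp_header(49152, 443, ACK)),
    # 2) capture began after the SYN; only the SYN+ACK was seen
    ("10.0.0.9", "10.0.0.7", tcp_header(22, 50000, SYN | ACK)),
    # 3) capture began mid-stream; no handshake packets at all
    ("10.0.0.8", "10.0.0.9", tcp_header(8080, 8081, PSH | ACK)),
    ("10.0.0.9", "10.0.0.8", tcp_header(8081, 8080, ACK)),
]

if __name__ == "__main__":
    for key, direction in find_initiators(SAMPLE).items():
        print(key, "->", direction if direction else "unknown (no SYN or SYN+ACK seen)")
```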