Wireshark-users: Re: [Wireshark-users] Track a packet in source & destination end sniffer capture

From: samarjit das <samar.jeet82@xxxxxxxxx>
Date: Thu, 1 Sep 2011 15:34:00 +0530
Hi
 
No NAT is being done, and there is neither load balancing nor a firewall in the path.


 
On Thu, Sep 1, 2011 at 3:15 PM, Sake Blok <sake@xxxxxxxxxx> wrote:
On 1 sep 2011, at 11:14, samarjit das wrote:

> I have taken sniffer captures at both ends (source & destination) of the communication, but how can I track a single packet on both sides of the capture? Is there any unique # tagged into the packet from which it can be identified that this is the packet reaching the destination-side capture which was sent by the source?

That depends on the devices that are in the path. Is there NAT being done or loadbalancing or maybe a firewall with some sanitization?

Things you might be able to match packets by:

- src-ip,dst-ip,tcp-srcport,tcp-dstport,tcp-sequence tuple (of course a quick search on the tcp sequence number also works most of the time)
- src-ip,dst-ip,ip-id tuple (a search on ip-id will also work, but might give you quite a few false positives as it is a 16-bit value)
- Some part of the payload data may be good to search for

The right-click option "copy as filter" comes in handy in these cases, combined with "Find packet (the display filter option)"

Good luck,
Cheers,

Sake
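
The matching keys listed above, combined into one correlation pass over two captures. This is an added example, not part of the original messages: the function names, addresses, ports and packet bytes are constructed for illustration, and it assumes the no-NAT path described in the thread.

```python
import socket
import struct

def build_pkt(src, dst, ip_id, seq, ttl, sport=49152, dport=443):
    """Constructed IPv4+TCP header bytes for the sample data (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def match_key(pkt):
    """Fields unchanged end to end when there is no NAT; TTL is excluded
    because every router hop decrements it."""
    ihl = (pkt[0] & 0x0F) * 4
    (ip_id,) = struct.unpack_from("!H", pkt, 4)
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if pkt[9] != 6:  # not TCP: only the src-ip, dst-ip, ip-id tuple is left
        return (src, dst, ip_id)
    sport, dport, seq = struct.unpack_from("!HHI", pkt, ihl)
    return (src, dst, ip_id, sport, dport, seq)

def correlate(src_capture, dst_capture):
    """Captures are lists of (timestamp, packet_bytes). Returns (matches, lost):
    matches holds (src_index, dst_index, delay), lost holds src indexes never seen."""
    arrivals = {}
    for j, (ts, pkt) in enumerate(dst_capture):
        arrivals.setdefault(match_key(pkt), []).append((j, ts))
    matches, lost = [], []
    for i, (ts, pkt) in enumerate(src_capture):
        hits = arrivals.get(match_key(pkt))
        if hits:
            j, ts_dst = hits.pop(0)  # consume, so a duplicate key is not matched twice
            matches.append((i, j, ts_dst - ts))  # only meaningful with synced clocks
        else:
            lost.append(i)
    return matches, lost

# Constructed sample: segment seq=1100 is lost once, then retransmitted with a new IP ID.
A, B = "192.0.2.10", "198.51.100.20"
SRC_CAPTURE = [(10.0, build_pkt(A, B, 0x1A2B, 1000, ttl=64)),
               (10.5, build_pkt(A, B, 0x1A2C, 1100, ttl=64)),
               (11.0, build_pkt(A, B, 0x1A2D, 1100, ttl=64))]
DST_CAPTURE = [(10.25, build_pkt(A, B, 0x1A2B, 1000, ttl=61)),
               (11.25, build_pkt(A, B, 0x1A2D, 1100, ttl=61))]

if __name__ == "__main__":
    print(correlate(SRC_CAPTURE, DST_CAPTURE))
```

Indexes are 0-based positions in each list, not Wireshark frame numbers. Keeping the IP ID in the key alongside the TCP sequence number is what separates the lost original from its retransmission.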
