Hi,
I am trying to trace a packet between two computers. I was wondering if it is possible to capture packets between two servers, start communication between the servers and then look for specific packets on both ends. My question is how to find that specific packet. What kind of filter needs to be used?
I have tried to use tcp.seq filter but it does not return any results on the second computer.
Does anyone know of a filter that can be applied to find the exact same packet on both sides?
The tcp.seq is relative to each trace. It won’t be the same on both traces.
Try with ‘tcp.port==[portnumber]’
Each endpoint will use the same port during a specific TCP conversation.
For example, in the following trace, the TCP conversation is going from port 60080 from one endpoint to port 1080 on the other. If you employ the filter “tcp.port==60080” on both traces, you’ll find the same conversation between the 2 hosts on both traces.
No. Time Source Destination Protocol Length Info
50 3.640698 10.0.20.41 proxy TCP 68 60080→1080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
51 3.640709 proxy 10.0.20.41 TCP 68 1080→60080 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=4
52 3.641044 10.0.20.41 proxy TCP 62 60080→1080 [ACK] Seq=1 Ack=1 Win=65536 Len=0
76 3.645226 10.0.20.41 proxy HTTP 273 CONNECT www.google.ca:443 HTTP/1.1
77 3.645236 proxy 10.0.20.41 TCP 56 1080→60080 [ACK] Seq=1 Ack=218 Win=14600 Len=0
92 3.656335 proxy 10.0.20.41 HTTP 95 HTTP/1.0 200 Connection established
94 3.657284 10.0.20.41 proxy TLSv1.2 573 Client Hello
98 3.666668 proxy 10.0.20.41 TLSv1.2 209 Server Hello, Change Cipher Spec, Hello Request, Hello Request
104 3.668500 10.0.20.41 proxy TLSv1.2 272 Change Cipher Spec, Hello Request, Hello Request, Hello Request, Hello Request
113 3.676960 proxy 10.0.20.41 TLSv1.2 154 Application Data, Application Data
142 3.880529 10.0.20.41 proxy TCP 62 60080→1080 [ACK] Seq=951 Ack=291 Win=65280 Len=0
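The answer above matches the conversation by port; the packet-level version of the same idea is to compare fields that are identical on both sides of the link (IP pair, port pair, raw sequence and acknowledgement numbers, flags, payload) rather than the relative sequence numbers Wireshark displays. The script below is an added example written for this thread, not code from the answerer or from Wireshark. It carries its own minimal pcap writer and reader, constructs two small captures that mirror the handshake and CONNECT request in the trace (10.0.20.5 standing in for the host the trace calls "proxy", with made-up absolute sequence numbers and timestamps), pairs each packet in the client-side capture with the same packet in the proxy-side capture, reports which packets were seen on one side only (a retransmission in the sample), and prints a Wireshark display filter that isolates each matched packet in either trace.

```python
"""Added example: match the same TCP packets across two captures.

Relative sequence numbers are a display convenience, so the two traces are
matched on fields that do not change between sender and receiver. Minimal
pcap reader/writer written for this example; no third-party library needed.
"""
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def inet(addr):
    return bytes(int(x) for x in addr.split("."))


def build_tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b"", ttl=64):
    """Ethernet + IPv4 + TCP frame. Checksums are left zero; the parser does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0, inet(src), inet(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """frames: list of (timestamp in seconds, raw Ethernet frame) -> classic pcap bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_tcp(frame):
    """Return the TCP fields of an IPv4/TCP Ethernet frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    t = 14 + ihl
    sport, dport, seq, ack, doff, flags = struct.unpack_from("!HHIIBB", frame, t)
    return {
        "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "ttl": frame[22],  # changes per hop, so it is deliberately NOT part of the match key
        "payload": bytes(frame[t + (doff >> 4) * 4: 14 + total_len]),
    }


def parse_pcap(data):
    """Return [(timestamp, tcp_fields), ...] for every TCP packet in a classic pcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == PCAP_MAGIC else ">"
    off, packets = 24, []
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        fields = parse_tcp(data[off:off + caplen])
        off += caplen
        if fields:
            packets.append((sec + usec / 1_000_000, fields))
    return packets


def packet_key(p):
    """Everything in this tuple is identical on both ends of the link."""
    return (p["src"], p["dst"], p["sport"], p["dport"], p["seq"], p["ack"],
            p["flags"], hashlib.sha256(p["payload"]).hexdigest())


def display_filter(p):
    """Wireshark filter isolating this packet in either trace (tcp.seq_raw needs Wireshark 3.0+)."""
    return (f"ip.addr=={p['src']} && ip.addr=={p['dst']} && tcp.port=={p['sport']} "
            f"&& tcp.port=={p['dport']} && tcp.seq_raw=={p['seq']}")


def match_captures(pcap_a, pcap_b):
    """Pair each packet of capture A with the same packet in capture B.

    Returns (matched, only_a, only_b); matched holds (index_a, index_b, ts_b - ts_a),
    and the delay is only meaningful if both capture clocks are synchronised.
    """
    a, b = parse_pcap(pcap_a), parse_pcap(pcap_b)
    index_b = {}
    for j, (_, p) in enumerate(b):
        index_b.setdefault(packet_key(p), []).append(j)
    matched, only_a = [], []
    for i, (ts_a, p) in enumerate(a):
        candidates = index_b.get(packet_key(p))
        if candidates:  # duplicates (retransmissions) pair up in capture order
            j = candidates.pop(0)
            matched.append((i, j, round(b[j][0] - ts_a, 6)))
        else:
            only_a.append(i)
    seen_b = {j for _, j, _ in matched}
    return matched, only_a, [j for j in range(len(b)) if j not in seen_b]


# Constructed sample: the handshake and CONNECT request from the thread with made-up
# absolute sequence numbers; 10.0.20.5 stands in for the host the trace calls "proxy".
CLIENT, PROXY, C0, S0 = "10.0.20.41", "10.0.20.5", 1000000, 5000000
SYN, ACK, PSH = 0x02, 0x10, 0x08
REQ = b"CONNECT www.google.ca:443 HTTP/1.1\r\n\r\n"
syn = build_tcp_frame(CLIENT, PROXY, 60080, 1080, C0, 0, SYN)
syn_ack = build_tcp_frame(PROXY, CLIENT, 1080, 60080, S0, C0 + 1, SYN | ACK)
hs_ack = build_tcp_frame(CLIENT, PROXY, 60080, 1080, C0 + 1, S0 + 1, ACK)
req = build_tcp_frame(CLIENT, PROXY, 60080, 1080, C0 + 1, S0 + 1, PSH | ACK, REQ)
req_ack = build_tcp_frame(PROXY, CLIENT, 1080, 60080, S0 + 1, C0 + 1 + len(REQ), ACK)
# Client side sends the request twice (retransmission); the proxy side sees each packet
# once, roughly 100 microseconds after the client side for client-originated packets.
CLIENT_PCAP = build_pcap([(3.640698, syn), (3.640909, syn_ack), (3.641044, hs_ack),
                          (3.645226, req), (3.845226, req), (3.845436, req_ack)])
PROXY_PCAP = build_pcap([(3.640798, syn), (3.640809, syn_ack), (3.641144, hs_ack),
                         (3.845326, req), (3.845336, req_ack)])

if __name__ == "__main__":
    matched, only_a, only_b = match_captures(CLIENT_PCAP, PROXY_PCAP)
    client_side = parse_pcap(CLIENT_PCAP)
    for i, j, delay in matched:
        print(f"client #{i} == proxy #{j}  {delay * 1e6:+.0f} us  {display_filter(client_side[i][1])}")
    print("only in client capture:", only_a, " only in proxy capture:", only_b)
```

On real files, replace the constructed `CLIENT_PCAP` / `PROXY_PCAP` bytes with `open(path, "rb").read()` of a capture saved in classic pcap format (not pcapng), and note that the key deliberately leaves out TTL and IP checksum, which routers rewrite; if a NAT sits between the two capture points the IP pair and ports in the key would need to be mapped as well.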