Wireshark · Ethereal-dev: Re: [Ethereal-dev] Re: Conversation list -> incorrect TCP connectiondirection

["Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>]

No,

In TCP conversation we do not always know who initiates the tcp session
so we cant rely on that.

It essentially picks EP1 as the enpoint with the largest port number.
And if the source/dest ports are equal, it will compare the ip addresses.

Since clients very often pick a random port with a high value
and since servers listening on a well known port usually picks a very small
port number
this means the probability is reasonably high that we get the Client as EP1
adn the server as EP2

This works for UDP as well.


Other protocols have similar "algorithms" for deciding what is EP1 and what
is EP2.


----- Original Message ----- 
From: "Jean-Baptiste Marchand"
Sent: Sunday, April 18, 2004 7:53 AM
Subject: [Ethereal-dev] Re: Conversation list -> incorrect TCP
connectiondirection


> * Jean-Baptiste Marchand
>
> > I though that in the TCP conversation, EP1 was supposed to represent the
> > source address and EP2 the destination address (i.e, EP1 is the host
> > that connects to EP2) but in the attached capture, that's not the case?
>
> Well, I think I've understood why...
>
> It seems that we decide to name EP1 the host that sends more bytes and
> EP2, the host that receives less bytes.
>
> I suppose I need to understand the difference between a TCP connection
> and a TCP conversation :)
>
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev