Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: [Wireshark-users] How source and destination is identified in Wireshark?

From: Berkay Celik <argusflow@xxxxxxxxx>
Date: Mon, 24 Jan 2011 22:31:47 -0500

If there is a syn bit set seen from an endpoint, this is the source. I am curious about if wireshark defines in some other ways or only the syn bit is enough to identify the source and destination? Secondly,

if my traces has are partial conversations, not any syn bit is seen, which one is the source and destination? port numbers can be used to determine them but what if both port numbers makes sense. server uses 80 and the client uses a port number let say something more than 1024 but it's also possible for servers to give services from that port number as a kind of database queries.

Thanks