On Wednesday 27 August 2008 11:52:18 Christoph Biedl wrote:
> Package: wireshark
> Version: 1.0.2-3
> Severity: normal
>
> "TCP Port numbers reused" happens every now and then, especially if
> the capture is run over a longer time and the client OS does not use a
> wide range of local ports.
>
> Now I noticed that at least for HTTP the extremely useful "Follow TCP
> stream" function ignores all data in the second TCP stream. This
> hides potentially interesting data.

I'd expect this behavior, as these are indeed 2 unrelated TCP streams that
just happen to use the same ports "by accident". The operation is called
"Follow TCP stream", not "Follow TCP streams" ;-)

Joost

> How to repeat
> -------------
>
> Use the following Perl script that does two HTTP GET requests using the
> same local port number. Insert a web server in the $host variable,
> and capture the traffic.
>
> -----------------------------------------------------------
> #!/usr/bin/perl -w
>
> use IO::Socket;
>
> use strict;
>
> my $host = 'a.web.server';
>
> for my $i (1..2) {
>     my $sock = new IO::Socket::INET (
>         PeerAddr => $host,
>         PeerPort => 80,
>         Proto => 'tcp',
>         LocalPort => 9999,
>         ReuseAddr => 1,
>     ) || die ("Cannot create socket: $!.\n");
>
>     print $sock
>         "GET / HTTP/1.0\r\n" .
>         "Host: $host\r\n" .
>         "X-Round: $i\r\n" .
>         "\r\n";
>     while (defined (my $line = <$sock>)) {
>         ;
>     }
>     undef $sock;
>     last if ($i == 2);
>     sleep (1);
> }
> exit 0;
> -----------------------------------------------------------
>
> Open the capture file in wireshark and select "Follow TCP stream".
>
> Expected behaviour: wireshark shows both request/response pairs.
>
> Seen behaviour: wireshark always only shows the first pair, identified
> by the "X-Round: 1" header. Selecting a packet of the second pair
> before doing the "Follow TCP stream" does not help.
>
> -- System Information:
> Debian Release: lenny/sid
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages wireshark depends on:
> ii  libadns1          1.4-0.1             Asynchronous-capable DNS client li
> ii  libatk1.0-0       1.22.0-1            The ATK accessibility toolkit
> ii  libc6             2.7-13              GNU C Library: Shared libraries
> ii  libcairo2         1.6.4-6             The Cairo 2D vector graphics libra
> ii  libcomerr2        1.41.0-3            common error description library
> ii  libgcrypt11       1.4.1-1             LGPL Crypto library - runtime libr
> ii  libglib2.0-0      2.16.4-2            The GLib library of C routines
> ii  libgnutls26       2.4.1-1             the GNU TLS library - runtime libr
> ii  libgtk2.0-0       2.12.11-3           The GTK+ graphical user interface
> ii  libkrb53          1.6.dfsg.4~beta1-3  MIT Kerberos runtime libraries
> ii  libpango1.0-0     1.20.5-1            Layout and rendering of internatio
> ii  libpcap0.8        0.9.8-5             system interface for user-level pa
> ii  libpcre3          7.6-2.1             Perl 5 Compatible Regular Expressi
> ii  libportaudio2     19+svn20071022-2    Portable audio I/O - shared librar
> ii  wireshark-common  1.0.2-3             network traffic analyser (common f
> ii  zlib1g            1:1.2.3.3.dfsg-12   compression library - runtime
>
> Versions of packages wireshark recommends:
> ii  gksu              2.0.0-5             graphical frontend to su
>
> wireshark suggests no packages.
>
> -- no debconf information

--
homepage: http://damad.be/joost
photo/blog: http://damad.be/joost/blog
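
The distinction discussed in this thread, as an added example that is not part of the original messages and is not Wireshark's code: grouping packets by address/port 4-tuple alone merges both connections from the reproducer, while opening a new stream on a SYN with a different initial sequence number keeps them apart. The packet tuples, addresses and sequence numbers are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample packets: (src, sport, dst, dport, flags, seq, payload).
# Addresses and sequence numbers are made up; local port 9999 is reused,
# as in the Perl reproducer quoted in the thread.
C, S = "192.0.2.10", "198.51.100.5"
PACKETS = [
    (C, 9999, S, 80, "S", 1000, b""),
    (S, 80, C, 9999, "SA", 5000, b""),
    (C, 9999, S, 80, "PA", 1001, b"GET / HTTP/1.0\r\nX-Round: 1\r\n\r\n"),
    (S, 80, C, 9999, "PA", 5001, b"HTTP/1.0 200 OK\r\n\r\n"),
    (C, 9999, S, 80, "FA", 1031, b""),
    (S, 80, C, 9999, "FA", 5020, b""),
    (C, 9999, S, 80, "S", 77000, b""),    # same 4-tuple, new ISN: port reused
    (C, 9999, S, 80, "S", 77000, b""),    # retransmitted SYN, same ISN
    (S, 80, C, 9999, "SA", 91000, b""),
    (C, 9999, S, 80, "PA", 77001, b"GET / HTTP/1.0\r\nX-Round: 2\r\n\r\n"),
    (S, 80, C, 9999, "PA", 91001, b"HTTP/1.0 200 OK\r\n\r\n"),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key for the address/port 4-tuple."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def by_tuple_only(packets):
    """Naive grouping: every packet on the same 4-tuple is one stream."""
    streams = {}
    for src, sport, dst, dport, _flags, _seq, payload in packets:
        streams.setdefault(flow_key(src, sport, dst, dport), []).append(payload)
    return [b"".join(parts) for parts in streams.values()]

def split_on_new_syn(packets):
    """Start a new stream when a pure SYN arrives with a different ISN."""
    streams = []     # one bytes object per connection, in capture order
    current = {}     # flow key -> (index into streams, ISN of opening SYN)
    for src, sport, dst, dport, flags, seq, payload in packets:
        key = flow_key(src, sport, dst, dport)
        is_syn = "S" in flags and "A" not in flags
        # A SYN repeating the recorded ISN is a retransmission, not a new
        # connection; a capture that starts mid-stream gets ISN None.
        if key not in current or (is_syn and current[key][1] != seq):
            current[key] = (len(streams), seq if is_syn else None)
            streams.append(b"")
        streams[current[key][0]] += payload
    return streams
```

When reviewing a long capture, the second form makes it possible to list every connection that shared a port pair instead of only the first one.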