I have a sample tcpdump. How do I identify which packets belong to which TCP connection? I know in this case there are two connections (between the same source and destination), well separated by time, but how would one identify them when we can't distinguish based on time? I read somewhere I can use the tcp.stream value to identify packets of the same connection, but I can't seem to get it printed. Maybe I am missing some tcpdump filter.
usc430tb@client:~$ sudo tcpdump -nn -i eth1 tcp and host server
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
04:19:30.105947 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [S], seq 3941923648, win 64240, options [mss 1460,sackOK,TS val 4040159679 ecr 0,nop,wscale 7], length 0
04:19:30.106238 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [S.], seq 3066551855, ack 3941923649, win 65160, options [mss 1460,sackOK,TS val 343847781 ecr 4040159679,nop,wscale 7], length 0
04:19:30.106299 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 4040159679 ecr 343847781], length 0
04:19:30.106475 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [P.], seq 1:71, ack 1, win 502, options [nop,nop,TS val 4040159679 ecr 343847781], length 70: HTTP: GET / HTTP/1.1
04:19:30.106735 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [.], ack 71, win 509, options [nop,nop,TS val 343847781 ecr 4040159679], length 0
04:19:30.107237 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [.], seq 1:2897, ack 71, win 509, options [nop,nop,TS val 343847782 ecr 4040159679], length 2896: HTTP: HTTP/1.1 200 OK
04:19:30.107251 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [.], ack 2897, win 496, options [nop,nop,TS val 4040159680 ecr 343847782], length 0
04:19:30.107287 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [.], seq 2897:5793, ack 71, win 509, options [nop,nop,TS val 343847782 ecr 4040159679], length 2896: HTTP
04:19:30.107303 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [.], ack 5793, win 481, options [nop,nop,TS val 4040159680 ecr 343847782], length 0
04:19:30.107338 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [P.], seq 5793:11174, ack 71, win 509, options [nop,nop,TS val 343847782 ecr 4040159679], length 5381: HTTP
04:19:30.107352 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [.], ack 11174, win 481, options [nop,nop,TS val 4040159680 ecr 343847782], length 0
04:19:30.108948 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [F.], seq 71, ack 11174, win 501, options [nop,nop,TS val 4040159682 ecr 343847782], length 0
04:19:30.109436 IP 5.6.7.8.80 > 1.1.2.3.37572: Flags [F.], seq 11174, ack 72, win 509, options [nop,nop,TS val 343847784 ecr 4040159682], length 0
04:19:30.109467 IP 1.1.2.3.37572 > 5.6.7.8.80: Flags [.], ack 11175, win 501, options [nop,nop,TS val 4040159682 ecr 343847784], length 0
04:22:36.733297 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [S], seq 3284054345, win 64240, options [mss 1460,sackOK,TS val 4040346308 ecr 0,nop,wscale 7], length 0
04:22:36.733604 IP 5.6.7.8.80 > 1.1.2.3.37574: Flags [S.], seq 4201800729, ack 3284054346, win 65160, options [mss 1460,sackOK,TS val 344034404 ecr 4040346308,nop,wscale 7], length 0
04:22:36.733672 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 4040346308 ecr 344034404], length 0
04:22:36.733913 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [P.], seq 1:71, ack 1, win 502, options [nop,nop,TS val 4040346309 ecr 344034404], length 70: HTTP: GET / HTTP/1.1
04:22:36.734149 IP 5.6.7.8.80 > 1.1.2.3.37574: Flags [.], ack 71, win 509, options [nop,nop,TS val 344034405 ecr 4040346309], length 0
04:22:36.734653 IP 5.6.7.8.80 > 1.1.2.3.37574: Flags [.], seq 1:2897, ack 71, win 509, options [nop,nop,TS val 344034406 ecr 4040346309], length 2896: HTTP: HTTP/1.1 200 OK
04:22:36.734671 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [.], ack 2897, win 496, options [nop,nop,TS val 4040346309 ecr 344034406], length 0
04:22:36.734701 IP 5.6.7.8.80 > 1.1.2.3.37574: Flags [.], seq 2897:5793, ack 71, win 509, options [nop,nop,TS val 344034406 ecr 4040346309], length 2896: HTTP
04:22:36.734717 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [.], ack 5793, win 481, options [nop,nop,TS val 4040346309 ecr 344034406], length 0
04:22:36.734752 IP 5.6.7.8.80 > 1.1.2.3.37574: Flags [P.], seq 5793:11174, ack 71, win 509, options [nop,nop,TS val 344034406 ecr 4040346309], length 5381: HTTP
04:22:36.734765 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [.], ack 11174, win 451, options [nop,nop,TS val 4040346309 ecr 344034406], length 0
04:22:36.739626 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [F.], seq 71, ack 11174, win 501, options [nop,nop,TS val 4040346314 ecr 344034406], length 0
04:22:36.740045 IP 5.6.7.8.80 > 1.1.2.3.37574: Flags [F.], seq 11174, ack 72, win 509, options [nop,nop,TS val 344034411 ecr 4040346314], length 0
04:22:36.740074 IP 1.1.2.3.37574 > 5.6.7.8.80: Flags [.], ack 11175, win 501, options [nop,nop,TS val 4040346315 ecr 344034411], length 0
Every TCP/IP connection is uniquely identified by the set (src-ip-addr; src-port; dest-ip-addr; dest-port) at any given time. In your example, those connections are (1.1.2.3; 37574; 5.6.7.8; 80) and (1.1.2.3; 37572; 5.6.7.8; 80). Those two differ by src-port: 37574 vs. 37572.

If I read the man page examples correctly, you can filter port 37574 using `tcpdump ... port 37574`.
Edit: Addressing a follow-up question (can the src port repeat over time?):

The ports can for sure repeat over time. A reliable way of detecting that is looking just for SYN packets (in the dump: `... Flags [S] ...`), as this is how a new TCP connection is established. From the very same man page, I can recommend `tcpdump ... 'tcp[tcpflags] & (tcp-syn) != 0'`.

For a better understanding of TCP states, see the TCP state diagram on Wikipedia or search for "TCP state machine" on the internet.