Wireshark-users: Re: [Wireshark-users] Track a packet in source & destination end sniffer capture
From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 1 Sep 2011 11:45:40 +0200
On 1 sep 2011, at 11:14, samarjit das wrote:

> I have taken sniffer capture at both ends (source & destination) of communication, but how can I track a single packet at both sides of capture? Is there any unique # tagged into the packet from which it can be identified that this is the packet reaching the destination side capture which was sent by source?

That depends on the devices that are in the path. Is there NAT being done or load balancing or maybe a firewall with some sanitization?

Things you might be able to match packets by:

- src-ip,dst-ip,tcp-srcport,tcp-dstport,tcp-sequence tuple (of course a quick search on the tcp sequence number also works most of the time)
- src-ip,dst-ip,ip-id tuple (a search on ip-id will also work, but might give you quite a few false positives as it is a 16-bit value)
- Some part of the payload data may be good to search for

The right-click option "copy as filter" comes in handy in these cases, combined with "Find packet (the display filter option)".

Good luck,
Cheers,

Sake
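
Added example, not part of the original message: a Python sketch that pairs packets from two captures using the three keys listed above, trying the TCP tuple first, then the ip-id tuple, then the payload. It assumes each packet is available as raw IPv4 bytes without the link-layer header; the addresses, ports, packets and the names `build`, `keys_for` and `match_captures` are constructed for illustration.

```python
import struct
from collections import defaultdict

def build(src, dst, ip_id, sport, dport, seq, payload):
    """Build a minimal IPv4+TCP packet (checksums left zero): constructed sample input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id, 0,
                     64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
    return ip + tcp + payload

def keys_for(raw):
    """Extract the match keys named in the post from one raw IPv4 packet."""
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, ip_id = struct.unpack("!HH", raw[2:6])
    src, dst = raw[12:16], raw[16:20]
    keys = {"ipid": (src, dst, ip_id)}
    if raw[9] == 6:                                # protocol 6 = TCP
        sport, dport, seq = struct.unpack("!HHI", raw[ihl:ihl + 8])
        data = raw[ihl + (raw[ihl + 12] >> 4) * 4:total_len]  # drops trailing padding
        keys["tcp"] = (src, dst, sport, dport, seq)
        if data:                                   # empty payloads are not a useful key
            keys["payload"] = data
    return keys

def match_captures(cap_a, cap_b):
    """For each packet in cap_a return (index_a, key_used, candidate indexes in cap_b)."""
    index = defaultdict(list)
    for j, raw in enumerate(cap_b):
        for kind, key in keys_for(raw).items():
            index[kind, key].append(j)
    out = []
    for i, raw in enumerate(cap_a):
        keys = keys_for(raw)
        for kind in ("tcp", "ipid", "payload"):    # most specific key first
            hits = index.get((kind, keys.get(kind)), [])
            if hits:
                out.append((i, kind, hits))
                break
        else:
            out.append((i, None, []))              # nothing in cap_b matched
    return out

A, B, NAT = (192, 0, 2, 1), (198, 51, 100, 7), (203, 0, 113, 5)  # constructed addresses
CAP_A = [build(A, B, 0x1A2B, 40000, 80, 1000, b"GET /a HTTP/1.1\r\n"),
         build(A, B, 0x1A2C, 40000, 80, 1017, b"Host: example\r\n")]
CAP_B_PLAIN = list(reversed(CAP_A))  # same packets, different position in the file
CAP_B_NAT = [build(NAT, B, 0x0001, 51000, 80, 1000, b"GET /a HTTP/1.1\r\n"),
             build(NAT, B, 0x0002, 51000, 80, 1017, b"Host: example\r\n")]
```

With `CAP_B_NAT`, where the source address and port were rewritten in the path, both tuple keys miss and only the payload key pairs the packets. More than one candidate index for a packet means the key is not unique in that capture, for example a retransmission or an ip-id collision.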