Wireshark mailing list archives
Re: local IPs from pcap file
From: Chris Maynard <Chris.Maynard () gtech com>
Date: Fri, 28 May 2010 19:12:23 +0000 (UTC)
Andrej van der Zee <andrejvanderzee@...> writes:
I was wondering if there is any way to deduct the local IPs from TCP/IP packets in pcap files?
Another possible way to deduce the IP address of the local machine is if you look for packets with a frame size less than the link layer minimum size, i.e., for Ethernet, "frame.len < 60".

For example, if you browse to a website, you might see some TCP ACKs with a frame length of 54 bytes, but this is because Wireshark is capturing the packet before the Ethernet padding is added. TCP ACKs coming from the other direction would be 60 bytes. In reality they are both 60 bytes on the wire. (All this assumes a default IP header size of 20 bytes, of course.)

Note that this technique works for other protocols too. Take, for example, ICMP. If you send an ICMP echo request (ping) from host A to host B with a size of 1 byte over an Ethernet interface, and you are capturing with Wireshark on host A, Wireshark will tell you the frame size of the ICMP echo request is 43 bytes, but the ICMP echo reply will be 60 bytes. This is one way to artificially "inject" some knowledge into the capture file as to which host was capturing the packets at the time the capture was taken.

- Chris
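The frame-length heuristic from the message above, as an added example that is not part of the original post: it walks a classic pcap file with Ethernet link type and counts the IPv4 source address of every frame whose recorded length is under 60 bytes. The function names and the sample capture (documentation-range addresses, zeroed checksums) are constructed for illustration.

```python
import collections
import socket
import struct

ETH_MIN = 60  # minimum Ethernet frame length on the wire, excluding the FCS
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap

def local_ip_candidates(pcap_bytes):
    """Count IPv4 source addresses of frames shorter than ETH_MIN."""
    endian = MAGIC.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts = collections.Counter()
    off = 24  # size of the pcap global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII",
                                                 pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # orig_len is what Wireshark shows as frame.len; unpadded frames were
        # captured on the sending host before the padding was added.
        if orig_len < ETH_MIN and len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            counts[socket.inet_ntoa(frame[26:30])] += 1  # IPv4 source address
    return counts

def _frame(src, dst, l4_len, padded):
    """Constructed Ethernet+IPv4 frame carrying l4_len zero bytes."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    raw = eth + ip + bytes(l4_len)
    return raw.ljust(ETH_MIN, b"\0") if padded else raw

def sample_pcap():
    """Constructed capture: two unpadded outbound frames, one padded reply."""
    frames = [_frame("192.0.2.10", "198.51.100.5", 20, False),  # 54-byte ACK
              _frame("198.51.100.5", "192.0.2.10", 20, True),   # 60-byte ACK
              _frame("192.0.2.10", "198.51.100.5", 9, False)]   # 43 bytes
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(local_ip_candidates(sample_pcap()).most_common())
```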