tcpdump mailing list archives

Re: deduct local IPs from pcap-files, possible?


From: Arien Vijn <arien.vijn () ams-ix net>
Date: Thu, 20 May 2010 08:53:01 +0200


Hi Andrej,

On 20 May 2010, at 04:05, Andrej van der Zee wrote:

> Hi,
>
> Sorry for asking again, but I got no useful answer last time. Hopefully more
> luck this time...
>
> I receive many pcap-files from our clients. Now I am constructing an
> algorithm using libpcap that deducts time differences between the servers by
> matching packets on both ends of the connection and comparing timestamps
> (neglecting latencies). Every server produces one pcap-file that listens to
> all interfaces of the local machine. I found a way to calculate the time
> differences between the IPs, but I cannot tell if a particular server is
> ahead or behind in time. To be able to do this, I need to deduct the local
> IPs that belong to the server that produced the pcap-file. The "problem" is
> that on a particular server all incoming and outgoing packets are sniffed,
> hence the local IPs will appear as "src" and "dst" in the IP-packets. I am
> looking for a way to deduct the local IPs anyway, but need a push in the
> right direction (if it is possible at all).

I guess you can look at the MAC addresses. The MAC address that is in all frames is the address of the NIC from which that file was generated. The corresponding IP address(es) is/are the IP address(es) of that server. If you are sure that all NICs have only one IP address configured and no addresses can be spoofed, then you can do the same for IP addresses.

Perhaps you don't need to parse all frames; it might even be enough to parse frames until you have a frame with the same source and destination address.

If the server communicates with one other MAC/IP address, then the method above won't work.

At any rate, there is no header that contains the local address. Hence you have to resort to heuristics.

-- Arien
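A worked example of the MAC-address heuristic Arien describes, added here and not part of the original thread: a stdlib-only Python parser for classic pcap files that keeps the MAC(s) present in every frame and collects the IPs seen on them. The capture bytes are constructed inline (not real traffic); a result with more than one MAC is the single-peer case Arien warns about.

```python
import struct
import ipaddress

def parse_frames(data):
    """Yield (src_mac, dst_mac, src_ip, dst_ip) for every Ethernet/IPv4 frame of a classic pcap file."""
    endian = {b'\xd4\xc3\xb2\xa1': '<', b'\xa1\xb2\xc3\xd4': '>'}.get(data[:4])
    if endian is None or len(data) < 24 or struct.unpack(endian + 'I', data[20:24])[0] != 1:
        raise ValueError('expected a classic pcap file with Ethernet link type (DLT_EN10MB = 1)')
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + 'I', data[off + 8:off + 12])[0]  # record header: ts_sec, ts_usec, incl_len, orig_len
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 34 and frame[12:14] == b'\x08\x00':  # untagged IPv4 only; VLAN/IPv6 frames are skipped
            yield frame[6:12], frame[0:6], frame[26:30], frame[30:34]

def local_addresses(data):
    """MACs that appear (as source or destination) in *every* frame, plus the IPs seen on those MACs.
    More than one MAC in the result means the capture is ambiguous (e.g. only a single peer)."""
    frames = list(parse_frames(data))
    macs = set.intersection(*({s, d} for s, d, _, _ in frames)) if frames else set()
    ips = {ip for s, d, sip, dip in frames for mac, ip in ((s, sip), (d, dip)) if mac in macs}
    fmt_mac = lambda m: ':'.join(f'{b:02x}' for b in m)
    return sorted(map(fmt_mac, macs)), sorted(str(ipaddress.IPv4Address(ip)) for ip in ips)

# --- constructed sample capture (hypothetical addresses, not real traffic) ---
def _frame(src_mac, dst_mac, src_ip, dst_ip):
    """Ethernet II + bare 20-byte IPv4 header; only the address fields matter for this heuristic."""
    ip_hdr = b'\x45\x00' + struct.pack('>HHHBBH', 20, 0, 0, 64, 6, 0) + src_ip + dst_ip
    return dst_mac + src_mac + b'\x08\x00' + ip_hdr

def _pcap(frames):
    """Little-endian classic pcap: 24-byte global header, then a 16-byte record header per frame."""
    hdr = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    return hdr + b''.join(struct.pack('<IIII', 0, 0, len(f), len(f)) + f for f in frames)

SRV, PEER1, PEER2 = (bytes.fromhex(h) for h in ('0200000000aa', '0200000000bb', '0200000000cc'))
IP = lambda s: ipaddress.IPv4Address(s).packed
TWO_PEERS = _pcap([_frame(SRV, PEER1, IP('10.0.0.1'), IP('10.0.0.2')),
                   _frame(PEER1, SRV, IP('10.0.0.2'), IP('10.0.0.1')),
                   _frame(SRV, PEER2, IP('10.0.0.1'), IP('10.0.0.3')),
                   _frame(PEER2, SRV, IP('10.0.0.3'), IP('10.0.0.1'))])
ONE_PEER = _pcap([_frame(SRV, PEER1, IP('10.0.0.1'), IP('10.0.0.2')),
                  _frame(PEER1, SRV, IP('10.0.0.2'), IP('10.0.0.1'))])

if __name__ == '__main__':
    print(local_addresses(TWO_PEERS))  # one local MAC and its IP
    print(local_addresses(ONE_PEER))   # both MACs are in every frame: ambiguous
```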


-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.