Re: Multiple Comma Delimited IPs in ip.src field

[Jeff Morriss <jeff.morriss.ws () gmail com>]

On Fri, Jul 22, 2016 at 9:33 AM, tficarra <tim.ficarra () mzeal com> wrote:

> Hi,
>
> When running tshark, I occasionally see instances where fields contain
> comma delimited lists of values. For example, an ip.src field delimited
> by pipe may contain two ips: 192.168.1.1,8.8.8.8. I am not sure how to
> interpret this output.
>
> I am running tshark as follows:
>
> sudo tshark -i eth0 -l -E separator='|' -T fields -e frame.time_epoch -e
> ip.src -e ip.dst -e udp.srcport -e udp.dstport -e tcp.srcport -e
> tcp.dstport -e dns.flags.response -e dns.qry.name -e dns.flags.rcode -e
> ip.proto -e dns.resp.addr -e frame.time_delta_displayed -e ip.len -e
> tcp.flags -e eth.src -e eth.dst -e frame.len -e http.request -e
> http.response
>
>
> In some instances I receive output akin to the following:
>
> 1469188329.151229000|192.168.1.113,8.8.8.6|8.8.8.6,192.168.1.113|53|
> 39389|||1|daisy.ubuntu.com|0|1,17|162.213.33.133,162.213.33.164|
> 0.000249000|122,94||00:25:90:df:ff:52|ec:bd:1d:2d:bc:77|136

You're probably capturing some frames that have 2 IP sources in
them--usually because you've got IP-in-IP somehow.

The most common example of this would be an ICMP response where you'll have
the IP source of the node sending the ICMP as well as the IP source of the
encapsulated IP packet (the one that couldn't, for example, be delivered).
But you'll get the same behavior with any number of tunneling protocols.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe