Wireshark mailing list archives

Re: Multiple Comma Delimited IPs in ip.src field


From: Christopher Maynard <Christopher.Maynard () igt com>
Date: Tue, 26 Jul 2016 15:21:30 +0000 (UTC)

Jeff Morriss <jeff.morriss.ws@...> writes:

On Fri, Jul 22, 2016 at 9:33 AM, tficarra
<tim.ficarra-oYYqNANdrXYAvxtiuMwx3w () public gmane org> wrote:
Hi,
When running tshark, I occasionally see instances where fields contain
comma delimited lists of values. For example, an ip.src field delimited
by pipe may contain two ips: 192.168.1.1,8.8.8.8. I am not sure how to
interpret this output.
I am running tshark as follows:
sudo tshark -i eth0 -l -E separator='|' -T fields -e frame.time_epoch -e
ip.src -e ip.dst -e udp.srcport -e udp.dstport -e tcp.srcport -e
tcp.dstport -e dns.flags.response -e dns.qry.name -e dns.flags.rcode -e
ip.proto -e dns.resp.addr -e frame.time_delta_displayed -e ip.len -e
tcp.flags -e eth.src -e eth.dst -e frame.len -e http.request -e
http.response
In some instances I receive output akin to the following:
1469188329.151229000|192.168.1.113,8.8.8.6|8.8.8.6,192.168.1.113|53|
39389|||1|daisy.ubuntu.com|0|1,17|162.213.33.133,162.213.33.164|
0.000249000|122,94||00:25:90:df:ff:52|ec:bd:1d:2d:bc:77|136


You're probably capturing some frames that have 2 IP sources in
them--usually because you've got IP-in-IP somehow. The most common example of
this would be an ICMP response where you'll have the IP source of the node
sending the ICMP as well as the IP source of the encapsulated IP packet (the
one that couldn't, for example, be delivered).  But you'll get the same
behavior with any number of tunneling protocols.

Note that you can control (to some degree) which occurrence of a particular
field you want to see.  This is accomplished using "-E occurrence=f|l|a". 
So, if you only want the first occurrence, use "-E occurrence=f".

- Chris
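As an added illustration (not part of the original thread), the parser below reads a `-T fields -E separator='|'` record, splits multi-occurrence fields on the comma, and reproduces the `-E occurrence=f|l|a` selection in code. The sample record is the one quoted above, re-joined onto one line; the two trailing empty `http.*` fields, the `IP_PROTO_NAMES` table and the `describe_encapsulation` helper are this example's own additions.

```python
"""Parse tshark '-T fields -E separator=|' output in which a field may carry
several occurrences joined by commas (e.g. outer and encapsulated IP headers)."""

# Field order must mirror the -e options of the tshark command in the thread.
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "udp.srcport", "udp.dstport",
          "tcp.srcport", "tcp.dstport", "dns.flags.response", "dns.qry.name",
          "dns.flags.rcode", "ip.proto", "dns.resp.addr",
          "frame.time_delta_displayed", "ip.len", "tcp.flags", "eth.src",
          "eth.dst", "frame.len", "http.request", "http.response"]

# Record quoted in the thread, re-joined onto one line (trailing empty
# http.request/http.response fields were not shown in the post).
SAMPLE = ("1469188329.151229000|192.168.1.113,8.8.8.6|8.8.8.6,192.168.1.113|53|"
          "39389|||1|daisy.ubuntu.com|0|1,17|162.213.33.133,162.213.33.164|"
          "0.000249000|122,94||00:25:90:df:ff:52|ec:bd:1d:2d:bc:77|136")

IP_PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}   # IANA protocol numbers


def parse_record(line, fields=FIELDS, sep="|"):
    """Return {field: [occurrence, ...]}; an empty field yields an empty list."""
    values = line.rstrip("\n").split(sep)
    values += [""] * (len(fields) - len(values))   # pad trimmed trailing fields
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    return {f: (v.split(",") if v else []) for f, v in zip(fields, values)}


def occurrence(rec, field, which="f"):
    """Mimic -E occurrence=f|l|a on a parsed record: first, last or all."""
    vals = rec[field]
    if which == "a":
        return vals
    if not vals:
        return None
    return vals[0] if which == "f" else vals[-1]


def describe_encapsulation(rec):
    """For stacked IP headers, pair the outer header (first occurrence) with the
    innermost one (last occurrence). Assumes ip.src/ip.dst/ip.proto all appear
    once per IP layer, as in the sample; other fields may differ in count."""
    if len(rec["ip.src"]) < 2:
        return None                      # plain packet, nothing encapsulated
    def header(which):
        return {"src": occurrence(rec, "ip.src", which),
                "dst": occurrence(rec, "ip.dst", which),
                "proto": IP_PROTO_NAMES.get(occurrence(rec, "ip.proto", which), "?")}
    return {"layers": len(rec["ip.src"]), "outer": header("f"), "inner": header("l")}
```

For the quoted record this yields an outer ICMP header from 192.168.1.113 to 8.8.8.6 wrapping an inner UDP header from 8.8.8.6 to 192.168.1.113, matching the explanation above.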


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
