Hello All, The traffic captured is Ethernet/IP/IP It is basically a IP in IP packets. But when I viewed the captured file, I observed the Inner IP displayed in the Upper Pane of the Wireshark capture screen. I think this is a bug ... It should display outer Ip because that is important than inner IP. Please let us know if there is a way to view the packets based on outer IP. Thanks, asked 20 Nov '12, 22:26  RajaSekhar |
3 Answers:
This is not a bug. Someone else might feel the inner IP addresses are more important and thus say (wire|t)shark does a better job out-of-the-box. With (wire|t)shark you do get the possibility to view the outer IP addresses by changing adding two more columns with a custom field pointing to "ip.src" and "ip.dst" and selecting occurrence "1". Changing the columns in Wireshark will also change the displayed columns in Tshark. If Wireshark is not available on your system, you can edit wiresharks preferences file by hand to include the following line in the "gui.column.format:" preference: answered 27 Nov '12, 11:48  SYN-bit ♦♦ |
Who says it's more important than the inner IP? Anyway, Wireshark always shows the inner most of a protocol layer in the packet overview pane, apart from error packet contents. Stacked protocol presentation/filter isn't one of Wiresharks' strong points. answered 20 Nov '12, 23:30  Jaap ♦ |
Yup outer IP is nothing but external Ip that you asking for.. You can get external/WAN ip address from answered 13 Jun '13, 04:52  frozengal edited 13 Jun '13, 23:21 |
Hi, I am experiencing the same problem with tshark - tunneled packets display the inner IP-header, not the outer one. Seems that tcpdump does this better - no graphics, though. Regards, willi