This is a static archive of our old Q&A Site. Please post any new questions and answers at

I have a pcap file and I’m trying to find out the client system?


Hello, I have a pcap file and I'm trying to figure out a way to determine the operating system used by the client system? I think from the data it is a Dell machine running a Microsoft operation system but I'm not sure which(2000,XP, Vista, Window 7, etc).

Also, how do I determine the client’s IP address and MAC address?

asked 29 Jan '11, 09:57

gamer5k's gravatar image

accept rate: 0%

2 Answers:


Try to find an HTTP request if you can, those usually have OS information fields in their headers like this:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

This one would be from a Windows XP machine, because "Windows NT 5.1" is Windows XP, while "5.0" would be Windows 2000, "6.0" is Vista, "6.1" is Windows 7.

Regarding client IP and MAC: this might be a bit more difficult to determine depending on where the capture was taken - you might not be able to see the MAC address at all if it hidden behind a router. Usually the client is the one where the connection is established from, so look for which machine has the most SYN packets send out by filtering on tcp.flags=0x02 and then looking at Statistics/Conversations/TCP. One of them might be the client you're looking for, often the one with the most connections.

answered 30 Jan '11, 05:34

Jasper's gravatar image

Jasper ♦♦
accept rate: 18%

Hello, i did this and now i have 1820 TCP connections. How can i filter these?

Or should i open them one for one and examine?

(01 Jan '14, 23:20) kweerd63


Try to find a smb session setup request, use filter: smb.cmd == 0x73
In the smb session request you'll find the field Native OS: smb.native_os
more details found on msdn Session Setup andX, Client Details
This only valid with smb/cifs

answered 01 Feb '11, 07:28

melsvizzer's gravatar image

accept rate: 0%

Thank you Melsvizzer. You save my time :)

(07 Apr '16, 03:26) ho minh dat