This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ip of machine where wireshark is running

0

Hi Friends, can we find out the IP address/MAC address of the capture device by looking at the capture file? Sometimes a vendor provides us with a capture file and, by looking into it, is there a way we can find out on which IP/MAC that capture was taken?

asked 20 May '13, 03:59


kishan pandey
accept rate: 28%


2 Answers:

2

Can we find out ip add./mac-add of capture device by looking at capture file.

Usually no, if the capture was done in the right way. Reason: network capturing should be a passive process, and the capture machine will not leave any information about itself in the capture file, with these exceptions:

  • Your capturing device sends some traffic into the network (DNS lookups, broadcasts, etc.) on the same interface on which you captured the traffic. However, there is no reliable way to distinguish this traffic from other traffic on the network. It could be a relation between the IP addresses in the capture file and the DNS requests. It could be something with the checksums (IP, TCP), or anything else. But none of that is really reliable.
  • Your capturing device added some information about its capturing interface into a pcapng option block. See Statistics -> Comments Summary for a first idea.

Regards
Kurt

answered 20 May '13, 06:23


Kurt Knochner ♦
accept rate: 15%

Agree with you, thanks for replying.

(20 May '13, 08:35) kishan pandey

4

As Kurt said, there is no guaranteed way to determine this, but here are a couple of things you can try:

  1. Look for frames smaller than 60 bytes. The minimum Ethernet frame size is 64 bytes. If a frame is smaller than this, then padding bytes will be added to bring it up to 64 bytes. When Wireshark sees an outgoing frame, the four-byte frame check sequence hasn't been added yet, and when Wireshark sees an incoming frame, the frame check sequence has already been stripped off (at least on the Windows systems that I'm familiar with; some systems may pass the frame check sequence to Wireshark). So the smallest Ethernet frame that Wireshark should see is 60 bytes. If you see a frame smaller than 60 bytes, then it was below the minimum Ethernet frame size and the padding had not yet been added when Wireshark saw the frame, so the system that transmitted that frame is where the packets were captured.
  2. Turn on IP, TCP, and UDP checksum validation and look for packets with bad checksums. Most modern NICs do checksum offloading, which means that the checksum is calculated and applied by the NIC after Wireshark sees an outgoing frame. If you see bad checksums only on packets transmitted by one host, then that is probably the host where the data was captured. The checksums are good when the frames are transmitted on the wire. If the checksums were actually bad, then the packets with bad checksums would have been retransmitted or the communication would fail.

answered 20 May '13, 09:12


Jim Aragon
accept rate: 24%

edited 20 May '13, 10:04

Brilliant, it worked sir! Grand salute sir.

(20 May '13, 09:34) kishan pandey
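The two heuristics from Jim Aragon's answer (frames under 60 bytes, and bad IPv4 header checksums caused by offloading) applied to raw Ethernet frames, as an added example that is not part of the original thread. The frames, MAC addresses and IPs are constructed inline; `suspect_capture_hosts` and `build_frame` are hypothetical helper names, and the checksum check is limited to the IPv4 header.

```python
"""Heuristics from the answer above: frames shorter than 60 bytes and bad
IPv4 header checksums both point at the capturing host."""
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when the stored checksum is right."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)

def suspect_capture_hosts(frames):
    """Return {src_mac: set(reasons)} for frames showing either heuristic."""
    suspects = {}
    for frame in frames:
        src = mac_str(frame[6:12])
        reasons = set()
        if len(frame) < 60:  # padding not yet added -> seen before it reached the wire
            reasons.add("short frame (%d bytes)" % len(frame))
        if frame[12:14] == b"\x08\x00":  # EtherType IPv4
            ihl = (frame[14] & 0x0F) * 4
            if ipv4_checksum(frame[14:14 + ihl]) != 0:
                reasons.add("bad IPv4 header checksum")
        if reasons:
            suspects.setdefault(src, set()).update(reasons)
    return suspects

def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload, offloaded=False):
    """Constructed Ethernet/IPv4/UDP frame. offloaded=True mimics a frame seen on the
    sending host: IPv4 checksum still zero and no padding to 60 bytes."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src_ip, dst_ip)
    if not offloaded:
        ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    frame = dst_mac + src_mac + b"\x08\x00" + ip + udp
    return frame if offloaded else frame.ljust(60, b"\x00")

# Constructed sample: host A is where the capture ran, host B's frame came off the wire.
MAC_A, MAC_B = bytes.fromhex("020000000a0a"), bytes.fromhex("020000000b0b")
IP_A, IP_B = bytes([10, 0, 0, 10]), bytes([10, 0, 0, 11])
SAMPLE_FRAMES = [
    build_frame(MAC_A, MAC_B, IP_A, IP_B, b"ping", offloaded=True),
    build_frame(MAC_B, MAC_A, IP_B, IP_A, b"pong"),
]
SUSPECTS = suspect_capture_hosts(SAMPLE_FRAMES)  # only host A is flagged
```

On a real file, feed the function the raw packet bytes of each record (for example via a pcap reader) and treat a host that is flagged on both counts as the likely capture point, remembering that some drivers do pass padded or checksummed frames.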