This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I know where the capture was taken?


Given a capture, how can I figure out where the trace was taken from (who is the originator of the flow) if the capture contains 3 packets (SYN, SYN/ACK and ACK)?

asked 06 May '14, 19:57


krishnayeddula

edited 06 May '14, 19:58

"Where the trace is taken from?" and "Who is the originator of the flow?" are 2 entirely different questions. Which do you want to know? Or are you assuming that the trace is being taken from the originator? Which class is this question for, by the way?

(07 May '14, 07:13) cmaynard ♦♦

2 Answers:

1

To determine where the capture was taken you can use the following clues:

  • Look at the delta time between SYN and SYN/ACK
  • Compare it to the delta time between SYN/ACK and ACK
  • Look at the ip.ttl of the SYN and SYN/ACK packets (even TTLs are 255, 128, 64)
  • Look at the manufacturer prefix of the MAC addresses
  • Look at the Statistics - Summary

The larger delta time contains the external RTT of the connection, indicating that the sender of that packet is the remote host (if there is a notable difference).

Most IP stacks have a hexadecimal 'even' TTL. Windows uses 128, most other stacks 64, some 255. So unless client and server are on the same LAN you should see an 'odd' TTL; this is a packet from the remote host.

MAC addresses give a clue as to what manufacturer the sender of an IP packet is.

Statistics > Summary contains general information about the capture.

answered 06 May '14, 21:16


mrEEde

edited 06 May '14, 21:19
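The timing and TTL clues from the answer above, turned into a small script. This is an added example and not code from the original answer or from the Wireshark project; the three handshake packets are constructed inline in the shape you would get from `tshark -r trace.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ip.ttl -e tcp.flags` (the flag labels `S`, `SA`, `A` and the 3x ratio threshold are this example's own assumptions). It rounds each observed TTL up to the nearest common initial value (64, 128, 255) to estimate hops, compares the SYN -> SYN/ACK delta with the SYN/ACK -> ACK delta, and reports which side of the connection the capture point is near, or "inconclusive" when the two clues do not agree.

```python
"""Infer which end of a TCP three-way handshake a capture was taken near.

Constructed example, not from the original answer.  Packets are dicts with
keys time (seconds), src, dst, ttl and flags ('S', 'SA' or 'A'), roughly what
a tshark -T fields export of the first three packets of a flow gives you.
"""

# Initial TTLs seen in practice: 64 (Linux/BSD/macOS), 128 (Windows), 255 (some
# routers, Solaris, etc.).  Assumption of this example: nothing in between.
COMMON_INITIAL_TTLS = (64, 128, 255)
RATIO = 3.0  # how much larger one delta must be to call it "notable"


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value."""
    for base in COMMON_INITIAL_TTLS:
        if observed <= base:
            return base
    return 255


def hops(observed):
    """Estimated number of routers between the sender and the capture point."""
    return initial_ttl(observed) - observed


def _timing_verdict(syn_to_synack, synack_to_ack):
    # Capture near the client: SYN/ACK takes a full RTT to come back (large
    # first delta), the client's ACK follows almost immediately (tiny second
    # delta).  Near the server the picture is mirrored.
    if syn_to_synack > RATIO * synack_to_ack:
        return "client"
    if synack_to_ack > RATIO * syn_to_synack:
        return "server"
    return "inconclusive"


def _ttl_verdict(client_hops, server_hops):
    # Zero estimated hops means the sender is on the capture LAN.
    if client_hops == 0 and server_hops > 0:
        return "client"
    if server_hops == 0 and client_hops > 0:
        return "server"
    if client_hops == 0 and server_hops == 0:
        return "same LAN"
    return "in between"


def locate_capture_point(pkts):
    """Return the deltas, hop estimates and verdicts for one handshake."""
    syn = next(p for p in pkts if p["flags"] == "S")
    synack = next(p for p in pkts if p["flags"] == "SA")
    ack = next(p for p in pkts if p["flags"] == "A")
    client, server = syn["src"], syn["dst"]
    if synack["src"] != server or ack["src"] != client:
        raise ValueError("packets do not form one SYN / SYN-ACK / ACK exchange")

    d1 = synack["time"] - syn["time"]   # SYN -> SYN/ACK
    d2 = ack["time"] - synack["time"]   # SYN/ACK -> ACK
    client_hops = hops(syn["ttl"])
    server_hops = hops(synack["ttl"])
    timing = _timing_verdict(d1, d2)
    ttl = _ttl_verdict(client_hops, server_hops)
    overall = timing if timing == ttl else "inconclusive"
    return {
        "client": client, "server": server,
        "syn_to_synack": d1, "synack_to_ack": d2,
        "client_hops": client_hops, "server_hops": server_hops,
        "timing_verdict": timing, "ttl_verdict": ttl, "capture_near": overall,
    }


# Constructed sample handshake (TEST-NET addresses, invented timestamps).
SAMPLE = [
    {"time": 0.000000, "src": "10.0.0.5", "dst": "203.0.113.10", "ttl": 64, "flags": "S"},
    {"time": 0.042100, "src": "203.0.113.10", "dst": "10.0.0.5", "ttl": 53, "flags": "SA"},
    {"time": 0.042150, "src": "10.0.0.5", "dst": "203.0.113.10", "ttl": 64, "flags": "A"},
]

if __name__ == "__main__":
    for key, value in locate_capture_point(SAMPLE).items():
        print(f"{key:>15}: {value}")
```

On the constructed sample both clues agree: the SYN/ACK arrives 42 ms after the SYN while the ACK follows within 50 microseconds, and the client's TTL of 64 is untouched while the server's 53 implies 11 routers, so the capture was taken on the client's LAN. When the two verdicts disagree (for example a proxy or load balancer rewriting TTLs, or a capture taken mid-path), the function says so rather than guessing, which is where the MAC-address and Statistics > Summary clues from the answer come in.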

0

See the answer to this question.

answered 07 May '14, 09:41


Jim Aragon