How to capture the NATed out-bound HTTP syn request and inbound HTTP responses in a 3-way handshake process; identify our public IP address and our device’s private IP address?
asked 19 Aug '14, 19:47
edited 19 Aug '14, 19:49
One way would be to trace on the inside and the outside interfaces of the firewall. If you can use one PC with two NICs that would be good because both traces will be timestamped by one clock and so pretty closely synchronized. If must use two PCs, try to manually sync the clocks on them as best you can. Capture the traces and the match the packets in each trace using the detsination Internet address (the server the PC is trying to talk to) and the TCP sequence numbers (usually the firewall NAT doesn't change these). Remember to switch off the TCP protocol preference "Relative Sequence Numbers" in Wireshark so that you get distinctive sequence numbers.
answered 20 Aug '14, 06:29