This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How does Wireshark store all the addresses of a deep tunnel?

0

Good day everyone.

Currently I'm interested in tunneling. For example, I have a tunnel with the following protocol stack: (image)

And my question is: how does Wireshark store all the addresses for each packet (in my example there are three IPv4 addresses)? I thought of the packet_info structure, but there are only two fields:

address net_src;                  /**< network-layer source address */
address src;                      /**< source address (net if present, DL otherwise )*/

Thanks in advance.

asked 28 Apr '15, 06:46

ustas


One Answer:

2

Wireshark will keep the outermost IP addresses in the packet_info struct, as these are the real addresses for the particular packet at the network layer. These addresses are used in the source and destination column.

However, for each IP address encountered in an IP header, it will add an ip.src or ip.dst field to the dissection tree (as well as an ip.addr for both of them). So when using the display filter ip.src==10.0.0.1, it will be interpreted as "Display all packets for which there is at least one field with the name ip.src that has the value 10.0.0.1".

answered 29 Apr '15, 13:12

SYN-bit ♦♦
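The field-per-header behaviour described in the answer, as an added example that is not part of the original thread and is not Wireshark's own code. It assumes an IPv4-in-IPv4 tunnel (protocol 4) with constructed documentation addresses; `dissect`, `occurrences`, `matches` and `sample_packet` are hypothetical names. It shows why a filter or detection keyed on ip.src also matches addresses inside the tunnel.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IPv4-in-IPv4 encapsulation (assumed tunnel type for this demo)

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0 for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def dissect(packet):
    """Walk nested IPv4 headers and return a flat list of (name, value) fields,
    one ip.src / ip.dst (plus two ip.addr) per header, outermost first."""
    fields, offset = [], 0
    while len(packet) - offset >= 20 and packet[offset] >> 4 == 4:
        ihl = (packet[offset] & 0x0F) * 4
        if ihl < 20 or offset + ihl > len(packet):
            break  # malformed or truncated header: stop walking
        proto = packet[offset + 9]
        src = socket.inet_ntoa(packet[offset + 12:offset + 16])
        dst = socket.inet_ntoa(packet[offset + 16:offset + 20])
        fields += [("ip.src", src), ("ip.addr", src),
                   ("ip.dst", dst), ("ip.addr", dst)]
        if proto != IPPROTO_IPIP:
            break  # payload is not another IPv4 header
        offset += ihl
    return fields

def occurrences(fields, name):
    """All values recorded under one field name, in header order."""
    return [v for n, v in fields if n == name]

def matches(fields, name, value):
    """'name == value' holds if at least one field with that name has the value."""
    return value in occurrences(fields, name)

def sample_packet():
    """Constructed three-level tunnel: outer / middle / inner IPv4 headers."""
    inner = ipv4_header("10.0.0.1", "10.0.0.2", 17, 0)  # proto 17 = UDP, no payload
    middle = ipv4_header("172.16.0.1", "172.16.0.2", IPPROTO_IPIP, len(inner)) + inner
    return ipv4_header("192.0.2.1", "198.51.100.1", IPPROTO_IPIP, len(middle)) + middle

if __name__ == "__main__":
    tree = dissect(sample_packet())
    print("ip.src occurrences:", occurrences(tree, "ip.src"))
    print("ip.src==10.0.0.1 matches:", matches(tree, "ip.src", "10.0.0.1"))
```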