This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark WCCP interpretation

0

Hi Wireshark-er,

This topic is not about a bug or a question; the interpretation is a bit confusing for WCCP:

From my view, it should display the IP address before encap with the WCCP GRE tunnel, but Wireshark 2.2.4 displays the source of the original host.


asked 23 Feb '17, 02:18


limvuihan


One Answer:

1

When analyzing encapsulated traffic, it can be useful to add extra IP source and destination columns to display both the outer and the encapsulated source and destination IP addresses. How?

Here's an example for adding the outer source IPv4 address: Navigate to Edit -> Preferences -> Columns, then click Add. For the "Field type", choose Custom and then enter ip.src for the "Field name", but (and this is the important part) change the "Field occurrence" value from 0 to 1, which will cause only the first occurrence of the field to be displayed. Rename the title from "New Column" to something more useful, such as "OuterSrcIP" and drag it into your desired column position.

Repeat for ip.dst.

answered 23 Feb '17, 07:18


cmaynard ♦♦

Hi cmaynard,

Thanks for the guide, it works perfectly.


(23 Feb '17, 19:04) limvuihan
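
Why ip.src occurs twice in a WCCP-redirected packet, and what the "Field occurrence" setting selects, shown as an added example that is not part of the original answer. All addresses are constructed sample values, and the GRE protocol type 0x883E and the 4-byte WCCPv2 redirect header are assumptions about the framing.

```python
import socket
import struct

GRE_WCCP = 0x883E  # assumption: GRE protocol type used for WCCP redirection

def ipv4(src, dst, proto, payload=b""):
    """Minimal 20-byte IPv4 header plus payload (checksum left 0: sample data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_sample():
    """Constructed packet: router-to-cache GRE tunnel around a client's packet."""
    inner = ipv4("192.0.2.10", "198.51.100.80", 6)   # original host -> server
    gre = struct.pack("!HH", 0, GRE_WCCP)            # no optional GRE fields
    redirect = b"\x00" * 4                           # assumed WCCPv2 redirect header
    return ipv4("10.0.0.1", "10.0.0.2", 47, gre + redirect + inner)

def ip_layers(pkt):
    """Return [(src, dst), ...] for each IPv4 header, outermost first."""
    layers, off = [], 0
    while off + 20 <= len(pkt) and pkt[off] >> 4 == 4:
        ihl = (pkt[off] & 0x0F) * 4
        if ihl < 20:
            break
        layers.append((socket.inet_ntoa(pkt[off + 12:off + 16]),
                       socket.inet_ntoa(pkt[off + 16:off + 20])))
        proto, off = pkt[off + 9], off + ihl
        if proto != 47 or off + 4 > len(pkt):        # 47 = GRE
            break
        flags, gre_type = struct.unpack_from("!HH", pkt, off)
        # skip base GRE header plus optional checksum/key/sequence words
        off += 4 + 4 * sum(bool(flags & b) for b in (0x8000, 0x2000, 0x1000))
        if gre_type == GRE_WCCP:
            if off < len(pkt) and pkt[off] >> 4 != 4:  # not IPv4 yet: redirect header
                off += 4
        elif gre_type != 0x0800:                     # plain IPv4-in-GRE also continues
            break
    return layers

def column(pkt, field, occurrence):
    """Mimic a custom column: occurrence 0 = all values, n = nth value only."""
    idx = {"ip.src": 0, "ip.dst": 1}[field]
    values = [layer[idx] for layer in ip_layers(pkt)]
    if occurrence == 0:
        return ",".join(values)
    return values[occurrence - 1] if 1 <= occurrence <= len(values) else ""
```
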