Wireshark-users: Re: [Wireshark-users] find local IP from cap-file

From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 5 Aug 2009 11:38:50 +0200

On Wed, Aug 05, 2009 at 04:29:46PM +0900, Andrej van der Zee wrote:
> 
>    I received huge cap-files that log multiple network-interfaces in both
>    directions (outgoing and incoming traffic). Unfortunately I have no
>    information about which IPs are bound to the sniffed network-interfaces.
>    Is there any way to retrieve this information from the cap-files? I know I
>    can convert it to text and look at the IPs, but still I cannot say which
>    local IP I was actually sniffing because network traffic is logged in both
>    directions.

If I understand correctly, the tracefile is made on a system with
multiple interfaces and the traffic to and from this system is captured
(so no port mirroring is used to capture data from other systems).

This would mean that every *unicast* packet must be to or from a local
interface. If you do some statistics on the src and dst mac-addresses
you will be able to tell which mac-addresses are always present. You can
then check which IP addresses are used for these mac-addresses.

Beware, if all traffic from this system is to non-directly attached
systems, you will see the mac of the router also in each packet, but
then you should see many different IP-addresses for that mac, so you
filter them out...

It's a bit of work, but it should work :-)

Cheers,
     Sake