Dear Sake,
Thanks for your reply.
If I understand correctly, the tracefile is made on a system with
multiple interfaces and the traffic to and from this system is captured
(so no port mirroring is used to capture data from other systems).
Yes that is right.
This would mean that every *unicast* packet must be to or from a local
interface. If you do some statistics on the src and dst mac-addresses
you will be able to tell which mac-addresses are always present. You can
then check which IP addresses are used for these mac-addresses.
I wrote a small pcap application that does this directly on the src and dst IP addresses. The problem is that packages are send in both directions, so I can't tell wich is the local IP that was used for sniffing. I am not sure if doing this on the mac-address level, and then mapping the mac to the IP, is going to help. Is it?
Thank you,
Andrej
