Wireshark-users: Re: [Wireshark-users] find local IP from cap-file

From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>
Date: Wed, 5 Aug 2009 18:49:53 +0900

Dear Sake,

Thanks for your reply.


> If I understand correctly, the tracefile is made on a system with
> multiple interfaces and the traffic to and from this system is captured
> (so no port mirroring is used to capture data from other systems).

Yes, that is right.

> This would mean that every *unicast* packet must be to or from a local
> interface. If you do some statistics on the src and dst mac-addresses
> you will be able to tell which mac-addresses are always present. You can
> then check which IP addresses are used for these mac-addresses.

I wrote a small pcap application that does this directly on the src and dst IP addresses. The problem is that packages are sent in both directions, so I can't tell which is the local IP that was used for sniffing. I am not sure if doing this on the mac-address level, and then mapping the mac to the IP, is going to help. Is it?

Thank you,
Andrej
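
The MAC-address statistics suggested in the quoted reply, as an added example that is not part of the original message or of Wireshark: it counts which MAC addresses appear in every unicast frame and lists the IPv4 addresses seen with them. It assumes a classic pcap file with Ethernet link type and no VLAN tags; the function names and all sample addresses are constructed for illustration.

```python
import struct
from collections import Counter, defaultdict
from ipaddress import IPv4Address

def always_present_macs(pcap: bytes) -> dict:
    """Map each MAC seen in every unicast frame to the IPv4 addresses it used."""
    little = pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")
    endian = "<" if little else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    seen, ips, total, off = Counter(), defaultdict(set), 0, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 14 or frame[0] & 1:      # skip runts, broadcast, multicast
            continue
        dst, src = frame[0:6], frame[6:12]
        total += 1
        seen.update({dst, src})                  # count each MAC once per frame
        if frame[12:14] == b"\x08\x00" and len(frame) >= 34:
            ips[src].add(str(IPv4Address(frame[26:30])))   # IPv4 source address
            ips[dst].add(str(IPv4Address(frame[30:34])))   # IPv4 destination address
    return {m.hex(":"): ips[m] for m, n in seen.items() if n == total}

def _frame(dst, src, sip, dip):
    """Constructed Ethernet + minimal IPv4 header (MACs as hex, IPs dotted)."""
    ip = b"\x45" + bytes(11) + IPv4Address(sip).packed + IPv4Address(dip).packed
    return bytes.fromhex(dst + src) + b"\x08\x00" + ip

def _pcap(frames):
    """Constructed little-endian classic pcap file holding the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: capturing host, its gateway, and one LAN peer.
HOST, GW, PEER = "020000000010", "020000000001", "020000000020"
SAMPLE = _pcap([
    _frame(GW, HOST, "192.168.1.10", "198.51.100.5"),
    _frame(HOST, GW, "198.51.100.5", "192.168.1.10"),
    _frame(HOST, GW, "203.0.113.9", "192.168.1.10"),
    _frame(PEER, HOST, "192.168.1.10", "192.168.1.20"),
    _frame("ffffffffffff", PEER, "192.168.1.20", "192.168.1.255"),  # broadcast
])

if __name__ == "__main__":
    print(always_present_macs(SAMPLE))
```

If the capturing host only ever talks through one gateway, the gateway's MAC is also present in every unicast frame; it then shows up with many IP addresses, while the local interface shows up with its own.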