Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] ICMP packets with two pairs of source and destination ip a

From: nangergong <nangergong@xxxxxxxxx>
Date: Wed, 6 Jun 2012 14:33:23 +0200
if a packet is with a src ip A and a dst ip B while with a src ip B and a dst ip A, what is the real direction? from A to B or from B to A?
I get confused.

On Wed, Jun 6, 2012 at 12:25 PM, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
the ip layer appears twice in those packets.

First as IP layer sitting above ETHernet layer
Second as IP layer sitting above ICMP layer

Same thing happens when you tunnel ip over ip



On Wed, Jun 6, 2012 at 8:20 PM, nangergong <nangergong@xxxxxxxxx> wrote:
> HI, all,
>
>      I used tshark to parse a pcap file with icmp packets,
>                   tshark -r icmp -T fields -e frame.number -e ip.src -e
> ip.dst
>
>      and the results are something like this:
>
> 1    74.125.132.188    138.96.192.56
> 2    74.125.132.188    138.96.192.56
> 3    138.96.192.56,74.125.132.188    74.125.132.188,138.96.192.56
> 4    138.96.192.56,74.125.132.188    74.125.132.188,138.96.192.56
> 5    74.125.132.188    138.96.192.56
> 6    138.96.192.56,74.125.132.188    74.125.132.188,138.96.192.56
> 7    74.125.132.188    138.96.192.56
> 8    138.96.192.56,74.125.132.188    74.125.132.188,138.96.192.56
> 9    74.125.132.188    138.96.192.56
> 10    138.96.192.56,74.125.132.188    74.125.132.188,138.96.192.56
> 11    74.125.132.188    138.96.192.56
> 12    138.96.192.56,74.125.132.188    74.125.132.188,138.96.192.56
>
>
> so , like 3, 4, 6,8,10,12 , there are two src ip addr and dst ip addr
> what is the reason for this? thanks
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe