tcpdump mailing list archives
Re: deduct local IP address from cap-file
From: Guy Harris <guy () alum mit edu>
Date: Fri, 30 Apr 2010 14:38:59 -0700
On Apr 30, 2010, at 12:14 AM, Andrej van der Zee wrote:
> Is it by any means possible to deduct the local IP address from a cap-file? With local I mean the IP address that is physically bound to the machine where tcpdump is run.
If you mean "deduce" - i.e., given a capture file, determine what IP addresses (possibly plural!) the machine where tcpdump was run has, or what IP addresses (again, possibly plural) the interface on which the capture was done has - no, that's not possible unless you can, somehow, determine which packets were sent by, or received by, that host normally (rather than as a result of the interface being in promiscuous mode) and, if they're IP packets: if they're sent by that host, see what the source address is; if they're received by that host, and the destination address isn't a broadcast or multicast address, see what the destination address is; but I don't know any general way of doing that.

pcap-ng format *supports* putting the IP address information into the file, but

1) tcpdump currently doesn't support writing pcap-ng files (libpcap 1.1.x, and thus any version of tcpdump using libpcap 1.1.x, supports *reading* pcap-ng files to a limited degree, but doesn't support *writing* them);

2) even if a program does support writing them (e.g., Wireshark), there's no guarantee that the Interface Description Blocks it writes actually have IP address information (it's optional).
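As an added example (not part of the thread), a small Python reader that walks the blocks of a pcap-ng file and pulls the optional if_IPv4addr and if_IPv6addr options (option codes 4 and 5 in the pcap-ng specification) out of each Interface Description Block, reporting an empty list for an IDB whose writer left them out. The sample file is constructed inline, not a real capture; the helper names `_options`, `_block` and `_opt` are this example's own.

```python
import socket
import struct

SHB, IDB = 0x0A0D0D0A, 0x00000001            # pcap-ng block types
IF_IPV4ADDR, IF_IPV6ADDR = 4, 5              # IDB option codes from the pcap-ng spec

def _options(buf, bo):
    """Yield (code, value) pairs from a pcap-ng option list; stops at opt_endofopt."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack(bo + "HH", buf[off:off + 4])
        if code == 0:
            return
        yield code, buf[off + 4:off + 4 + length]
        off += 4 + ((length + 3) & ~3)       # option values are padded to 32 bits

def interface_addresses(data):
    """For each Interface Description Block, in file order, list the addresses it records."""
    result, off, bo = [], 0, "<"
    while off + 12 <= len(data):
        btype = struct.unpack(bo + "I", data[off:off + 4])[0]
        if btype == SHB:                     # byte-order magic sets endianness for the section
            bo = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        total = struct.unpack(bo + "I", data[off + 4:off + 8])[0]
        if total < 12 or off + total > len(data):
            break                            # truncated or corrupt block: stop rather than guess
        if btype == IDB:
            addrs = []
            for code, val in _options(data[off + 16:off + total - 4], bo):
                if code == IF_IPV4ADDR and len(val) == 8:       # address, then netmask
                    addrs.append(socket.inet_ntop(socket.AF_INET, val[:4]) + "/"
                                 + socket.inet_ntop(socket.AF_INET, val[4:]))
                elif code == IF_IPV6ADDR and len(val) == 17:    # address, then prefix length
                    addrs.append(socket.inet_ntop(socket.AF_INET6, val[:16]) + "/%d" % val[16])
            result.append(addrs)
        off += total
    return result

def _block(btype, body, bo="<"):             # helper for the constructed sample only
    total = 12 + len(body)
    return struct.pack(bo + "II", btype, total) + body + struct.pack(bo + "I", total)

def _opt(code, value, bo="<"):               # one option, value padded to a 32-bit boundary
    return struct.pack(bo + "HH", code, len(value)) + value + b"\x00" * (-len(value) % 4)

# Constructed sample (not a real capture): an SHB, an IDB carrying if_name, if_IPv4addr and
# if_IPv6addr, and a second IDB with no options at all, as a writer is free to emit.
SAMPLE = (
    _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    + _block(IDB, struct.pack("<HHI", 1, 0, 65535) + _opt(2, b"eth0")
             + _opt(IF_IPV4ADDR, socket.inet_pton(socket.AF_INET, "192.0.2.10")
                    + socket.inet_pton(socket.AF_INET, "255.255.255.0"))
             + _opt(IF_IPV6ADDR, socket.inet_pton(socket.AF_INET6, "2001:db8::1") + bytes([64]))
             + _opt(0, b""))
    + _block(IDB, struct.pack("<HHI", 1, 0, 65535))
)
```

Running `interface_addresses(SAMPLE)` returns one address list per IDB, so an interface whose writer omitted the options shows up as an empty list rather than a guess.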