tcpdump mailing list archives

Re: deduct local IP address from cap-file


From: Guy Harris <guy () alum mit edu>
Date: Fri, 30 Apr 2010 14:38:59 -0700


On Apr 30, 2010, at 12:14 AM, Andrej van der Zee wrote:

Is it by any means possible to deduct the local IP address from a
cap-file? With local I mean the IP address that is physically bound to
the machine where tcpdump is run.

If you mean "deduce" - i.e., given a capture file, determine what IP addresses (possibly plural!) the machine where 
tcpdump was run has, or what IP addresses (again, possibly plural) the interface on which the capture was done has - 
no, that's not possible unless you can, somehow, determine which packets were sent by, or received by, that host 
normally (rather than as a result of the interface being in promiscuous mode) and, if they're IP packets:

        if they're sent by that host, see what the source address is;

        if they're received by that host, and the destination address isn't a broadcast or multicast address, see what the destination address is;

but I don't know any general way of doing that.

pcap-ng format *supports* putting the IP address information into the file, but

        1) tcpdump currently doesn't support writing pcap-ng files (libpcap 1.1.x, and thus any version of tcpdump using libpcap 1.1.x, supports *reading* pcap-ng files to a limited degree, but doesn't support *writing* them);

        2) even if a program does support writing them (e.g., Wireshark), there's no guarantee that the Interface Description Blocks it writes actually have IP address information (it's optional).

--
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
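An added example (not part of this thread) of the heuristic Guy describes. It assumes the capturing host's own MAC address is known (LOCAL_MAC, a constructed value) as the "somehow" for separating the host's own traffic from frames seen only because the interface was promiscuous; it reads a classic pcap file directly, counts source addresses of IPv4 frames the host sent and unicast destination addresses of frames it received, and the sample capture is constructed inline.

```python
import struct
from collections import Counter

LOCAL_MAC = bytes.fromhex("0242ac110002")   # constructed: MAC of the capturing host

def pcap_frames(data):
    """Yield raw link-layer frames from a classic (non-pcap-ng) pcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcap-ng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:          # DLT_EN10MB only
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def candidate_local_ips(data, local_mac):
    """Source IP of frames the host sent, destination IP of unicast frames it
    received; returns {ip: count} so that several local addresses can show up."""
    votes = Counter()
    for frame in pcap_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # IPv4 only
            continue
        dst_mac, src_mac = frame[0:6], frame[6:12]
        src_ip = ".".join(map(str, frame[26:30]))
        dst_ip = ".".join(map(str, frame[30:34]))
        if src_mac == local_mac:
            votes[src_ip] += 1
        elif dst_mac == local_mac and frame[30] < 224 and dst_ip != "255.255.255.255":
            # skip multicast (224/4) and limited broadcast; a directed broadcast
            # cannot be recognised because the capture carries no netmask
            votes[dst_ip] += 1
    return dict(votes)

def _frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed minimal Ethernet/IPv4 frame (20-byte IP header, no payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + b"\x08\x00" + ip

def _pcap(frames):
    """Constructed little-endian classic pcap file wrapping the frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1272600000 + i, 0, len(f), len(f)) + f
    return out

PEER, OTHER, BCAST = bytes.fromhex("525400123456"), bytes.fromhex("001122334455"), b"\xff" * 6
SAMPLE_PCAP = _pcap([
    _frame(PEER, LOCAL_MAC, "10.1.2.3", "10.1.2.9"),             # sent by the host
    _frame(LOCAL_MAC, PEER, "10.1.2.9", "10.1.2.3"),             # unicast to the host
    _frame(BCAST, PEER, "10.1.2.9", "255.255.255.255"),          # broadcast: ignored
    _frame(PEER, OTHER, "10.1.2.7", "10.1.2.9"),                 # promiscuous-mode noise
    _frame(PEER, LOCAL_MAC, "192.168.0.5", "192.168.0.1"),       # second local address
])
```

Running candidate_local_ips(SAMPLE_PCAP, LOCAL_MAC) on the constructed capture yields two candidates, which is exactly the "possibly plural" case the reply warns about.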
