tcpdump mailing list archives

deduct local IPs from pcap-files, possible?


From: Andrej van der Zee <andrejvanderzee () gmail com>
Date: Thu, 20 May 2010 11:05:24 +0900

Hi,

Sorry for asking again, but I got no useful answer last time. Hopefully more
luck this time...

I receive many pcap-files from our clients. Now I am constructing an
algorithm using libpcap that deduces time differences between the servers by
matching packets on both ends of the connection and comparing timestamps
(neglecting latencies). Every server produces one pcap-file that listens to
all interfaces of the local machine. I found a way to calculate the time
differences between the IPs, but I cannot tell if a particular server is
ahead or behind in time. To be able to do this, I need to deduce the local
IPs that belong to the server that produced the pcap-file. The "problem" is
that on a particular server all incoming and outgoing packets are sniffed,
hence the local IPs will appear as "src" and "dst" in the IP-packets. I am
looking for a way to deduce the local IPs anyway, but need a push in the
right direction (if it is possible at all).

By the way, I am using libpcap and loop through all TCP and UDP packets.

Thank you,
Andrej
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
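
One possible heuristic for the question above, as an added example that is not part of the original post or of libpcap: if the capturing host only sees its own unicast IPv4 traffic (no forwarding, no promiscuous capture of other hosts; both are assumptions), every packet has a local endpoint, so a greedy cover over the (src, dst) pairs recovers the local addresses. The names `struct flow`, `hits`, `guess_local_ips` and the sample data are hypothetical; filling the array from the libpcap packet loop is left to the caller.

```c
#include <stdint.h>
#include <stdlib.h>
/* Endpoints of one captured IPv4 packet, addresses in host byte order. */
struct flow { uint32_t src, dst; };
#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (b) << 16 | (c) << 8 | (d))
/* Count not-yet-explained packets that have `ip` as either endpoint. */
static size_t hits(const struct flow *f, const unsigned char *done,
                   size_t n, uint32_t ip) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (!done[i] && (f[i].src == ip || f[i].dst == ip)) c++;
    return c;
}

/* Greedy cover: keep picking the address that explains the most remaining
 * packets. O(n^2) per pick. A tie (a local address with a single peer) is
 * ambiguous and resolves to the first candidate seen. Returns count in out. */
size_t guess_local_ips(const struct flow *f, size_t n,
                       uint32_t *out, size_t max_out) {
    size_t found = 0, left = n;
    unsigned char *done = n ? calloc(n, 1) : NULL;
    while (done && left > 0 && found < max_out) {
        uint32_t best = 0; size_t best_cnt = 0;
        for (size_t i = 0; i < n; i++) {
            if (done[i]) continue;
            uint32_t cand[2] = { f[i].src, f[i].dst };
            for (int k = 0; k < 2; k++) {
                size_t c = hits(f, done, n, cand[k]);
                if (c > best_cnt) { best_cnt = c; best = cand[k]; }
            }
        }
        for (size_t i = 0; i < n; i++)
            if (!done[i] && (f[i].src == best || f[i].dst == best)) done[i] = 1;
        left -= best_cnt;
        out[found++] = best;
    }
    free(done);
    return found;
}

/* Constructed sample: a host owning 10.0.0.5 and 192.168.1.5. */
static const struct flow SAMPLE[] = {
    { IP(10,0,0,5), IP(10,0,0,20) },   { IP(10,0,0,20), IP(10,0,0,5) },
    { IP(10,0,0,21), IP(10,0,0,5) },   { IP(10,0,0,5), IP(10,0,0,22) },
    { IP(192,168,1,5), IP(192,168,1,8) }, { IP(192,168,1,9), IP(192,168,1,5) },
};
static uint32_t OUT[4];
int main(void) {
    return guess_local_ips(SAMPLE, 6, OUT, 4) == 2 ? 0 : 1;
}
```

Broadcast and multicast destinations should be filtered out before calling this, since they would otherwise look like the busiest "local" address.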

