Re: Machine on which wireshark capturing has been done

[Guy Harris <guy () alum mit edu>]

On Aug 21, 2014, at 1:30 AM, Vishnu Bhatt <vishnu.bhatt () aricent com> wrote:

> Hello,
>  
> I have a pcap file and I want to know on which machine is the file has been captured.
> Is there a way to know the Mac or IP address of the machine/switch on which the file has been taken?

Not reliably; the pcap file format:

        http://www.tcpdump.org/manpages/pcap-savefile.5.html

does not include any information to identify the machine on which the file has been captured.

You *might* be able to infer it by looking for, for example, packets less than 60 bytes in an Ethernet capture, as 
those are probably outgoing packets, in which case the source MAC address will be the MAC address of the interface on 
which the packet was sent out.  There's no guarantee that this will work, however.

For a pcap-ng file:

        http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

the Section Header Block might give some information about the machine on which the packet capture was done, and the 
Interface Description Blocks (possibly plural!) might give the IP and/or MAC addresses of the interfaces on which the 
capture was done, but those are all options and are not guaranteed to be in the capture file, so you might have to rely 
on hacks such as the one I described above for pcap files.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe