Wireshark-users: Re: [Wireshark-users] local IPs from pcap file
From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 26 May 2010 14:11:55 +0200
On 26 May 2010, at 13:05, Andrej van der Zee wrote:
> On Wed, May 26, 2010 at 4:53 PM, Sake Blok <sake@xxxxxxxxxx> wrote:
>> On 26 May 2010, at 08:06, Andrej van der Zee wrote:
>> 
>>> I was wondering if there is any way to deduce the local IPs from
>>> TCP/IP packets in pcap files? IP packets contain src and dst fields,
>>> but as far as I can see it is impossible to know which IP is bound to
>>> the host where the pcap file is generated.
>> 
>> If the host that was capturing has:
>> 
>> 1)  TCP checksum offloading   *and*
>> 2)  Was sending TCP packets during the capture
>> 
>> Then all outgoing packets from that host will have a bad TCP checksum (because the packets were captured before the NIC could change the checksum value to the proper value).
> 
> I am using pcap and loop through the packets. How can I check that all
> outgoing packets from that host will have a bad TCP checksum?

Make sure you have "Validate Checksum if possible" enabled in the TCP protocol preferences and then you can filter with "tcp.checksum_bad==1".

> And how common is it that the capturing has TCP checksum offloading? I
> receive many pcap files from clients and have no way to find out.

Most modern NICs support it and most drivers make use of it by default. So it is quite common...

(that's why "Validate Checksum if possible" is now *disabled* by default when you install Wireshark)

Cheers,


Sake
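Added example (not part of the original message or of Wireshark): the same checksum test done in a script that loops over a capture file, counting per source IP how many TCP segments fail validation. It assumes a classic pcap file (not pcapng) with Ethernet framing and IPv4; the function names and the sample capture built by sample_pcap() are constructed for illustration.

```python
import socket, struct
from collections import defaultdict

def csum(data):  # RFC 1071 ones'-complement sum, folded to 16 bits
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def tcp_checksum_ok(ip):
    """True/False for an IPv4 packet carrying TCP; None if it cannot be validated."""
    ihl = (ip[0] & 0x0F) * 4
    total, frag = struct.unpack("!H2xH", ip[2:8])
    if frag & 0x3FFF or total < ihl + 20 or len(ip) < total:
        return None  # IP fragment, bogus length field, or snaplen-truncated packet
    seg = ip[ihl:total]
    return csum(ip[12:20] + struct.pack("!BBH", 0, 6, len(seg)) + seg) == 0xFFFF

def local_candidates(pcap):
    """Map source IP -> [bad, checked]; an offloading capture host shows bad == checked."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    stats, off = defaultdict(lambda: [0, 0]), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
            continue  # not IPv4 carrying TCP
        ok = tcp_checksum_ok(ip)
        if ok is not None:
            s = stats[socket.inet_ntoa(ip[12:16])]
            s[0], s[1] = s[0] + (not ok), s[1] + 1
    return dict(stats)

def sample_pcap():
    """Constructed capture: 10.0.0.5 sends 3 unfilled-checksum segments, 192.0.2.10 sends 2 valid."""
    def rec(src, dst, fill):
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 8192, 0, 0) + b"constructed"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        c = 0xFFFF - csum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) if fill else 0
        tcp = tcp[:16] + struct.pack("!H", c) + tcp[18:]  # 0 stands in for a not-yet-computed value
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + rec("10.0.0.5", "192.0.2.10", False) * 3 + rec("192.0.2.10", "10.0.0.5", True) * 2
```

A source address whose checked segments all fail while every other source validates is a candidate for the capturing host; segments cut short by the snap length are skipped because their checksum cannot be verified.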