Wireshark-users: Re: [Wireshark-users] local IPs from pcap file
From: Chris Maynard <Chris.Maynard@xxxxxxxxx>
Date: Fri, 28 May 2010 19:12:23 +0000 (UTC)
Andrej van der Zee <andrejvanderzee@...> writes:

> I was wondering if there is any way to deduct the local IPs from
> TCP/IP packets in pcap files?

Another possible way to deduce the IP address of the local machine is if you
look for packets with a frame size less than the link layer minimum size, i.e.,
for Ethernet, "frame.len < 60".

For example, if you browse to a website, you might see some TCP ACKs with a
frame length of 54 bytes, but this is because Wireshark is capturing the packet
before the Ethernet padding is added.  TCP ACKs coming from the other direction
would be 60 bytes.  In reality they are both 60 bytes on the wire.  (All this
assumes a default IP header size of 20 bytes, of course.)

Note that this technique works for other protocols too.  Take, for example, ICMP.
If you send an ICMP echo request (ping) from host A to host B with a size of 1
byte over an Ethernet interface, and you are capturing with Wireshark on host A,
Wireshark will tell you the frame size of the ICMP echo request is 43 bytes, but
the ICMP echo reply will be 60 bytes.  This is one way to artificially "inject"
some knowledge into the capture file as to which host was capturing the packets
at the time the capture was taken.

- Chris
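The short-frame heuristic described above, as an added example that is not from the thread: a dependency-free Python parser for classic pcap files that tallies the IPv4 source addresses of Ethernet frames whose frame.len is below 60 bytes. The sample capture and the 192.0.2.10 / 198.51.100.5 addresses are constructed for the demonstration.

```python
import struct
from collections import Counter

ETHERNET_MIN_FRAME = 60  # 64-byte wire minimum minus the 4-byte FCS the NIC strips


def local_ip_candidates(pcap: bytes) -> Counter:
    """Count source IPv4 addresses of frames whose original length is below the
    Ethernet minimum: they were captured before the NIC padded them, so they
    can only have been sent by the capturing host."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("heuristic needs an Ethernet capture")
    hits, off = Counter(), 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # orig_len is what Wireshark shows as frame.len; 34 = Ethernet + IPv4 header
        if orig_len >= ETHERNET_MIN_FRAME or len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        hits[".".join(str(b) for b in frame[26:30])] += 1  # IPv4 source address
    return hits


def _frame(src: str, dst: str, proto: int, l4_len: int, pad: int = 0) -> bytes:
    """Minimal Ethernet/IPv4 frame with zeroed MACs and L4 bytes (constructed data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * (l4_len + pad)


def _pcap(frames) -> bytes:
    """Little-endian classic pcap with LINKTYPE_ETHERNET (constructed data)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# 192.0.2.10 plays the capturing host, 198.51.100.5 the remote peer (documentation addresses)
SAMPLE_PCAP = _pcap([
    _frame("192.0.2.10", "198.51.100.5", 6, 20),         # 54-byte TCP ACK, no padding yet
    _frame("198.51.100.5", "192.0.2.10", 6, 20, pad=6),  # 60-byte TCP ACK, padded on the wire
    _frame("192.0.2.10", "198.51.100.5", 1, 9),          # 43-byte ICMP echo request, 1 data byte
    _frame("198.51.100.5", "192.0.2.10", 1, 9, pad=17),  # 60-byte echo reply
])

if __name__ == "__main__":
    print(local_ip_candidates(SAMPLE_PCAP))  # Counter({'192.0.2.10': 2})
```

The heuristic only holds when the capture was taken on the sending host itself; captures from a SPAN port or a driver that pads before the capture point, and pcapng files, will not show the short frames.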