On 26 mei 2010, at 08:06, Andrej van der Zee wrote:
> I was wondering if there is any way to deduct the local IPs from
> TCP/IP packets in pcap files? IP packets contain src and dst fields,
> but as far as I can see it is impossible to know which IP is bound to
> the host where the pcap file is generated.
If the host that was capturing has:
1) TCP checksum offloading *and*
2) Was sending TCP packets during the capture
Then all outgoing packets from that host will have a bad TCP checksum (because the packets were captured before the NIC could change the checksum value to the proper value).
Cheers,
Sake