Wireshark-users: Re: [Wireshark-users] local IPs from pcap file

From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>
Date: Wed, 26 May 2010 20:05:38 +0900
Hi Sake,

Thanks for your reply.

I am using pcap and loop through the packets. How can I check that all
outgoing packets from that host will have a bad TCP checksum?

And how common is it that the capturing has TCP checksum offloading? I
receive many pcap files from clients and have no way to find out.

Thanks,
Andrej


On Wed, May 26, 2010 at 4:53 PM, Sake Blok <sake@xxxxxxxxxx> wrote:
> On 26 mei 2010, at 08:06, Andrej van der Zee wrote:
>
>> I was wondering if there is any way to deduct the local IPs from
>> TCP/IP packets in pcap files? IP packets contain src and dst fields,
>> but as far as I can see it is impossible to know which IP is bound to
>> the host where the pcap file is generated.
>
> If the host that was capturing has:
>
> 1)  TCP checksum offloading   *and*
> 2)  Was sending TCP packets during the capture
>
> Then all outgoing packets from that host will have a bad TCP checksum (because the packets were captured before the NIC could change the checksum value to the proper value).
>
> Cheers,
>
>
> Sake
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>