the ip layer appears twice in those packets.
First as IP layer sitting above ETHernet layer
Second as IP layer sitting above ICMP layer
Same thing happens when you tunnel ip over ip
On Wed, Jun 6, 2012 at 8:20 PM, nangergong <nangergong@xxxxxxxxx> wrote:
> HI, all,
>
> I used tshark to parse a pcap file with icmp packets,
> tshark -r icmp -T fields -e frame.number -e ip.src -e
> ip.dst
>
> and the results are something like this:
>
> 1 74.125.132.188 138.96.192.56
> 2 74.125.132.188 138.96.192.56
> 3 138.96.192.56,74.125.132.188 74.125.132.188,138.96.192.56
> 4 138.96.192.56,74.125.132.188 74.125.132.188,138.96.192.56
> 5 74.125.132.188 138.96.192.56
> 6 138.96.192.56,74.125.132.188 74.125.132.188,138.96.192.56
> 7 74.125.132.188 138.96.192.56
> 8 138.96.192.56,74.125.132.188 74.125.132.188,138.96.192.56
> 9 74.125.132.188 138.96.192.56
> 10 138.96.192.56,74.125.132.188 74.125.132.188,138.96.192.56
> 11 74.125.132.188 138.96.192.56
> 12 138.96.192.56,74.125.132.188 74.125.132.188,138.96.192.56
>
>
> so , like 3, 4, 6,8,10,12 , there are two src ip addr and dst ip addr
> what is the reason for this? thanks
>
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe