Ask Your Question
0

Determine the Packet Direction (Inbound or Outbound)

asked 2020-07-27 16:12:27 +0000

Artemis gravatar image

Hello:) I'd like to ask what is the best way to determine if a packet direction is inboud or outbound by using wireshark or pyshark?

Currently i tried two ways: the first one is based on the source and destination IP address of the packets (the packet is outbound if the source ip is the pc ip), while the second one is based on the port numbers (the packet is outbound if the source port number is less than 1024, and the destination port number is more than 1023). However, in both cases, i got exceptions in my captured files.

I wonder if there's any better way to determine the direction of the captured packet? thanks a lot.

edit retag flag offensive close merge delete

Comments

Can you go a down a layer and look at the MAC addresses in the Ethernet header?

Chuckc gravatar imageChuckc ( 2020-07-27 16:26:57 +0000 )edit

Thank you for the kind insight, i will try this way to see if it works better.

Artemis gravatar imageArtemis ( 2020-07-27 16:36:04 +0000 )edit

Hello, did you find a solution? I am trying to solve this problem but till now I did find one, please if you have an idea how to determine the packet inbound or outbound help me! thank you

omar gravatar imageomar ( 2021-10-06 11:41:04 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-07-27 17:46:08 +0000

zchbrsn gravatar image

Artemis,

There are a few ways you can determine if it is inbound or outbound.

  1. By looking in the Source or Destination fields in the packet count pane (tried uploading a picture to assist in locating, but can't post pictures yet).

  2. By looking for "src" or "dst" followed by the IP Address in the details pane of a packet (src = Source, dst = Destination).

  3. Conventionally, if you are looking at the hexdump of a packet, the Source IP Address will come first, followed by the Destination IP Address.

Note: I wouldn't advise determining the orientation of the packet by using the Source or Destination port. It is very likely that common ports are used, but it's not always the case. Protocols can go over virtually any port number in the port range (e.g. HTTP over 8080 which is greater than 1024).

Hope this helps.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2020-07-27 16:12:27 +0000

Seen: 4,330 times

Last updated: Jul 27 '20

Related questions

Capture incoming packets from remote web server

How do I dissect multiple packets?

How do I get relative ack number greater than sequence number?

How do I use the fragment_add_seq_check function in UDP packet reassembly?

Is it possible to use reassembly on non-split packets?

How do I dissect packets if the dissection depends on information from earlier packets?

Little Endian for "Proto_Tree_Add_Bits" Function

How to copy every layer we see under packet details?

How can we dump pcap file data onto CAN bus

Wireshark 2.4.1 GTK Crash on long run