Ask Your Question
0

Is there a way to view what machine utilized the packet capture for the trace file?

asked 2020-12-15 06:51:16 +0000

mr.pktsniffer gravatar image

Identifying what machine was used for the packet capture.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-12-15 08:27:14 +0000

Guy Harris gravatar image

Only if 1) the machine doing the capture recorded that information and 2) it's recorded in a form that Wireshark understands.

The pcapng file format supports recording, in the capture file:

  • a text string describing the hardware on which the capture was done;
  • a text string describing the operating system (or other system firmware/software) that hardware was running;
  • a text string describing the application that wrote the capture file;

and Wireshark will display that in the Statistics > Capture File Properties dialog box.

For example, in a capture file I just opened, selecting "Capture File Properties" from the "Statistics" menu reports, among other things:

Hardware: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz (with SSE4.2)
OS: Linux 4.3.0-1-amd64
Application: Dumpcap (Wireshark) 2.5.0 (v2.5.0rc0-1906-gb3f0004a)

in that dialog box.

edit flag offensive delete link more

Comments

There are possibly some clues in the capture file that can provide evidence to support, though may not prove, that a particular host actually made this particular capture.

  1. Look for frames that are smaller than 60bytes in size. On the wire, the minimum frame size for Ethernet is 60bytes+4byte FCS, so if you see, say, 42 byte ARP frames, they likely did not come across the wire but were generated locally on the box taking the capture.
  2. IGMP - if the infrastructure has a proper functioning IGMP implementation, a host capturing traffic on its interface should see IGMP queries from the network and only it's reports.

There are ways to make these break but are general rules of thumb. Wireless capture can change the minimum frame size observed; sniffing on a bridge, say from a VM, may not have IGMP running so could show all of the reports from ...(more)

Bob Jones gravatar imageBob Jones ( 2020-12-15 10:38:54 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2020-12-15 06:51:16 +0000

Seen: 3,816 times

Last updated: Dec 15 '20

Related questions

Update the Wireshark OUI manufacturer database?

Dell Latitude 3580 is dead after Wireshark first start