Is there a way to view what machine utilized the packet capture for the trace file?
Identifying what machine was used for the packet capture.
Identifying what machine was used for the packet capture.
Only if 1) the machine doing the capture recorded that information and 2) it's recorded in a form that Wireshark understands.
The pcapng file format supports recording, in the capture file:
and Wireshark will display that in the Statistics > Capture File Properties dialog box.
For example, in a capture file I just opened, selecting "Capture File Properties" from the "Statistics" menu reports, among other things:
Hardware: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz (with SSE4.2)
OS: Linux 4.3.0-1-amd64
Application: Dumpcap (Wireshark) 2.5.0 (v2.5.0rc0-1906-gb3f0004a)
in that dialog box.
There are possibly some clues in the capture file that can provide evidence to support, though may not prove, that a particular host actually made this particular capture.
There are ways to make these break but are general rules of thumb. Wireless capture can change the minimum frame size observed; sniffing on a bridge, say from a VM, may not have IGMP running so could show all of the reports from ...(more)
Please start posting anonymously - your entry will be published after you log in or create a new account.
Asked: 2020-12-15 06:51:16 +0000
Seen: 3,714 times
Last updated: Dec 15 '20