
Is there a way to view what machine utilized the packet capture for the trace file?

asked Dec 15 '0

Identifying what machine was used for the packet capture.


1 Answer


answered Dec 15 '0

Guy Harris

Only if 1) the machine doing the capture recorded that information and 2) it's recorded in a form that Wireshark understands.

The pcapng file format supports recording, in the capture file:

  • a text string describing the hardware on which the capture was done;
  • a text string describing the operating system (or other system firmware/software) that hardware was running;
  • a text string describing the application that wrote the capture file;

and Wireshark will display that in the Statistics > Capture File Properties dialog box.

For example, in a capture file I just opened, selecting "Capture File Properties" from the "Statistics" menu reports, among other things:

Hardware: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz (with SSE4.2)
OS: Linux 4.3.0-1-amd64
Application: Dumpcap (Wireshark) 2.5.0 (v2.5.0rc0-1906-gb3f0004a)

in that dialog box.


Comments

There are possibly some clues in the capture file that can provide evidence to support, though may not prove, that a particular host actually made this particular capture.

  1. Look for frames that are smaller than 60 bytes in size. On the wire, the minimum frame size for Ethernet is 60 bytes + 4-byte FCS, so if you see, say, 42-byte ARP frames, they likely did not come across the wire but were generated locally on the box taking the capture.
  2. IGMP - if the infrastructure has a properly functioning IGMP implementation, a host capturing traffic on its interface should see IGMP queries from the network and only its own reports.

There are ways to make these break, but they are general rules of thumb. Wireless capture can change the minimum frame size observed; sniffing on a bridge, say from a VM, may not have IGMP running so could show all of the reports from ...

Bob Jones (Dec 15 '0)
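As an added example (not code from the question, the answer or the comments above), the following Python script reads the pcapng Section Header Block options that Guy Harris's answer refers to (shb_hardware, shb_os and shb_userappl, option codes 2, 3 and 4 in the pcapng specification) directly from the file bytes, and applies Bob Jones's first heuristic by flagging Enhanced Packet Blocks whose recorded original length is below the 60-byte Ethernet minimum. The sample capture is constructed in memory by the script itself; the hardware, OS and application strings in it are made up and are not taken from any real capture.

```python
import struct

# Block types, magic and option codes as defined in the pcapng specification.
SHB_TYPE = 0x0A0D0D0A          # Section Header Block
IDB_TYPE = 0x00000001          # Interface Description Block
EPB_TYPE = 0x00000006          # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT = 0
SHB_HARDWARE = 2
SHB_OS = 3
SHB_USERAPPL = 4
ETHERNET_MIN_FRAME = 60        # minimum on-the-wire frame size, FCS not included


def _pad4(n):
    return (n + 3) & ~3


def _options(data, endian):
    """Parse a pcapng option list into {code: [raw values...]}, stopping at opt_endofopt."""
    opts = {}
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack(endian + "HH", data[off:off + 4])
        off += 4
        if code == OPT_ENDOFOPT:
            break
        opts.setdefault(code, []).append(data[off:off + length])
        off += _pad4(length)   # option values are padded to a 4-byte boundary
    return opts


def parse_pcapng(buf):
    """Return (capture_info, frames) where capture_info holds the SHB hardware/os/application
    strings (None when the writer did not record them) and frames is a list of
    (captured_length, original_length) tuples taken from the Enhanced Packet Blocks."""
    endian = "<"
    info = {"hardware": None, "os": None, "application": None}
    frames = []
    off = 0
    while off + 8 <= len(buf):
        # The SHB type value is byte-order independent; its magic tells us the endianness.
        if struct.unpack("<I", buf[off:off + 4])[0] == SHB_TYPE:
            magic = buf[off + 8:off + 12]
            endian = "<" if magic == struct.pack("<I", BYTE_ORDER_MAGIC) else ">"
        btype, total = struct.unpack(endian + "II", buf[off:off + 8])
        if total < 12 or off + total > len(buf):
            raise ValueError("corrupt block length at offset %d" % off)
        body = buf[off + 8:off + total - 4]
        if btype == SHB_TYPE:
            # magic(4) major(2) minor(2) section_length(8), then options
            opts = _options(body[16:], endian)
            for key, code in (("hardware", SHB_HARDWARE), ("os", SHB_OS),
                              ("application", SHB_USERAPPL)):
                if code in opts:   # the spec says only the first instance counts
                    info[key] = opts[code][0].decode("utf-8", "replace")
        elif btype == EPB_TYPE:
            _ifid, _ts_hi, _ts_lo, caplen, origlen = struct.unpack(endian + "IIIII", body[:20])
            frames.append((caplen, origlen))
        off += total
    return info, frames


def locally_generated_candidates(frames):
    """Indices of frames whose original length is below the Ethernet minimum: such frames
    were most likely generated on the capturing host rather than received from the wire."""
    return [i for i, (_, origlen) in enumerate(frames) if origlen < ETHERNET_MIN_FRAME]


# --- constructed sample capture (not a real file) ---------------------------------

def _opt(code, value):
    value = value.encode() if isinstance(value, str) else value
    return struct.pack("<HH", code, len(value)) + value + b"\0" * (_pad4(len(value)) - len(value))


def _block(btype, body):
    total = 12 + len(body)   # type + total length + body + trailing total length
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def build_sample_pcapng():
    """SHB with hardware/OS/application options, one Ethernet IDB, a 42-byte ARP-sized
    frame (locally generated) and a 74-byte frame (plausibly from the wire)."""
    shb = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)
    shb += _opt(SHB_HARDWARE, "Example CPU (constructed)")
    shb += _opt(SHB_OS, "Linux 4.3.0-1-amd64")
    shb += _opt(SHB_USERAPPL, "Dumpcap (Wireshark) 2.5.0")
    shb += _opt(OPT_ENDOFOPT, b"")
    idb = struct.pack("<HHI", 1, 0, 262144) + _opt(OPT_ENDOFOPT, b"")   # LINKTYPE_ETHERNET

    def epb(payload):
        hdr = struct.pack("<IIIII", 0, 0, 0, len(payload), len(payload))
        return _block(EPB_TYPE, hdr + payload + b"\0" * (_pad4(len(payload)) - len(payload)))

    return _block(SHB_TYPE, shb) + _block(IDB_TYPE, idb) + epb(bytes(42)) + epb(bytes(74))


if __name__ == "__main__":
    info, frames = parse_pcapng(build_sample_pcapng())
    print(info)
    print("frames:", frames, "sub-minimum:", locally_generated_candidates(frames))
```

The parser only consults the first instance of each SHB option, as the specification requires, and reports None when the writer did not record a field, which is the common case for files converted from classic pcap, where nothing about the capturing machine survives at all.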

Stats

Asked: Dec 15 '0

Seen: 3,807 times

Last updated: Dec 15 '20