I have some pcap files that I am processing with this command:
tshark -T fields -E header=y -e ip.src -e ip.dst
Results are mostly from private network space, but many entries have two ip addresses in the src and dst fields, example below. What does this mean?
ip.src ip.dst
10.5.1.17,10.43.102.241 10.5.1.193,10.10.104.210
Another protocol in the packet includes those fields.
An easy way to recreate this is to make a capture of a traceroute (tracert on Windows).
In this example I added -e frame.number which would help to inspect the packet in the Wireshark gui.
Intermediate devices will return a Type: 11 (Time-to-live exceeded) message that includes the IP header of the outgoing message. (see rfc792)
$ tshark.exe -r ./210615_traceroute.pcapng -T fields -E header=y -e frame.number -e ip.src -e ip.dst frame.number ip.src ip.dst 1 192.168.200.135 8.8.8.8 2 192.168.200.1,192.168.200.135 192.168.200.135,8.8.8.8 3 192.168.200.135 8.8.8.8 4 192.168.200.1,192.168.200.135 192.168.200.135,8.8.8.8 5 192.168.200.135 8.8.8.8 6 192.168.200.1,192.168.200.135 192.168.200.135,8.8.8.8 7 192.168.200.135 8.8.8.8 8 192.168.10.111,192.168.200.135 192.168.200.135,8.8.8.8 9 192.168.200.135 8.8.8.8
Frame #1 left a system (.135) headed for Google (8.8.8.8) with a TTL of 1 which the gateway router (.1) decremented. The resulting value of 0 caused the router (.1) to send a ICMP Type 11 back in frame #2.
Frame #2 has a source of .1 (the router) and destination (.135) of the system making the traceroute request. The additional IP addresses in Frame #2 are the addresses from Frame #1 (the outgoing request).
traceroute does this three times (the * * * in traceroute output), increments the TTL and tries again.
Rinse and repeat in Frame #7 with a TTL of 2 which the 2nd hop (10.111) sends back in Frame #8.
ICMP type 3 and 11 messages are sent with a brief explanation. As explain in the previous comment, packet 1 ttl was 1. The device at 192.168.200.1 tells 192.168.200.135, it dropped the packet because of ttl. In the message, it includes the original source and destination IP addresses, and ports. Wireshark is reporting both addresses.
If you like, start a Wireshark capture on your computer and then do a traceroute to 8.8.8.8. Analyzing the ICMP type 11 message, there will be the outside IP addresses and then original addresses.
I included ICMP type 3 messages, because they use a similiar format.
If you are not interested in seeing the second addresses, you can try the tshark -E occurrence option
Asked: 2021-06-15 20:15:48 +0000
Seen: 1,277 times
Last updated: Jun 15 '21
