Ask Your Question
0

The ip-address of a pcap file “question”

asked 2018-05-09 18:45:43 +0000

QuestionMark123 gravatar image

Hi everyone,

I'm an beginning IT student with zero wireshark knowledge. The objective is to find "interesting" activities in a pcap file we've received from school. First of all I need to find out what the IP-address is of the person who owned the pcap file.

I've already found multiple addresses and a few that show up a lot (one of those are probably the IP-address I'm looking for). Any Idea how I can find that.

edit retag flag offensive close merge delete

Comments

What do you mean by "the IP-address ... of the person who owned the pcap file"? Do you mean "the IP address of the machine on which the capture was done"?

Guy Harris gravatar imageGuy Harris ( 2018-05-09 21:39:54 +0000 )edit

Yes that’s right! I’m looking for the ip address of the person who did the capturing!

QuestionMark123 gravatar imageQuestionMark123 ( 2018-05-10 05:52:49 +0000 )edit
add a comment

2 Answers

Sort by » oldest newest most voted
0

answered 2025-12-03 09:46:03 +0000

grahamb gravatar image

Open the capture file and then use the menu item Statistics -> Capture File Properties. Amongst the data displayed is info about the capture. Unfortunately it doesn't contain any info about the "user" who made the capture.

If you display the Statistics -> Conversations dialog you may be able to identify the device sending the most packets which is likely what you want.

edit flag offensive delete link more
add a comment
0

answered 2025-12-02 12:22:43 +0000

gielo gravatar image

Wireshark does not need an IP address to capture traffic as it is just listening to the selected NIC interface. The reason why I am saying this is when you use a port mirror on a switch the interface will be active but you cannot seize an IP address from the DHCP server, as a port mirror is just one way traffic to the Wirehark PC. The same applies when you are using a TAP which allows for inline capturing of traffic

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-05-09 18:45:43 +0000

Seen: 1,346 times

Last updated: Dec 03

Related questions

How to set packet metadata in realtime?

Domain Client Restartup - Ultimate Challenge

How to convert Pcapng file to pcap file by Tshark

Where are IP headers in Monitor mode capture?

Crashing Wireshark: Enter ip.host==10.x.

Unique IP addresses

how to get unique ip address had udp length = 94 using tshark

On Windows, how can I get a list of source IP addresses in network traffic with duplicates removed?

How to find external device's subnet when IP is known?

lua dissector ip address subnet