Confusing swap of text2pcap in/outbound addresses

asked 2024-06-24 12:50:15 +0000


Hi Forum,

I've been working with some SCTP dumps printed by Chrome logs, using text2pcap -D -i 132 to have it prepend a dummy IP header, and I am confused (and curious!) about why Wireshark flips the source/destination addresses for the outbound case, instead of the inbound one.

A couple of packets printed by Chrome in its logs would look like this:

O 22:50:10.356 0000 13 88 13 88 00 00 00 00 (...) # SCTP_PACKET DcSctpTransport0
I 22:50:10.356 0000 13 88 13 88 00 00 00 00 (...) # SCTP_PACKET DcSctpTransport0

Actual payloads don't matter. The thing is that this ends up showing like this in Wireshark:

 No. |      Src |      Dst
   1 | 10.2.2.2 | 10.1.1.1
   2 | 10.1.1.1 | 10.2.2.2

I am just wanting to learn here (and maybe help any interested readers in the future) and understand better:

Why is the Outbound direction flipped instead of the Inbound?

My thought is that, given that this is a capture generated from an application (Chrome in this case), the local side, "us", should be the source address for Outbound packets (10.1.1.1), and the remote side should be the outbound destination (10.2.2.2). By that logic, it is the Inbound ones that should have the addresses swapped. But Wireshark does the opposite of what I'd find intuitive.

I did my research; this has been the case since commit 6022ea71 (Flip MAC and IP addresses, and TCP/UDP/SCTP ports, for outgoing packets), which ended up evolving into this code. However, the reasoning behind flipping the outbound instead of the inbound has been kind of lost, it seems (https://code.wireshark.org/ is dead).

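To make the swap concrete, here is an added example (not code from the poster or from the Wireshark project) that parses Chrome's one-line-per-packet SCTP log format and models the address assignment the question describes: the dummy endpoints 10.1.1.1 and 10.2.2.2 are taken from the Src/Dst table in the post, the swap of the prepended IP source/destination for "O" lines is the observed text2pcap -D behaviour, and the ports are decoded from the RFC 4960 common header that Chrome already logged (text2pcap only prepends an IP header, so those bytes are not touched). The log lines are constructed samples with a full 12-byte common header.

```python
import re
import struct
from dataclasses import dataclass

# Dummy endpoints that appear in the post's Wireshark table (assumed from
# that table). Inbound packets are rendered as LOCAL -> REMOTE.
DUMMY_LOCAL = "10.1.1.1"
DUMMY_REMOTE = "10.2.2.2"

# Constructed sample: one Chrome SCTP log line per packet, carrying a full
# 12-byte SCTP common header (src port, dst port, verification tag, checksum).
SAMPLE_LOG = """\
O 22:50:10.356 0000 13 88 13 88 de ad be ef 00 00 00 00 # SCTP_PACKET DcSctpTransport0
I 22:50:10.357 0000 13 88 13 88 ca fe f0 0d 00 00 00 00 # SCTP_PACKET DcSctpTransport0
"""

LINE_RE = re.compile(
    r"^(?P<dir>[IO])\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<off>[0-9a-fA-F]{4})\s+"
    r"(?P<hex>[0-9a-fA-F]{2}(?:\s+[0-9a-fA-F]{2})*)"
)


@dataclass
class Packet:
    direction: str       # "I" inbound, "O" outbound, as printed by Chrome
    timestamp: str
    payload: bytes       # raw SCTP bytes exactly as logged
    src_ip: str          # dummy IPv4 address after the text2pcap -D flip
    dst_ip: str
    src_port: int        # decoded from the SCTP common header in the payload
    dst_port: int
    verification_tag: int


def dummy_addresses(direction: str) -> tuple:
    """Model the behaviour the post describes: the prepended dummy IP
    source/destination is swapped for outbound ('O') packets and left as
    LOCAL -> REMOTE for inbound ('I') packets."""
    if direction == "O":
        return DUMMY_REMOTE, DUMMY_LOCAL
    return DUMMY_LOCAL, DUMMY_REMOTE


def parse_chrome_sctp_log(text: str) -> list:
    packets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop Chrome's trailing comment
        m = LINE_RE.match(line)
        if not m:
            continue                            # not a packet line
        payload = bytes.fromhex(m["hex"].replace(" ", ""))
        if len(payload) < 12:
            raise ValueError(f"SCTP common header truncated: {line!r}")
        # RFC 4960 common header: src port, dst port, vtag, checksum (big endian).
        # Only the IP header is prepended by text2pcap, so these are never flipped.
        sport, dport, vtag, _cksum = struct.unpack("!HHII", payload[:12])
        src_ip, dst_ip = dummy_addresses(m["dir"])
        packets.append(Packet(m["dir"], m["ts"], payload, src_ip, dst_ip,
                              sport, dport, vtag))
    return packets


def render_table(packets: list) -> str:
    """Reproduce the Src/Dst column view from the post, plus the direction."""
    rows = [" No. |      Src |      Dst | Dir"]
    for n, p in enumerate(packets, 1):
        rows.append(f"{n:>4} | {p.src_ip:>8} | {p.dst_ip:>8} | {p.direction}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(parse_chrome_sctp_log(SAMPLE_LOG)))
```

Running it prints the same two rows as the post's table: packet 1 (outbound) appears as 10.2.2.2 -> 10.1.1.1 and packet 2 (inbound) as 10.1.1.1 -> 10.2.2.2, while both packets keep SCTP port 5000 (0x1388) on each side because the ports live in the logged payload, not in the generated header.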