In diary entry "TShark & jq", I mention that a single packet can have more than one ip.src entry. I will illustrate this here. We are looking at a capture of network traffic where TCP SYN packets can not be delivered: "Destination unreachable". Here is the view with TShark: Notice TCP packets going from 192.168.10.10 to 192.168.10.1, and ICMP packets going from 192.168.10.1 to 192.168.10.10. If we run a TShark command to extract all ip.src values, we get this: For ICMP packets, we have 2 IPv4 addresses for the ip.src field: 192.168.10.1 and 192.168.10.10. This is happening, because the ICMP packet embeds the IP packet to which it is replying. You can see this here in Wireshark: The ICMP packet, encapsulated in an IP packet, has ip.src value of 192.168.10.1. But it also embeds the IP packet (with TCP) to which it is replying. That one has a src.ip value equal to 192.168.10.10. These are different fields, but both are accessed via ip.src and yield different values.
Didier Stevens |
DidierStevens 638 Posts ISC Handler Feb 28th 2022 |
Thread locked Subscribe |
Feb 28th 2022 2 months ago |
Sign Up for Free or Log In to start participating in the conversation!