On Aug 21, 2014, at 1:30 AM, Vishnu Bhatt <[email protected]> wrote:

> Hello,
>
> I have a pcap file and I want to know on which machine the file has been 
> captured.
> Is there a way to know the MAC or IP address of the machine/switch on which 
> the file has been taken?

Not reliably; the pcap file format:

        http://www.tcpdump.org/manpages/pcap-savefile.5.html

does not include any information to identify the machine on which the file has 
been captured.

You *might* be able to infer it by looking for, for example, packets less than 
60 bytes in an Ethernet capture, as those are probably outgoing packets, in 
which case the source MAC address will be the MAC address of the interface on 
which the packet was sent out.  There's no guarantee that this will work, 
however.

For a pcap-ng file:

        http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

the Section Header Block might give some information about the machine on which 
the packet capture was done, and the Interface Description Blocks (possibly 
plural!) might give the IP and/or MAC addresses of the interfaces on which the 
capture was done, but those are all options and are not guaranteed to be in the 
capture file, so you might have to rely on hacks such as the one I described 
above for pcap files.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
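The short-frame heuristic from the reply above, as an added example that is not part of the original thread: it walks a classic pcap file, keeps only Ethernet frames whose on-wire length is below the 60-byte minimum (frames the NIC had not yet padded, so most likely sent by the capturing host) and tallies their source MAC addresses. The sample capture is constructed inline; the function names are this example's own.

```python
import struct
from collections import Counter

DLT_EN10MB = 1       # pcap link type for Ethernet
MIN_ETH_FRAME = 60   # minimum Ethernet frame without FCS; received frames are padded to this

def _byte_order(magic):
    # Classic pcap magic (micro- or nanosecond variant) in either byte order.
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        return "<"
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        return ">"
    raise ValueError("not a classic pcap file (pcap-ng has a different header)")

def iter_pcap(data):
    """Yield (orig_len, frame) for each record of a classic Ethernet pcap."""
    order = _byte_order(data[:4])
    linktype = struct.unpack(order + "IHHiIII", data[:24])[6]
    if linktype != DLT_EN10MB:
        raise ValueError("heuristic only applies to Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield orig_len, data[off:off + incl_len]
        off += incl_len

def likely_capture_macs(data):
    """Count source MACs of frames shorter than 60 bytes on the wire.
    Frames captured before padding were almost certainly transmitted by the
    capturing host, so the most common source MAC is a candidate for the
    capturing interface. It is only a hint: a capture taken on a SPAN port or
    tap sees padded frames only, and a host that never sends short frames
    yields an empty Counter."""
    counts = Counter()
    for orig_len, frame in iter_pcap(data):
        if orig_len < MIN_ETH_FRAME and len(frame) >= 14:
            counts[":".join(f"{b:02x}" for b in frame[6:12])] += 1
    return counts

def build_pcap(frames):
    """Constructed little-endian pcap (Ethernet, snaplen 65535) from raw frames."""
    header = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def sample_capture():
    """Constructed sample: host 00:11:22:33:44:55 talks to peer aa:bb:cc:dd:ee:ff."""
    host, peer = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
    eth = lambda dst, src, n: dst + src + b"\x08\x00" + b"\x00" * n
    # 42- and 44-byte outgoing frames (unpadded), 60- and 114-byte incoming ones.
    return build_pcap([eth(peer, host, 28), eth(host, peer, 46),
                       eth(peer, host, 30), eth(host, peer, 100)])

if __name__ == "__main__":
    print(likely_capture_macs(sample_capture()).most_common(1))
```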