
Determine the Packet Direction (Inbound or Outbound)

Hello :) I'd like to ask what is the best way to determine if a packet direction is inbound or outbound by using Wireshark or pyshark?

Currently I tried two ways: the first one is based on the source and destination IP address of the packets (the packet is outbound if the source IP is the PC IP), while the second one is based on the port numbers (the packet is outbound if the source port number is less than 1024, and the destination port number is more than 1023). However, in both cases, I got exceptions in my captured files.

I wonder if there's any better way to determine the direction of the captured packet? Thanks a lot.

Artemis
asked 2020-07-27 16:12:27 +0000

Comments

Can you go down a layer and look at the MAC addresses in the Ethernet header?

Chuckc (2020-07-27 16:26:57 +0000)

Thank you for the kind insight, I will try this way to see if it works better.

Artemis (2020-07-27 16:36:04 +0000)

Hello, did you find a solution? I am trying to solve this problem but till now I did find one. Please, if you have an idea how to determine whether the packet is inbound or outbound, help me! Thank you.

omar (2021-10-06 11:41:04 +0000)

1 Answer


Artemis,

There are a few ways you can determine if it is inbound or outbound.

  1. By looking in the Source or Destination fields in the packet count pane (tried uploading a picture to assist in locating, but can't post pictures yet).

  2. By looking for "src" or "dst" followed by the IP Address in the details pane of a packet (src = Source, dst = Destination).

  3. Conventionally, if you are looking at the hexdump of a packet, the Source IP Address will come first, followed by the Destination IP Address.

Note: I wouldn't advise determining the orientation of the packet by using the Source or Destination port. It is very likely that common ports are used, but it's not always the case. Protocols can go over virtually any port number in the port range (e.g. HTTP over 8080 which is greater than 1024).

Hope this helps.

zchbrsn
answered 2020-07-27 17:46:08 +0000
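
The address-based approach from the comment and answer above, as an added example that is not part of the original thread: it classifies raw Ethernet frames against the capturing host's own MAC addresses, falls back to IPv4 addresses when no MAC matches, and covers the cases a plain inbound/outbound split has to account for (broadcast frames, other hosts' traffic in a promiscuous capture). The function names and all addresses are constructed for illustration, and frames are assumed to be untagged Ethernet II.

```python
import socket
import struct

GROUP_BIT = 0x01  # set in the first destination MAC octet for broadcast/multicast

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def direction(frame, host_macs, host_ips=frozenset()):
    """Classify one untagged Ethernet II frame relative to the capturing host."""
    dst_mac, src_mac = fmt_mac(frame[0:6]), fmt_mac(frame[6:12])
    from_us, to_us = src_mac in host_macs, dst_mac in host_macs
    ethertype = struct.unpack("!H", frame[12:14])[0]
    # Fall back to IPv4 addresses only when the MAC check is inconclusive.
    # Ethernet header is 14 bytes; IPv4 source is at 26..30, destination at 30..34.
    if not (from_us or to_us) and ethertype == 0x0800 and len(frame) >= 34:
        from_us = socket.inet_ntoa(frame[26:30]) in host_ips
        to_us = socket.inet_ntoa(frame[30:34]) in host_ips
    if from_us and to_us:
        return "local"
    if from_us:
        return "outbound"
    if to_us or frame[0] & GROUP_BIT:
        return "inbound"
    return "transit"  # promiscuous or mirror-port capture: not this host's traffic

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Construct a minimal Ethernet + IPv4 header for the samples below."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 6, 0)
    return eth + ip + socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)

# Constructed sample values (not taken from the thread).
HOST_MAC, GW_MAC, PEER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:fe", "02:00:00:00:00:02"
HOST_IP, PEER_IP, REMOTE_IP = "192.168.1.10", "192.168.1.20", "203.0.113.5"
SAMPLES = {
    "request": build_frame(GW_MAC, HOST_MAC, HOST_IP, REMOTE_IP),
    "reply": build_frame(HOST_MAC, GW_MAC, REMOTE_IP, HOST_IP),
    "broadcast": build_frame("ff:ff:ff:ff:ff:ff", PEER_MAC, PEER_IP, "192.168.1.255"),
    "other host": build_frame(GW_MAC, PEER_MAC, PEER_IP, REMOTE_IP),
}

def classify_samples():
    return {name: direction(f, {HOST_MAC}) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:10} -> {result}")
```

With pyshark, the same comparison can be made on each packet's `eth.src` and `eth.dst` fields instead of raw bytes.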