Is there a way to view what machine utilized the packet capture for the trace file?

Identifying what machine was used for the packet capture.

mr.pktsniffer
asked 2020-12-15 06:51:16 +0000


1 Answer

Only if 1) the machine doing the capture recorded that information and 2) it's recorded in a form that Wireshark understands.

The pcapng file format supports recording, in the capture file:

  • a text string describing the hardware on which the capture was done;
  • a text string describing the operating system (or other system firmware/software) that hardware was running;
  • a text string describing the application that wrote the capture file;

and Wireshark will display that in the Statistics > Capture File Properties dialog box.

For example, in a capture file I just opened, selecting "Capture File Properties" from the "Statistics" menu reports, among other things:

Hardware: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz (with SSE4.2)
OS: Linux 4.3.0-1-amd64
Application: Dumpcap (Wireshark) 2.5.0 (v2.5.0rc0-1906-gb3f0004a)

in that dialog box.

Guy Harris
answered 2020-12-15 08:27:14 +0000
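As an added example (not code from the answer above or from Wireshark itself), here is a small Python parser for the pcapng Section Header Block that pulls out exactly the three strings the answer describes: the shb_hardware, shb_os and shb_userappl options (option codes 2, 3 and 4 in the pcapng specification). It handles both byte orders and returns an empty result when the capturing machine recorded none of them; the sample file is constructed inline from the strings quoted above.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block; same bytes in either byte order
BYTE_ORDER_MAGIC = 0x1A2B3C4D
SHB_OPTIONS = {2: "Hardware", 3: "OS", 4: "Application"}  # shb_hardware, shb_os, shb_userappl


def build_shb(options, end="<"):
    """Construct a sample SHB (no packet blocks); options maps code -> text."""
    body = b""
    for code, text in options.items():
        value = text.encode("utf-8")
        body += struct.pack(end + "HH", code, len(value)) + value
        body += b"\x00" * ((4 - len(value) % 4) % 4)   # option values are padded to 32 bits
    body += struct.pack(end + "HH", 0, 0)               # opt_endofopt
    total = 28 + len(body)   # 24 bytes of fixed header + options + trailing length field
    header = struct.pack(end + "IIIHHq", SHB_TYPE, total, BYTE_ORDER_MAGIC, 1, 0, -1)
    return header + body + struct.pack(end + "I", total)


def read_shb_options(data):
    """Return hardware/OS/application strings from the first SHB, or {} if none recorded."""
    if len(data) < 28 or data[:4] != b"\x0a\x0d\x0d\x0a":
        raise ValueError("not a pcapng file: no Section Header Block at offset 0")
    if data[8:12] == b"\x4d\x3c\x2b\x1a":      # byte-order magic, little-endian writer
        end = "<"
    elif data[8:12] == b"\x1a\x2b\x3c\x4d":    # big-endian writer
        end = ">"
    else:
        raise ValueError("bad byte-order magic")
    total, = struct.unpack(end + "I", data[4:8])
    if total < 28 or total % 4 or total > len(data):
        raise ValueError("bad block total length")
    found, pos = {}, 24
    while pos + 4 <= total - 4:
        code, length = struct.unpack(end + "HH", data[pos:pos + 4])
        pos += 4
        if code == 0:                          # opt_endofopt
            break
        if pos + length > total - 4:
            raise ValueError("option value runs past end of block")
        if code in SHB_OPTIONS:
            found[SHB_OPTIONS[code]] = data[pos:pos + length].decode("utf-8", "replace")
        pos += length + (4 - length % 4) % 4   # skip value and its padding
    return found


# Constructed sample using the strings the answer quotes from Wireshark's dialog
SAMPLE = build_shb({2: "Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz (with SSE4.2)",
                    3: "Linux 4.3.0-1-amd64",
                    4: "Dumpcap (Wireshark) 2.5.0 (v2.5.0rc0-1906-gb3f0004a)"})
```

Run against a real file with `read_shb_options(open("capture.pcapng", "rb").read())`; a capture written by a tool that sets none of these options yields `{}`, which is the "only if the machine recorded it" case from the answer.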

Comments

There are possibly some clues in the capture file that can provide evidence to support, though may not prove, that a particular host actually made this particular capture.

  1. Look for frames that are smaller than 60 bytes in size. On the wire, the minimum frame size for Ethernet is 60 bytes + 4-byte FCS, so if you see, say, 42-byte ARP frames, they likely did not come across the wire but were generated locally on the box taking the capture.
  2. IGMP - if the infrastructure has a properly functioning IGMP implementation, a host capturing traffic on its interface should see IGMP queries from the network and only its reports.

There are ways to make these break, but they are general rules of thumb. Wireless capture can change the minimum frame size observed; sniffing on a bridge, say from a VM, may not have IGMP running so could show all of the reports from ... (more)

Bob Jones (2020-12-15 10:38:54 +0000)
