
Why are there two ip addresses in the ip.src field?

I have some pcap files that I am processing with this command:

tshark -T fields -E header=y -e ip.src -e ip.dst

Results are mostly from private network space, but many entries have two ip addresses in the src and dst fields, example below. What does this mean?

ip.src                                ip.dst
10.5.1.17,10.43.102.241   10.5.1.193,10.10.104.210
asked by KLH, 2021-06-15 20:15:48 +0000


1 Answer


Another protocol in the packet includes those fields.
An easy way to recreate this is to make a capture of a traceroute (tracert on Windows).
In this example I added -e frame.number, which helps to inspect the packet in the Wireshark GUI.

Intermediate devices will return a Type: 11 (Time-to-live exceeded) message that includes the IP header of the outgoing message (see RFC 792).

$ tshark.exe -r ./210615_traceroute.pcapng -T fields -E header=y -e frame.number -e ip.src -e ip.dst
frame.number    ip.src  ip.dst
1       192.168.200.135 8.8.8.8
2       192.168.200.1,192.168.200.135   192.168.200.135,8.8.8.8
3       192.168.200.135 8.8.8.8
4       192.168.200.1,192.168.200.135   192.168.200.135,8.8.8.8
5       192.168.200.135 8.8.8.8
6       192.168.200.1,192.168.200.135   192.168.200.135,8.8.8.8
7       192.168.200.135 8.8.8.8
8       192.168.10.111,192.168.200.135  192.168.200.135,8.8.8.8
9       192.168.200.135 8.8.8.8
Frame #1 left a system (.135) headed for Google (8.8.8.8) with a TTL of 1, which the gateway router (.1) decremented. The resulting value of 0 caused the router (.1) to send an ICMP Type 11 back in frame #2.
Frame #2 has a source of .1 (the router) and a destination of .135 (the system making the traceroute request). The additional IP addresses in Frame #2 are the addresses from Frame #1 (the outgoing request).

traceroute does this three times (the * * * in the traceroute output), then increments the TTL and tries again.
Rinse and repeat in Frame #7 with a TTL of 2, which the 2nd hop (10.111) sends back in Frame #8.

answered by Chuckc, 2021-06-15 21:28:21 +0000, updated 2021-06-15 21:41:31 +0000
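To make the "two addresses" behaviour concrete, here is an added Python example (not code from the answer or from the Wireshark project) that constructs a UDP traceroute probe and the ICMP Type 11 reply quoting it, then extracts ip.src and ip.dst the way tshark -T fields does: every occurrence of the field, comma-joined. The packet bytes are constructed for the example, not taken from a real capture, and checksums are left zero.

```python
import struct
import ipaddress

ICMP_PROTO = 1
# ICMP types whose body quotes the original IP header plus the first 8 payload bytes (RFC 792)
QUOTING_ICMP_TYPES = {3, 4, 5, 11, 12}

def build_ipv4_header(src, dst, proto, ttl, payload_len):
    """Constructed minimal IPv4 header: IHL=5, no options, checksum left zero for this example."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4_header(buf, offset=0):
    """Pull the fields we care about out of an IPv4 header starting at buf[offset]."""
    ihl = (buf[offset] & 0x0F) * 4
    return {
        "hdr_len": ihl,
        "ttl": buf[offset + 8],
        "proto": buf[offset + 9],
        "src": str(ipaddress.IPv4Address(buf[offset + 12:offset + 16])),
        "dst": str(ipaddress.IPv4Address(buf[offset + 16:offset + 20])),
    }

def ip_fields(frame):
    """Return (ip.src, ip.dst) as tshark -T fields prints them: all occurrences, comma-joined."""
    outer = parse_ipv4_header(frame)
    srcs, dsts = [outer["src"]], [outer["dst"]]
    if outer["proto"] == ICMP_PROTO:
        icmp = frame[outer["hdr_len"]:]
        if icmp[0] in QUOTING_ICMP_TYPES:
            # the quoted original datagram starts right after the 8-byte ICMP header
            inner = parse_ipv4_header(icmp, 8)
            srcs.append(inner["src"])
            dsts.append(inner["dst"])
    return ",".join(srcs), ",".join(dsts)

def first_occurrence(fields):
    """What tshark -E occurrence=f prints: only the outer header's addresses."""
    return tuple(f.split(",")[0] for f in fields)

# Constructed frames mirroring frames 1 and 2 of the traceroute above (not a real capture).
UDP_PROBE = struct.pack("!HHHH", 33434, 33435, 16, 0) + b"\x00" * 8          # 8-byte UDP header + 8 bytes
FRAME1 = build_ipv4_header("192.168.200.135", "8.8.8.8", 17, 1, len(UDP_PROBE)) + UDP_PROBE
TIME_EXCEEDED = struct.pack("!BBHI", 11, 0, 0, 0) + FRAME1[:28]               # type 11, code 0, quoted IP hdr + 8 bytes
FRAME2 = build_ipv4_header("192.168.200.1", "192.168.200.135", ICMP_PROTO, 64, len(TIME_EXCEEDED)) + TIME_EXCEEDED

if __name__ == "__main__":
    for number, frame in enumerate((FRAME1, FRAME2), 1):
        print(number, *ip_fields(frame), sep="\t")
```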

Comments

ICMP type 3 and 11 messages are sent with a brief explanation. As explained in the previous comment, packet 1's TTL was 1. The device at 192.168.200.1 tells 192.168.200.135 it dropped the packet because of the TTL. In the message, it includes the original source and destination IP addresses, and ports. Wireshark is reporting both addresses.

If you like, start a Wireshark capture on your computer and then do a traceroute to 8.8.8.8. Analyzing the ICMP type 11 message, there will be the outside IP addresses and then original addresses.

I included ICMP type 3 messages, because they use a similar format.

If you are not interested in seeing the second addresses, you can try the tshark -E occurrence option.

BigFatCat (2021-06-15 22:33:08 +0000)
