Tags: network-programming, wireshark, pcap, tshark

Comma separated IP addresses in TShark output


I have a bunch of PCAPs that I am dissecting programmatically using TShark. Some example bash code:

tshark -r my_pcap.pcap -2 -T fields -E separator=/t \
    -e frame.time_epoch \
    -e ip.src \
    -e ip.dst \
    -e frame.protocols \
    > my_output.tsv

Occasionally, I will get output where the ip.src and ip.dst fields have two IP addresses, separated by a comma (e.g., 192.168.19.1,192.168.10.10). I've got two questions:

  1. What is happening to produce such an output? Are there specific situations in which this will occur?
  2. Is there a best practice to handle this to ensure accurate information and/or retain maximum information?

Solution

  • To answer your first question: There may be more than one source and destination IP address pair due to such things as tunneling protocols (IP/GRE/IP, for example) or certain ICMP error messages, such as "Destination Unreachable" messages, which, as stated in RFC 792, include "the internet header plus the first 64 bits of the original datagram's data" in their payload.

    I don't understand what you mean by your second question regarding best practices.
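As an added illustration (not part of the question or the answer above), the script below parses the TSV produced by the question's tshark command and splits a multi-valued ip.src / ip.dst cell into one value per IP header, outermost header first, which is the order TShark emits repeated field occurrences. The sample rows are constructed to mimic the two cases the answer names (an IP/GRE/IP tunnel and an ICMP Destination Unreachable quoting the original header) plus a frame with no IP layer; the `FrameRecord` class and helper names are this example's own. The consistency check compares the number of addresses with the number of `ip` tokens in frame.protocols, which is a cheap way to confirm that a comma really means a nested header and not a malformed row.

```python
#!/usr/bin/env python3
"""Parse TShark '-T fields' output whose ip.src / ip.dst columns may carry
several comma-separated values, one per IP header found in the frame."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rows (not real capture data). Column order follows the
# tshark command in the question: frame.time_epoch, ip.src, ip.dst,
# frame.protocols. Row 2 mimics an IP/GRE/IP tunnel, row 3 an ICMP
# Destination Unreachable carrying the offending datagram's IP header,
# row 4 an ARP frame with no IP layer at all (empty ip.src / ip.dst).
SAMPLE_TSV = (
    "1700000000.100000\t192.168.19.1\t192.168.10.10\teth:ethertype:ip:tcp\n"
    "1700000000.200000\t10.0.0.1,192.168.19.1\t10.0.0.2,192.168.10.10\t"
    "eth:ethertype:ip:gre:ip:tcp\n"
    "1700000000.300000\t192.168.10.1,192.168.19.1\t192.168.19.1,192.168.10.10\t"
    "eth:ethertype:ip:icmp:ip:udp\n"
    "1700000000.400000\t\t\teth:ethertype:arp\n"
)


@dataclass
class FrameRecord:
    time_epoch: float
    ip_src: List[str]   # every ip.src occurrence, outermost header first
    ip_dst: List[str]   # every ip.dst occurrence, outermost header first
    protocols: str      # frame.protocols as printed by tshark

    @property
    def outer_src(self) -> Optional[str]:
        return self.ip_src[0] if self.ip_src else None

    @property
    def outer_dst(self) -> Optional[str]:
        return self.ip_dst[0] if self.ip_dst else None

    @property
    def inner_src(self) -> Optional[str]:
        # Innermost header only exists when more than one IP header is present.
        return self.ip_src[-1] if len(self.ip_src) > 1 else None

    @property
    def inner_dst(self) -> Optional[str]:
        return self.ip_dst[-1] if len(self.ip_dst) > 1 else None

    @property
    def is_nested(self) -> bool:
        return len(self.ip_src) > 1


def split_multi(value: str, aggregator: str = ",") -> List[str]:
    """Split one multi-valued cell; an empty cell (no IP layer) gives []."""
    return [v for v in value.split(aggregator) if v] if value else []


def ip_header_count(protocols: str) -> int:
    """Count IPv4 layers in frame.protocols (each 'ip' token is one header)."""
    return sum(1 for p in protocols.split(":") if p == "ip")


def check_consistency(rec: FrameRecord) -> bool:
    """True when the address count matches the number of IPv4 headers."""
    n = ip_header_count(rec.protocols)
    return len(rec.ip_src) == n and len(rec.ip_dst) == n


def parse_line(line: str, aggregator: str = ",") -> FrameRecord:
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 4:
        raise ValueError(f"expected 4 tab-separated fields, got {len(fields)}")
    t, src, dst, protos = fields
    return FrameRecord(float(t), split_multi(src, aggregator),
                       split_multi(dst, aggregator), protos)


def parse_tsv(text: str, aggregator: str = ",") -> List[FrameRecord]:
    return [parse_line(ln, aggregator) for ln in text.splitlines() if ln.strip()]


def nested_frames(records: List[FrameRecord]) -> List[FrameRecord]:
    """Frames that carry more than one IP header (tunnels, ICMP errors)."""
    return [r for r in records if r.is_nested]


if __name__ == "__main__":
    for r in parse_tsv(SAMPLE_TSV):
        tag = "nested" if r.is_nested else "plain "
        print(f"{tag} outer={r.outer_src}->{r.outer_dst} "
              f"inner={r.inner_src}->{r.inner_dst} ok={check_consistency(r)}")
```

If only one address per column is wanted at capture time, TShark's `-E occurrence=f` (first) or `-E occurrence=l` (last) option restricts the output to a single occurrence, and `-E aggregator=` changes the separator used when all occurrences are kept; keeping all occurrences and splitting them afterwards, as above, retains the most information.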