I have a bunch of PCAPs that I am dissecting programmatically using TShark. Some example bash code:
tshark -r my_pcap.pcap -2 -T fields -E separator=/t \
-e frame.time_epoch \
-e ip.src \
-e ip.dst \
-e frame.protocols \
> my_output.tsv
Occasionally, I will get output where the ip.src and ip.dst fields have two IP addresses, separated by a comma (e.g., 192.168.19.1,192.168.10.10). I've got two questions:
To answer your first question: There may be more than one source and destination IP address pair due to such things as tunneling protocols, such as IP/GRE/IP, or certain ICMP error messages, such as "Destination Unreachable" messages, which, as stated in RFC 792, include "The internet header plus the first 64 bits of the original datagram's data." in their payload.
I don't understand what you mean by your second question regarding best practices.
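One way to post-process such rows, as an added example that is not part of the question or of this answer: tshark emits the occurrences of ip.src/ip.dst in dissection order, so the first value belongs to the outer header and the last to the innermost, and frame.protocols shows what sits between the two "ip" entries (icmp for a quoted original datagram, gre for a tunnel, nothing for plain IP-in-IP). The script assumes the column order of the command in the question; the sample rows are constructed, not real capture output.

```python
"""Parse tshark '-T fields -E separator=/t' output in which ip.src / ip.dst
hold several comma-separated values, one per IP header present in the frame.
Added example, not the poster's code; the sample input is constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rows in the column order of the question's command:
# frame.time_epoch, ip.src, ip.dst, frame.protocols.
SAMPLE_TSV = (
    "1700000000.000001\t10.0.0.5\t10.0.0.9\teth:ethertype:ip:tcp\n"
    # ICMP Destination Unreachable from 192.168.19.1 back to 192.168.10.10;
    # the quoted original datagram (192.168.10.10 -> 8.8.8.8) adds a 2nd header.
    "1700000000.000002\t192.168.19.1,192.168.10.10\t192.168.10.10,8.8.8.8\t"
    "eth:ethertype:ip:icmp:ip:udp\n"
    # IP/GRE/IP tunnel: outer endpoints 203.0.113.x, inner hosts 172.16.0.x.
    "1700000000.000003\t203.0.113.1,172.16.0.2\t203.0.113.2,172.16.0.3\t"
    "eth:ethertype:ip:gre:ip:tcp\n"
    # Non-IP frame: ip.src / ip.dst are empty fields.
    "1700000000.000004\t\t\teth:ethertype:arp\n"
)


@dataclass
class IpRecord:
    time_epoch: float
    protocols: List[str]   # frame.protocols split on ':'
    src: List[str]         # ip.src occurrences, outermost header first
    dst: List[str]         # ip.dst occurrences, outermost header first

    @property
    def outer_src(self) -> Optional[str]:
        return self.src[0] if self.src else None

    @property
    def outer_dst(self) -> Optional[str]:
        return self.dst[0] if self.dst else None

    @property
    def inner_src(self) -> Optional[str]:
        return self.src[-1] if len(self.src) > 1 else None

    @property
    def inner_dst(self) -> Optional[str]:
        return self.dst[-1] if len(self.dst) > 1 else None

    def consistent(self) -> bool:
        """tshark emits one ip.src/ip.dst value per IP header it dissected,
        so the counts must match the number of 'ip' entries in frame.protocols."""
        n_ip = self.protocols.count("ip")
        return len(self.src) == n_ip and len(self.dst) == n_ip

    def encapsulation(self) -> str:
        """Explain a second IP header by what sits between the two 'ip' entries."""
        ip_idx = [i for i, p in enumerate(self.protocols) if p == "ip"]
        if len(ip_idx) < 2:
            return "none"
        between = self.protocols[ip_idx[0] + 1:ip_idx[1]]
        if "icmp" in between:
            return "icmp-error"   # quoted original header, RFC 792
        if "gre" in between:
            return "gre-tunnel"
        if not between:
            return "ipip"         # plain IP-in-IP, no intermediate protocol
        return "other:" + "/".join(between)


def parse_tshark_tsv(text: str, aggregator: str = ",") -> List[IpRecord]:
    """Split TSV rows; multi-valued fields are split on tshark's aggregator
    (default ','). Empty fields become empty lists rather than ['']."""
    records: List[IpRecord] = []
    for line in text.splitlines():
        if not line:
            continue
        cols = line.split("\t")
        if len(cols) != 4:
            raise ValueError(f"expected 4 columns, got {len(cols)}: {line!r}")
        t, src, dst, protos = cols
        records.append(IpRecord(
            time_epoch=float(t),
            protocols=protos.split(":"),
            src=[v for v in src.split(aggregator) if v],
            dst=[v for v in dst.split(aggregator) if v],
        ))
    return records


if __name__ == "__main__":
    for r in parse_tshark_tsv(SAMPLE_TSV):
        print(f"{r.time_epoch:.6f} {r.encapsulation():<11} "
              f"outer={r.outer_src}->{r.outer_dst} "
              f"inner={r.inner_src}->{r.inner_dst} ok={r.consistent()}")
```

If you only ever want the outer header, tshark can do the filtering for you: `-E occurrence=f` keeps the first occurrence of each field (`l` keeps the last, `a`, the default, keeps all), and `-E aggregator=` changes the character used to join multiple occurrences. Keeping all occurrences and splitting them as above preserves the inner addresses, which for an ICMP error are the ones that identify the original flow.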