How to tell which interface was used for capturing data in a wireshark capture file

Question

I have an old capture file that needs analysis, and I need to know which interface was chosen to capture the traffic, is there a way to find out?

score 1 · Answer 1 · answered Mar 03 '11 at 11:39

1

Maybe open it in wireshark and have a look at the MAC address of outbound packets, then match it up with the interface in question?

answered Mar 03 '11 at 11:39

SmallClanger

1

The machine where Wireshark was running wouldn't have been injecting traffic into the capture so how would the OP see the MAC address of the adapter that was used for the capture in the capture? Even if the MAC address is there how is the OP going to differentiate it from the sea of other MAC addresses in the capture? – joeqwerty Mar 03 '11 at 13:20
Good point. I tend to only use Wireshark at one endpoint of a connection for short, narrow captures, so I could usually figure it out; but that likely doesn't apply here. – SmallClanger Mar 03 '11 at 13:52
I'm trying to find out if the nic has been changed, or if routing has been changed on the network, so I can't do it this way... – Mr Shoubs Mar 03 '11 at 15:40

score 1 · Accepted Answer · answered Mar 18 '11 at 20:52

1

Sorry this info isn't saved in pcap files. Some capture formats do, pcap doesn't.

answered Mar 18 '11 at 20:52

eric sorenson

score 0 · Answer 3 · answered Mar 03 '11 at 12:08

0

Open the file in wireshark

click statistics from the menu bar then summery.

details are half way down the page

MK

answered Mar 03 '11 at 12:08

45networker

If I load a .pcap file the interface in the summary comes up as `unknown`. – user9517 Mar 03 '11 at 13:37
same here... :( – Mr Shoubs Mar 03 '11 at 15:38

3 Answers3