0

I'm a newbie with tcpdump. My setup is simple:

  • 1 machine A behind a router B
  • 1 machine C outside, on the Internet

On machine A, I ping machine C, and I want to track what's happening with tcpdump:

  • tcpdump on machine A shows an ICMP packet from IP (A) to IP (C)
  • Then tcpdump on machine C shows an ICMP packet from IP (B) to IP (C)
  • Then tcpdump on machine C sends an echo reply from IP (C) to IP (B)
  • Then tcpdump on machine A shows an echo reply from IP (C) to IP (A)

So, at some point in router B (I cannot run tcpdump on the router), the IPs are converted from IP (B) and IP (A). I assume that the "real destination IP" = IP (A) should be stored somewhere deep within the ICMP packet, so that the router can redirect it correctly. But I can't find any option of tcpdump to show this "real destination IP" when it's run on machine C? What is this option, or how can I see it?

DavidPostill
  • 153,128
  • 77
  • 353
  • 394
xtof54
  • 103
  • 1
  • 4
  • 1
    "I assume that the "real destination IP" = IP (A) should be stored somewhere deep within the ICMP packet, so that the router can redirect it correctly." Incorrect assumption, you need to learn about [Network Address Translation (NAT)](http://www.firewall.cx/networking-topics/network-address-translation-nat/227-nat-concepts.html) – DavidPostill Sep 02 '18 at 19:53
  • Thanks a lot for the link ! It gives interesting insight for my question. There is one big difference though: the first answer in this link assumes that ports are used to transfer the packet, but in my question, I'm asking about ICMP paquets, which, as far as I know, are not associated to ports. But I guess there is another kind of "identifier" that is used for ICMP paquets instead of ports; I'll look for that. Thanks again ! – xtof54 Sep 03 '18 at 03:48

0 Answers0