Hello, this is Stevens here, senior handler at the Internet Storm Center. I wrote a blog post about network traffic where packets can contain multiple IP addresses and the effects this has on TShark and also on Wireshark. So let me illustrate this here.

So I have here Wireshark where I opened a simple packet capture where you have three TCP packets, a SYN packet and a SYN flag is set as you can see here, and we have each TCP packet that has a reply which is an ICMP packet. So let's take the first TCP packet and so the different layers here, you have the frame, Internet Protocol IPv4 and Transmission Control Protocol, and if we open here IP, we have the source IP address. So source IP address, okay, so ip.src, which is 192.168.10.10, and the destination IP address 192.168.10.1, and that is ip.dst. And here the second one, that is an ICMP packet. So here the layers that we have: frame, internet, IPv4 and ICMP, and if you look into here IPv4 again, you have the source IP address, which is the field name ip.src, and that is 192.168.10.1, and the destination IP address 192.168.10.10, so that is ip.dst. So a SYN packet is being sent but it cannot be delivered, and an ICMP is sent back to tell that the destination is unreachable.

Now, so here we have the IP address used by the ICMP packet, but if we drill down into the ICMP packet we have some information like Destination unreachable, Host administratively prohibited, the checksums, and then the IP layer and TCP layer of the first TCP packet, that SYN packet that is embedded in the ICMP level layer. So here again we have IPv4 and here again we have TCP, just like in the first packet, and if we drill down here we see the source address of that embedded SYN packet, 192.168.10.10, and that field is also named ip.src, the destination, that is 192.168.10.1, and that is also named ip.dst.
So, for example, if I filter source, ip.src 192.168.10.1, then here we have the ICMP packets because that's where they come from, and if I filter on 10.10, then I have the SYN packets but also again the ICMP packets, because now this display filter is matching here this address. So inside the ICMP packet you have embedded the IPv4 layer of the previous packet to which it is responding, and that filter also applies here. So, when you have packets like this, when you can have more than one value for the ip.src or ip.dst, you have effects like this on filtering, and it's also something you have with TShark.

If I run TShark, so I read this capture, you can see from 10.10 to 10.1 and vice versa, TCPs and ICMPs, and if I extract, for example, the ip.src field, sorry, it is fields, like this, then you see for the TCP SYN packets you have only one value but for the ICMP packets you have two values. So that is something to keep in mind, that some packets can contain more than one value for a particular field like ip.src or ip.dst, and that has an influence, for example, on the display filters or the result of exporting values with TShark.
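
The behaviour described in the talk, as an added Python example that is not from the talk or the blog post: it collects every IPv4 source address in a packet, including the header quoted inside an ICMP error, and contrasts an "any occurrence" match with an outer-header-only match. The packets are constructed sample data (checksums left at 0, ports chosen arbitrarily) and the function names are hypothetical.

```python
import socket
import struct

# ICMP error types whose payload quotes the offending datagram's IPv4 header
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ip_src_values(packet):
    """Return all IPv4 source addresses: outer header first, then any
    header embedded in an ICMP error message."""
    values = []
    while len(packet) >= 20 and packet[0] >> 4 == 4:
        ihl = (packet[0] & 0x0F) * 4
        if ihl < 20 or len(packet) < ihl:
            break  # malformed header length, stop walking
        values.append(socket.inet_ntoa(packet[12:16]))
        proto, rest = packet[9], packet[ihl:]
        # Only ICMP (protocol 1) errors carry a quoted IPv4 header,
        # located after the 8-byte ICMP header.
        if proto != 1 or len(rest) < 8 or rest[0] not in ICMP_ERROR_TYPES:
            break
        packet = rest[8:]
    return values

def matches_any(packet, address):
    """Match if any occurrence of the field equals the address."""
    return address in ip_src_values(packet)

def matches_outer(packet, address):
    """Match only the outer (delivering) IPv4 header."""
    values = ip_src_values(packet)
    return bool(values) and values[0] == address

# Constructed sample: TCP SYN from 192.168.10.10 to 192.168.10.1
tcp_syn = struct.pack("!HHIIBBHHH", 50000, 80, 0, 0, 0x50, 0x02, 1024, 0, 0)
SYN_PACKET = ipv4_header("192.168.10.10", "192.168.10.1", 6, len(tcp_syn)) + tcp_syn
# Constructed sample: ICMP type 3 code 10 reply quoting that SYN
icmp = struct.pack("!BBHI", 3, 10, 0, 0) + SYN_PACKET
ICMP_PACKET = ipv4_header("192.168.10.1", "192.168.10.10", 1, len(icmp)) + icmp

if __name__ == "__main__":
    for name, pkt in (("SYN", SYN_PACKET), ("ICMP", ICMP_PACKET)):
        print(name, ip_src_values(pkt))
```

The outer-only match is the one to use when the question is which host actually sent the packet.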