Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1357
  • Last Modified:

How to interpret Wireshark statistics endpoints screen output.

If I run the statistics>endpoints on a trace I come up with Ethernet tab (6), IPv4 (19) and TCP (715)

It appears to me to mean that there are 6 mac addresses communicating on the spanned port, and those mac addresses are using 19 ip addresses and those 19 ip addresses are using using 715 ip and port combinations?

Is this correct or do I not understand correctly?
0
Dragon0x40
Asked:
Dragon0x40
2 Solutions
 
arnoldCommented:
It is partially incorrect.

Ethernet deals with MAC addresses seen.
IPv4 Deals with how many distinct IPs are seen (both local and remote, to and from traffic).
TCP deals with breaks down by the distinct on ip/port (i.e. you have 5 unique devices plus broadcast that are accessing 14 other unique IPs which at the time of the snapshot might mean that each of the 5 generated many web requests. While the destination ip/port remains the same, the source of the request changes. Sort by address in the tcp tab, and you will see that your local hosts will have multiple port references.)
0
 
Rick_O_ShayCommented:
It means that is what has been seen sending packets at the point you are capturing but remember you are going to see IP and port information for such things as broadcasts and multicasts etc. which are all going to be coming from the same switch or router MAC address.

Also every session the device is a part of will be another endpoint with the IP and TCP/UDP info of the remote partner device.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now