Solved

Wireshark conversation statistics

Posted on 2014-02-26
Last Modified: 2014-03-13
Can the experts help me out in understanding the statistics for the conversation for Ethernet in Wireshark. I have a Cisco_2d:fa:22 as Address A and Cisco_4d:f3:11 as Address B. So it looks like it is the ID for the Cisco device. I see their MAC addresses in the Ethernet section in Wireshark. But in the IP section, the source and destination IP addresses keep changing from one packet to another.
I'm not sure I understand that. Thanks
Question by:leblanc
11 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 1004 total points
ID: 39890957
If they are switches, then that is to be expected if there are workstations attached.  Each workstation is trying to communicate to something and that is what you are seeing.  It's not just the communication between the switches themselves (which would not be much at all).

I'm assuming the last 3 octets in the names are the last octets in their respective MAC addresses (the switches themselves).
 
LVL 1

Author Comment

by:leblanc
ID: 39890969
I am not sure I understand. So how do I find out the IP addresses of those IP addresses?
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 1004 total points
ID: 39890975
Each switch likely has a management vlan/IP address associated with it.

Unless you know the IP address of the switch it will be tough to figure it out looking at the captures.  There is so much traffic going through them you'll get lost looking.

If you have access to the switch, you may find a sticker on each with the MAC address listed.  From your workstation, if you ping the subnet broadcast then run an arp -a command, you can look for that MAC in the table and associate it to an IP.

What are you attempting to do, exactly?
 
LVL 1

Author Comment

by:leblanc
ID: 39890979
I am just trying to understand the Ethernet conversation statistics. When I look at the IPv4 conversation, I can see that there is a conversation between two layer-3 end-points. So I thought that for the Ethernet conversation, you also have a conversation between 2 end-points at layer 2. But what confuses me is I have the MAC address of the 2 end-points, but layer 3 keeps changing.
Sorry, I am fairly new to Wireshark.
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 1004 total points
ID: 39890987
Nothing to be sorry about, it's how we learn!!

Yes, layer 3 will keep changing because each packet could be destined to anywhere other than the actual switch.  If there's lots of traffic, then you're going to see plenty of different IP addresses as things attached to the switch communicate.

Layer 2 will be pretty static, yes - because the ends of each link between switches have hard-coded MAC addresses that do not change.  However, there likely isn't a huge amount of layer 2 chatter unless there is no IP address associated with the vlans on either end.  Given these are switches, there will be plenty of layer 3 stuff flying around.

I haven't played with Wireshark in ages - I suppose I should fire it up again for old times!
 
LVL 44

Expert Comment

by:Darr247
ID: 39890997
Have you tried right-clicking on one of the conversations and choosing Follow TCP Stream?
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 332 total points
ID: 39891633
If the L3 conversation is between two hosts that are in different IP subnets, the MAC addresses will be that of the router that routes L3 traffic between the two IP subnets.

So say your address is 10.10.10.22, your mask is 255.255.255.0, and your default gateway is set to 10.10.10.1.  Let's further say you have 4 TCP conversations going on to:

1) 10.10.10.2
2) 10.10.10.50
3) 10.20.20.44
4) 10.20.20.78

The 1st two conversations are to hosts within your IP subnet, so you will see their real MAC addresses.

The other two are outside of your subnet so the L3 traffic must be routed via 10.10.10.1.  So for all traffic you see between your computer and those two, the IP address will be their IP address, but the MAC will be that of 10.10.10.1.
 
LVL 1

Author Comment

by:leblanc
ID: 39892210
"choosing Follow TCP Stream" is my next step. I did it earlier but I only see garbage.
 
LVL 57

Expert Comment

by:giltjr
ID: 39892247
It's probably because whatever stream you are following does not contain text, that is, human-readable data.

Example: If you follow a ssh or ssl(like https) session the data is encrypted.  If you follow an HTTP session and the server compresses the responses, Wireshark does not decompress the stream when you follow it.
 
LVL 44

Assisted Solution

by:Darr247
Darr247 earned 332 total points
ID: 39893357
But doing that groups the entire conversation from both ends into one pane, rather like a View filter.
 
LVL 27

Assisted Solution

by:skullnobrains
skullnobrains earned 332 total points
ID: 39893452
this is what you should see when you sniff traffic on a link between 2 switches

(note: you should probably read each paragraph in reverse order, starting with level 3)

in terms of addresses
level 1: no address: being on the other end of the cable is enough
level 2: you see the MAC address of the first router, or the host's if there is no router along the way.
level 3: you see the IPs of the hosts that communicate (assuming the traffic is not PAT/NATed along the way)

in terms of scope:
level 1 - physically connected devices
level 2 - members of the same LAN
level 3 - members of any number of inter-connected LANs

in terms of addressing
level 1 - no addressing performed
level 2 - shoutcast: i'm a.b.c.d, who has w.x.y.z
level 3 - if i'm on the same LAN as packet_destination, xfer to level 2, else look up in my routing table and select the router I will send the packet to

so when you sniff traffic
- you'll see as many MAC addresses as you have hosts on that LAN (most of which will be associated with a single IP)
- for those of the MAC addresses that belong to routers, you'll see several IPs outside the LAN
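The two answers above (giltjr's subnet example and skullnobrains' level-2/level-3 summary) describe the same mechanism, so here is one worked example that puts both into code. It is an added illustration, not code from the thread or from Wireshark: it frames a handful of constructed packets using the "same subnet or via the default gateway" decision, then builds Ethernet and IPv4 conversation tables the way Statistics > Conversations does (unordered address pair, frame count, byte count). The topology is giltjr's (10.10.10.22/24, gateway 10.10.10.1, four peers); every MAC address and the ARP table are made up for the example.

```python
"""Added example (not from the thread): why one Ethernet conversation
(host <-> default gateway) shows up as several IPv4 conversations."""
import ipaddress
from collections import defaultdict

# Constructed topology, following giltjr's numbers. MACs are made up.
HOST_IP = "10.10.10.22"
HOST_MASK = "255.255.255.0"
GATEWAY_IP = "10.10.10.1"
HOST_MAC = "00:11:22:33:44:22"

# What our host would have learned via ARP (constructed). Only on-LAN
# addresses ever appear here; off-LAN destinations are reached via the router.
ARP_TABLE = {
    "10.10.10.1": "00:00:0c:2d:fa:22",   # the router / default gateway
    "10.10.10.2": "00:11:22:33:44:02",
    "10.10.10.50": "00:11:22:33:44:50",
}


def next_hop_mac(dst_ip, host_ip=HOST_IP, mask=HOST_MASK,
                 gateway=GATEWAY_IP, arp=ARP_TABLE):
    """The L3 -> L2 decision skullnobrains describes at 'level 3':
    same LAN -> frame to the destination's own MAC; otherwise -> router's MAC."""
    lan = ipaddress.IPv4Network(f"{host_ip}/{mask}", strict=False)
    target = dst_ip if ipaddress.IPv4Address(dst_ip) in lan else gateway
    return arp[target]


def build_frames(destinations, length=100):
    """Constructed capture: one request and one reply per destination,
    carrying the MACs a sniffer on our LAN would actually see."""
    frames = []
    for dst in destinations:
        peer_mac = next_hop_mac(dst)
        frames.append({"src_mac": HOST_MAC, "dst_mac": peer_mac,
                       "src_ip": HOST_IP, "dst_ip": dst, "len": length})
        frames.append({"src_mac": peer_mac, "dst_mac": HOST_MAC,
                       "src_ip": dst, "dst_ip": HOST_IP, "len": length})
    return frames


def conversations(frames, src_key, dst_key):
    """Wireshark-style conversation table: the pair of addresses is unordered
    (A<->B and B<->A are one row), with frame and byte totals."""
    table = defaultdict(lambda: [0, 0])
    for f in frames:
        pair = tuple(sorted((f[src_key], f[dst_key])))
        table[pair][0] += 1
        table[pair][1] += f["len"]
    return dict(table)


def ips_seen_with_mac(frames, mac):
    """Every IP address that was carried in a frame to or from this MAC.
    A host's MAC maps to one IP; a router's MAC maps to many off-LAN IPs."""
    seen = set()
    for f in frames:
        if f["src_mac"] == mac:
            seen.add(f["src_ip"])
        if f["dst_mac"] == mac:
            seen.add(f["dst_ip"])
    return seen


if __name__ == "__main__":
    capture = build_frames(["10.10.10.2", "10.10.10.50",
                            "10.20.20.44", "10.20.20.78"])
    print("Ethernet conversations (Statistics > Conversations > Ethernet):")
    for (a, b), (n, nbytes) in conversations(capture, "src_mac", "dst_mac").items():
        print(f"  {a} <-> {b}: {n} frames, {nbytes} bytes")
    print("IPv4 conversations (Statistics > Conversations > IPv4):")
    for (a, b), (n, nbytes) in conversations(capture, "src_ip", "dst_ip").items():
        print(f"  {a} <-> {b}: {n} frames, {nbytes} bytes")
    print("IPs seen behind the router's MAC:",
          sorted(ips_seen_with_mac(capture, ARP_TABLE[GATEWAY_IP])))
```

Running it gives three Ethernet rows but four IPv4 rows: the two off-subnet peers collapse into the single host-to-gateway Ethernet conversation, which is exactly the "MAC stays fixed while the IPs keep changing" pattern in the question. The same tables can be pulled from a real capture on the command line with tshark, for example `tshark -r capture.pcap -q -z conv,eth -z conv,ip`; filtering the packet list on `eth.addr == <router MAC>` then shows the spread of IP addresses behind that one MAC.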
