Solved

Wireshark conversation statistics

Posted on 2014-02-26
Last Modified: 2014-03-13
Can the experts help me out in understanding the statistics for the conversation for Ethernet in Wireshark. I have a Cisco_2d:fa:22 as Address A and Cisco_4d:f3:11 as Address B. So it looks like it is the ID for the Cisco device. I see their MAC addresses in the Ethernet section in Wireshark. But in the IP section, the source and destination IP addresses keep changing from one packet to another.
I'm not sure I understand that. Thanks
Question by:leblanc
 
Accepted Solution by: Netman66 (LVL 51)
ID: 39890957
If they are switches, then that is to be expected if there are workstations attached.  Each workstation is trying to communicate to something and that is what you are seeing.  It's not just the communication between the switches themselves (which would not be much at all).

I'm assuming the last 3 octets in the names are the last octets in their respective MAC addresses (the switches themselves).
 
Author Comment by: leblanc (LVL 1)
ID: 39890969
I am not sure I understand. So how do I find out the IP addresses of those IP addresses?
 
Assisted Solution by: Netman66 (LVL 51)
ID: 39890975
Each switch likely has a management vlan/IP address associated with it.

Unless you know the IP address of the switch, it will be tough to figure it out looking at the captures.  There is so much traffic going through them you'll get lost looking.

If you have access to the switch, you may find a sticker on each with the MAC address listed.  From your workstation, if you ping the subnet broadcast then run an arp -a command, you can look for that MAC in the table and associate it to an IP.

What are you attempting to do, exactly?
 
Author Comment by: leblanc (LVL 1)
ID: 39890979
I am just trying to understand the Ethernet conversation statistics. When I look at the IPv4 conversation, I can see that there is a conversation between two layer-3 end-points. So I thought that for the Ethernet conversation, you also have a conversation between 2 end-points at layer 2. But what confuses me is that I have the MAC addresses of the 2 end-points, but layer 3 keeps changing.
Sorry, I am fairly new to Wireshark.
 
Assisted Solution by: Netman66 (LVL 51)
ID: 39890987
Nothing to be sorry about, it's how we learn!!

Yes, layer 3 will keep changing because each packet could be destined to anywhere other than the actual switch.  If there's lots of traffic, then you're going to see plenty of different IP addresses as things attached to the switch communicate.

Layer 2 will be pretty static, yes - because the ends of each link between switches have hard-coded MAC addresses that do not change.  However, there likely isn't a huge amount of layer 2 chatter unless there is no IP address associated with the vlans on either end.  Given these are switches, there will be plenty of layer 3 stuff flying around.

I haven't played with Wireshark in ages - I suppose I should fire it up again for old times!
Expert Comment by: Darr247 (LVL 44)
ID: 39890997
Have you tried right-clicking on one of the conversations and choosing Follow TCP Stream?
 
Assisted Solution by: giltjr (LVL 57)
ID: 39891633
If the L3 conversation is between two hosts that are in different IP subnets, the MAC addresses will be that of the router that routes L3 traffic between the two IP subnets.

So say your address is 10.10.10.22, your mask is 255.255.255.0, and your default gateway is set to 10.10.10.1.  Let's further say you have 4 TCP conversations going on to:

1) 10.10.10.2
2) 10.10.10.50
3) 10.20.20.44
4) 10.20.20.78

The first two conversations are to hosts within your IP subnet, so you will see their real MAC addresses.

The other two are outside of your subnet, so the L3 traffic must be routed via 10.10.10.1.  So for all traffic you see between your computer and those two, the IP address will be their IP address, but the MAC will be that of 10.10.10.1.
 
Author Comment by: leblanc (LVL 1)
ID: 39892210
"choosing Follow TCP Stream" is my next step. I did it earlier but I only see garbage.
 
Expert Comment by: giltjr (LVL 57)
ID: 39892247
It's probably because whatever stream you are following does not contain text, that is, human-readable data.

Example: If you follow an SSH or SSL (like HTTPS) session, the data is encrypted.  If you follow an HTTP session and the server compresses the responses, Wireshark does not decompress the stream when you follow it.
 
Assisted Solution by: Darr247 (LVL 44)
ID: 39893357
But doing that groups the entire conversation from both ends into one pane, rather like a View filter.
 
Assisted Solution by: skullnobrains (LVL 26)
ID: 39893452
This is what you should see when you sniff traffic on a link between 2 switches.

(Note: you should probably read each paragraph in reverse order, starting with level 3.)

In terms of addresses:
level 1: no address; being on the other end of the cable is enough
level 2: you see the MAC address of the first router, or the host's if there is no router along the way
level 3: you see the IPs of the hosts that communicate (assuming the traffic is not PAT/NATed along the way)

In terms of scope:
level 1 - physically connected devices
level 2 - members of the same LAN
level 3 - members of any number of inter-connected LANs

In terms of addressing:
level 1 - no addressing performed
level 2 - shoutcast: I'm a.b.c.d, who has w.x.y.z?
level 3 - if I'm on the same LAN as packet_destination, transfer to level 2; else look up in my routing table and select the router I will send the packet to

So when you sniff traffic:
- you'll see as many MAC addresses as you have hosts on that LAN (most of which will be associated with a single IP)
- for those of the MAC addresses that belong to routers, you'll see several IPs outside the LAN
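As an added illustration of giltjr's 10.10.10.22 example and skullnobrains' point that a router's MAC carries many off-LAN IPs (example code, not from the thread or from Wireshark), the script below builds the Ethernet and IPv4 "conversations" the way Wireshark's Statistics > Conversations tab does, over a small constructed set of frames. The MAC addresses and the ARP table are made up; only the IP addresses come from the thread.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed MACs (hypothetical); GW_MAC belongs to the default gateway 10.10.10.1.
MY_MAC = "00:00:00:aa:00:22"
MAC_02 = "00:00:00:aa:00:02"
MAC_50 = "00:00:00:aa:00:50"
GW_MAC = "00:00:00:aa:00:01"

# Constructed capture: one tuple per frame (eth_src, eth_dst, ip_src, ip_dst).
FRAMES = [
    (MY_MAC, MAC_02, "10.10.10.22", "10.10.10.2"),   # same subnet: real peer MAC
    (MAC_02, MY_MAC, "10.10.10.2", "10.10.10.22"),
    (MY_MAC, MAC_50, "10.10.10.22", "10.10.10.50"),
    (MY_MAC, GW_MAC, "10.10.10.22", "10.20.20.44"),  # off subnet: framed to gateway
    (GW_MAC, MY_MAC, "10.20.20.44", "10.10.10.22"),
    (MY_MAC, GW_MAC, "10.10.10.22", "10.20.20.78"),
    (GW_MAC, MY_MAC, "10.20.20.78", "10.10.10.22"),
]


def conversations(frames, layer):
    """Group frames into unordered endpoint pairs at one layer ('eth' or 'ip').

    Each conversation records its frame count and the set of other-layer
    endpoint pairs it carried, so a gateway MAC pair shows many IP pairs.
    """
    own = (0, 1) if layer == "eth" else (2, 3)
    other = (2, 3) if layer == "eth" else (0, 1)
    convs = defaultdict(lambda: {"frames": 0, "peers": set()})
    for f in frames:
        key = tuple(sorted((f[own[0]], f[own[1]])))
        convs[key]["frames"] += 1
        convs[key]["peers"].add(tuple(sorted((f[other[0]], f[other[1]]))))
    return dict(convs)


def expected_dst_mac(src_ip, dst_ip, mask, gateway_ip, arp_table):
    """Destination MAC a sender puts on an IP packet: the host's own MAC if
    dst is on-link, otherwise the gateway's MAC (the rule giltjr describes)."""
    on_link = ip_address(dst_ip) in ip_network(f"{src_ip}/{mask}", strict=False)
    return arp_table[dst_ip if on_link else gateway_ip]


if __name__ == "__main__":
    for layer in ("eth", "ip"):
        for key, info in conversations(FRAMES, layer).items():
            print(layer, key, info["frames"], "frames,", len(info["peers"]), "peer pairs")
```

Run against a real capture, the same grouping explains the original question: one Ethernet conversation between a host and its gateway fans out into as many IPv4 conversations as there are remote hosts.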