Wireshark conversation statistics

Can the experts help me out in understanding the statistics for the conversation for Ethernet in Wireshark. I have a Cisco_2d:fa:22 as Address A and Cisco_4d:f3:11 as Address B. So it looks like it is the ID for the Cisco device. I see their MAC addresses in the Ethernet section in Wireshark. But in the IP section, the source and destination IP addresses keep changing from one packet to another.
I'm not sure I understand that. Thanks
Asked by leblanc
Netman66 commented:
If they are switches, then that is to be expected if there are workstations attached.  Each workstation is trying to communicate to something and that is what you are seeing.  It's not just the communication between the switches themselves (which would not be much at all).

I'm assuming the last 3 octets in the names are the last octets in their respective MAC addresses (the switches themselves).

leblanc (Author) commented:
I am not sure I understand. So how do I find out the IP addresses of those IP addresses?

Netman66 commented:
Each switch likely has a management vlan/IP address associated with it.

Unless you know the IP address of the switch it will be tough to figure it out looking at the captures.  There is so much traffic going through them you'll get lost looking.

If you have access to the switch, you may find a sticker on each with the MAC address listed.  From your workstation, if you ping the subnet broadcast then run an arp -a command, you can look for that MAC in the table and associate it to an IP.

What are you attempting to do, exactly?

leblanc (Author) commented:
I am just trying to understand the Ethernet conversation statistics. When I look at the IPv4 conversation, I can see that there is a conversation between two layer-3 end-points. So I thought that for the Ethernet conversation, you also have a conversation between 2 end-points at layer 2. But what confuses me is I have the MAC address of the 2 end-points, but layer 3 keeps changing.
Sorry, I am fairly new to Wireshark.

Netman66 commented:
Nothing to be sorry about, it's how we learn!!

Yes, layer 3 will keep changing because each packet could be destined to anywhere other than the actual switch.  If there's lots of traffic, then you're going to see plenty of different IP addresses as things attached to the switch communicate.

Layer 2 will be pretty static, yes - because the ends of each link between switches have hard-coded MAC addresses that do not change.  However, there likely isn't a huge amount of layer 2 chatter unless there is no IP address associated with the vlans on either end.  Given these are switches, there will be plenty of layer 3 stuff flying around.

I haven't played with Wireshark in ages - I suppose I should fire it up again for old times!

Darr247 commented:
Have you tried right-clicking on one of the conversations and choosing Follow TCP Stream?

giltjr commented:
If the L3 conversation is between two hosts that are in different IP subnets, the MAC addresses will be that of the router that routes L3 traffic between the two IP subnets.

So say your address is 10.10.10.22, your mask is 255.255.255.0, and your default gateway is set to 10.10.10.1. Let's further say you have 4 TCP conversations going on to:

1) 10.10.10.2
2) 10.10.10.50
3) 10.20.20.44
4) 10.20.20.78

The 1st two conversations are to hosts within your IP subnet, so you will see their real MAC addresses.

The other two are outside of your subnet, so the L3 traffic must be routed via 10.10.10.1. So for all traffic you see between your computer and those two, the IP address will be their IP address, but the MAC will be that of 10.10.10.1.

leblanc (Author) commented:
"choosing Follow TCP Stream" is my next step. I did it earlier but I only see garbage.

giltjr commented:
It's probably because whatever stream you are following does not contain text, that is, human-readable data.

Example: If you follow an SSH or SSL (like HTTPS) session, the data is encrypted. If you follow an HTTP session and the server compresses the responses, Wireshark does not decompress the stream when you follow it.

Darr247 commented:
But doing that groups the entire conversation from both ends into one pane, rather like a View filter.

skullnobrains commented:
This is what you should see when you sniff traffic on a link between 2 switches.

(Note: you should probably read each paragraph in reverse order, starting with level 3.)

In terms of addresses:
level 1 - no address: being on the other end of the cable is enough
level 2 - you see the MAC address of the first router, or the host's if there is no router along the way
level 3 - you see the IPs of the hosts that communicate (assuming the traffic is not PAT/NATed along the way)

In terms of scope:
level 1 - physically connected devices
level 2 - members of the same LAN
level 3 - members of any number of inter-connected LANs

In terms of addressing:
level 1 - no addressing performed
level 2 - shoutcast: I'm a.b.c.d, who has w.x.y.z?
level 3 - if I'm on the same LAN as packet_destination, transfer to level 2; else look up in my routing table and select the router I will send the packet to

So when you sniff traffic:
- you'll see as many MAC addresses as you have hosts on that LAN (most of which will be associated with a single IP)
- for those of the MAC addresses that belong to routers, you'll see several IPs outside the LAN
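The next-hop rule that giltjr's four-destination example and skullnobrains' level 2/level 3 summary both describe, worked through as an added example (not code from the thread): a host at 10.10.10.22/24 with gateway 10.10.10.1 frames each packet, and the script then tallies address pairs the way Wireshark's Ethernet and IPv4 conversation tables do. The IP addresses are the ones from the thread; the MAC addresses and ARP table are constructed.

```python
"""Why one Ethernet conversation can carry several IPv4 conversations.

Constructed example: hosts on the local subnet get their own MAC as the
frame destination, while every off-subnet destination is framed to the
gateway's MAC. Wireshark's Ethernet "Conversations" tab therefore shows a
single host<->gateway pair while the IPv4 tab shows two distinct peers.
"""
from collections import Counter
from ipaddress import IPv4Address, IPv4Interface

HOST = IPv4Interface("10.10.10.22/24")      # address + mask from the thread
GATEWAY = IPv4Address("10.10.10.1")         # default gateway from the thread
ARP_TABLE = {                                # constructed: what `arp -a` might show
    IPv4Address("10.10.10.22"): "00:11:22:33:44:22",   # ourselves
    IPv4Address("10.10.10.1"):  "00:aa:bb:cc:dd:01",   # the router
    IPv4Address("10.10.10.2"):  "00:11:22:33:44:02",
    IPv4Address("10.10.10.50"): "00:11:22:33:44:50",
}
HOST_MAC = ARP_TABLE[HOST.ip]

def next_hop_mac(dst_ip: str) -> str:
    """Layer-2 destination for a packet to dst_ip: same LAN -> the host's own
    MAC; otherwise the MAC of the router that will forward it."""
    dst = IPv4Address(dst_ip)
    next_hop = dst if dst in HOST.network else GATEWAY
    return ARP_TABLE[next_hop]

def frames_to(destinations):
    """One (src_mac, dst_mac, src_ip, dst_ip) frame per destination."""
    return [(HOST_MAC, next_hop_mac(d), str(HOST.ip), d) for d in destinations]

def conversation_stats(frames):
    """Mimic the Ethernet and IPv4 conversation tables: frames per unordered
    address pair at each layer."""
    eth = Counter(frozenset((smac, dmac)) for smac, dmac, _, _ in frames)
    ipv4 = Counter(frozenset((sip, dip)) for _, _, sip, dip in frames)
    return eth, ipv4

if __name__ == "__main__":
    peers = ["10.10.10.2", "10.10.10.50", "10.20.20.44", "10.20.20.78"]
    eth, ipv4 = conversation_stats(frames_to(peers))
    print(f"Ethernet conversations: {len(eth)}, IPv4 conversations: {len(ipv4)}")
    for pair, n in eth.items():
        print("  eth", sorted(pair), "frames:", n)
```

Running it prints 3 Ethernet conversations against 4 IPv4 conversations, because both 10.20.20.x peers sit behind the single host-to-gateway MAC pair.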