Solved

Wireshark conversation statistics

Posted on 2014-02-26
629 Views
Last Modified: 2014-03-13
Can the experts help me out in understanding the statistics for the conversation for Ethernet in Wireshark? I have a Cisco_2d:fa:22 as Address A and Cisco_4d:f3:11 as Address B. So it looks like it is the ID for the Cisco device. I see their MAC addresses in the Ethernet section in Wireshark. But in the IP section, the source and destination IP addresses keep changing from one packet to another.
I'm not sure I understand that. Thanks.
Question by:leblanc
11 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 251 total points
ID: 39890957
If they are switches, then that is to be expected if there are workstations attached.  Each workstation is trying to communicate to something and that is what you are seeing.  It's not just the communication between the switches themselves (which would not be much at all).

I'm assuming the last 3 octets in the names are the last octets in their respective MAC addresses (the switches themselves).
LVL 1

Author Comment

by:leblanc
ID: 39890969
I am not sure I understand. So how do I find out the IP addresses of those IP addresses?
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 251 total points
ID: 39890975
Each switch likely has a management vlan/IP address associated with it.

Unless you know the IP address of the switch it will be tough to figure it out looking at the captures.  There is so much traffic going through them you'll get lost looking.

If you have access to the switch, you may find a sticker on each with the MAC address listed.  From your workstation, if you ping the subnet broadcast then run an arp -a command, you can look for that MAC in the table and associate it to an IP.

What are you attempting to do, exactly?
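As an added illustration of the "ping the broadcast, then arp -a" step above (this is not code from the thread): the snippet parses arp -a output in both the Windows layout (dash-separated MACs) and the Linux/BSD layout (colon-separated MACs) and looks up the IP that a MAC maps to. It also matches on the last three octets, which is all Wireshark shows in a name like Cisco_2d:fa:22. The two ARP tables and every MAC in them are constructed sample data; the vendor prefixes are made up and the tails were chosen to line up with the names in the question.

```python
import re

# Constructed sample of "arp -a" output in the Windows layout (dashes in MACs).
# The MACs are invented; only the last three octets were picked to match the question.
WINDOWS_ARP = """\
Interface: 10.10.10.22 --- 0xb
  Internet Address      Physical Address      Type
  10.10.10.1            00-1a-2b-2d-fa-22     dynamic
  10.10.10.50           00-1a-2b-4d-f3-11     dynamic
  10.10.10.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample of the same table in the Linux/BSD layout (colons in MACs).
LINUX_ARP = """\
gateway (10.10.10.1) at 00:1a:2b:2d:fa:22 [ether] on eth0
? (10.10.10.50) at 00:1a:2b:4d:f3:11 [ether] on eth0
? (10.10.10.77) at <incomplete> on eth0
"""

MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(mac):
    """Canonical form (lower-case, colon separated) so dash/colon and case differences do not matter."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {mac: [ip, ...]} from arp -a output in either layout.

    Lines without both an IP and a MAC (headers, the Windows 'Interface:' line,
    '<incomplete>' entries) are skipped.
    """
    table = {}
    for line in text.splitlines():
        mac_m = MAC_RE.search(line)
        ip_m = IPV4_RE.search(line)
        if not (mac_m and ip_m):
            continue
        table.setdefault(normalize_mac(mac_m.group(1)), []).append(ip_m.group(1))
    return table


def ips_for_mac(text, mac):
    """All IPs the table associates with a full MAC address."""
    return parse_arp_table(text).get(normalize_mac(mac), [])


def ips_matching_suffix(text, suffix):
    """Wireshark abbreviates a MAC to vendor name + last three octets (Cisco_2d:fa:22);
    match on that tail when only the abbreviated name is known."""
    tail = normalize_mac(suffix)
    return [ip
            for mac, ips in parse_arp_table(text).items()
            if mac.endswith(":" + tail)
            for ip in ips]


if __name__ == "__main__":
    print("2d:fa:22 ->", ips_matching_suffix(WINDOWS_ARP, "2d:fa:22"))
    print("4d:f3:11 ->", ips_matching_suffix(LINUX_ARP, "4d:f3:11"))
```

On a real host you would feed the output of arp -a (or ip neigh on Linux) into parse_arp_table instead of the constructed strings; a MAC that is absent simply returns an empty list, which usually means the device never answered the broadcast ping.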
LVL 1

Author Comment

by:leblanc
ID: 39890979
I am just trying to understand the Ethernet conversation statistics. When I look at the IPv4 conversation, I can see that there is a conversation between two layer-3 end-points. So I thought that for the Ethernet conversation, you also have a conversation between 2 end-points at layer 2. But what confuses me is that I have the MAC address of the 2 end-points, but layer 3 keeps changing.
Sorry, I am fairly new to Wireshark.
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 251 total points
ID: 39890987
Nothing to be sorry about, it's how we learn!!

Yes, layer 3 will keep changing because each packet could be destined to anywhere other than the actual switch.  If there's lots of traffic, then you're going to see plenty of different IP addresses as things attached to the switch communicate.

Layer 2 will be pretty static, yes - because the ends of each link between switches have hard-coded MAC addresses that do not change.  However, there likely isn't a huge amount of layer 2 chatter unless there is no IP address associated with the vlans on either end.  Given these are switches, there will be plenty of layer 3 stuff flying around.

I haven't played with Wireshark in ages - I suppose I should fire it up again for old times!
LVL 44

Expert Comment

by:Darr247
ID: 39890997
Have you tried right-clicking on one of the conversations and choosing Follow TCP Stream ?
LVL 57

Assisted Solution

by:giltjr
giltjr earned 83 total points
ID: 39891633
If the L3 conversation is between two hosts that are in different IP subnets, the MAC addresses will be that of the router that routes L3 traffic between the two IP subnets.

So say your address is 10.10.10.22, your mask is 255.255.255.0, and your default gateway is set to 10.10.10.1.  Let's further say you have 4 TCP conversations going on to:

1) 10.10.10.2
2) 10.10.10.50
3) 10.20.20.44
4) 10.20.20.78

The 1st two conversations are to hosts within your IP subnet, so you will see their real MAC addresses.

The other two are outside of your subnet so the L3 traffic must be routed via 10.10.10.1.  So for all traffic you see between your computer and those two, the IP address will be their IP address, but the MAC will be that of 10.10.10.1.
LVL 1

Author Comment

by:leblanc
ID: 39892210
"choosing Follow TCP Stream" is my next step. I did it earlier but I only see garbage.
LVL 57

Expert Comment

by:giltjr
ID: 39892247
It's probably because whatever stream you are following does not contain text, that is, human-readable data.

Example: If you follow an ssh or ssl (like https) session the data is encrypted.  If you follow an HTTP session and the server compresses the responses, Wireshark does not decompress the stream when you follow it.
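An added example (not from the thread) that sorts the "garbage" cases giltjr lists: it takes the bytes of a followed TCP stream and reports whether they look like an SSH session, a TLS/SSL session, an HTTP response with a gzip-compressed body, plain readable text, or other binary. The payloads in the test are constructed; the checks are simple header heuristics (SSH banner, TLS record header 0x16 0x03 0x0N, gzip magic 1f 8b), not a full dissector.

```python
import string

# Bytes considered "readable" for the plain-text fallback check.
_PRINTABLE = set(string.printable.encode())


def classify_stream(payload: bytes) -> str:
    """Heuristic label for the bytes of a followed TCP stream.

    Returns one of: "ssh", "tls", "http-gzip", "text", "binary".
    """
    # SSH: both sides start with a version banner; everything after key exchange is encrypted.
    if payload.startswith(b"SSH-"):
        return "ssh"

    # TLS/SSL: first record is a handshake (content type 0x16) with version 0x03 0x00..0x04.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"

    # HTTP response whose body is gzip-compressed: headers read fine, body starts with 1f 8b.
    head, sep, body = payload.partition(b"\r\n\r\n")
    if (sep and head.startswith(b"HTTP/")
            and b"content-encoding: gzip" in head.lower()
            and body.startswith(b"\x1f\x8b")):
        return "http-gzip"

    # Otherwise decide by how much of the stream is printable.
    if not payload:
        return "binary"
    printable_ratio = sum(b in _PRINTABLE for b in payload) / len(payload)
    return "text" if printable_ratio > 0.95 else "binary"


if __name__ == "__main__":
    # Constructed sample streams.
    samples = {
        "banner": b"SSH-2.0-OpenSSH_8.9\r\n",
        "handshake": bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x03",
        "gzipped": b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n\x1f\x8b\x08\x00\x00\x00",
        "request": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    }
    for name, data in samples.items():
        print(name, "->", classify_stream(data))
```

In the TLS and SSH cases there is nothing to decode without the session keys, so the right move in Wireshark is to look at the handshake metadata rather than the stream contents; for the gzip case, the individual HTTP packets can still be inspected in the packet details pane, where Wireshark does inflate the body.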
LVL 44

Assisted Solution

by:Darr247
Darr247 earned 83 total points
ID: 39893357
But doing that groups the entire conversation from both ends into one pane, rather like a View filter.
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 83 total points
ID: 39893452
this is what you should see when you sniff traffic on a link between 2 switches

(note : you should probably read each paragraph in reverse order starting with level 3)

in terms of addresses
level 1 : no address : being on the other end of the cable is enough
level 2 : you see the mac address of the first router or the host's if there is no router along the way.
level 3 : you see the ips of the hosts that communicate (assuming the traffic is not PAT/NATed along the way)

in terms of scope :
level 1 - physically connected devices
level 2 - members of the same LAN
level 3 - members of any number of inter-connected LANs

in terms of addressing
level 1 - no addressing performed
level 2 - shoutcast : i'm a.b.c.d who has w.x.y.z
level 3 - if i'm on the same lan as packet_destination, xfer to level 2, else lookup in my routing table and select the router who i will send the packet to

so when you sniff traffic
- you'll see as many mac addresses as you have hosts on that lan (most of which will be associated with a single IP)
- for those of the mac addresses that belong to routers you'll see several ips outside the lan
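An added worked example (not code from the thread) that ties giltjr's four-conversation scenario to skullnobrains's last two bullets and to the original question about the Conversations window: it decides, for each destination, whether the frame's MAC goes to the host itself or to the default gateway, then counts conversations the way Wireshark's Statistics -> Conversations does, once by unordered MAC pair (Ethernet tab) and once by unordered IP pair (IPv4 tab). The result shows one Ethernet conversation, workstation <-> gateway, carrying two distinct IPv4 conversations, which is exactly the "MAC pair stays fixed, IPs keep changing" effect. The IP addresses are giltjr's; the MAC table is constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed MAC table for the example (addresses from giltjr's post, MACs made up).
ARP = {
    "10.10.10.22": "aa:aa:aa:00:00:22",  # our workstation
    "10.10.10.1":  "aa:aa:aa:00:00:01",  # default gateway
    "10.10.10.2":  "aa:aa:aa:00:00:02",  # on-subnet host
    "10.10.10.50": "aa:aa:aa:00:00:50",  # on-subnet host
}


def next_hop(src_ip, netmask, gateway, dst_ip):
    """IP whose MAC appears as the frame's destination: the host itself when it is in
    our subnet, otherwise the default gateway (the router does the L3 forwarding)."""
    net = ipaddress.ip_network(f"{src_ip}/{netmask}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in net else gateway


def build_frames(src_ip, netmask, gateway, destinations):
    """A request and a reply frame per destination, as (src_mac, dst_mac, src_ip, dst_ip).
    Off-subnet hosts have no entry in ARP and never appear at layer 2."""
    frames = []
    for dst in destinations:
        hop = next_hop(src_ip, netmask, gateway, dst)
        frames.append((ARP[src_ip], ARP[hop], src_ip, dst))   # outbound
        frames.append((ARP[hop], ARP[src_ip], dst, src_ip))   # reply
    return frames


def conversations(frames):
    """Mimic Wireshark's Conversations window: Ethernet tab keyed by unordered MAC pair,
    IPv4 tab keyed by unordered IP pair, plus which IP pairs ride on each MAC pair."""
    eth = Counter()
    ip = Counter()
    ip_pairs_per_eth = defaultdict(set)
    for smac, dmac, sip, dip in frames:
        eth_key = tuple(sorted((smac, dmac)))
        ip_key = tuple(sorted((sip, dip)))
        eth[eth_key] += 1
        ip[ip_key] += 1
        ip_pairs_per_eth[eth_key].add(ip_key)
    return eth, ip, ip_pairs_per_eth


if __name__ == "__main__":
    frames = build_frames("10.10.10.22", "255.255.255.0", "10.10.10.1",
                          ["10.10.10.2", "10.10.10.50", "10.20.20.44", "10.20.20.78"])
    eth, ip, per_eth = conversations(frames)
    print("Ethernet conversations:", len(eth), " IPv4 conversations:", len(ip))
    for key, pairs in per_eth.items():
        print(key, "carries", sorted(pairs))
```

The gateway's MAC pair accumulates every off-subnet flow, so the more routed traffic there is, the more distinct IP pairs hide behind a single Ethernet conversation; the two on-subnet hosts each get their own MAC pair with exactly one IP pair on it.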