Wireshark conversation statistics

Can the experts help me out in understanding the statistics for the conversation for Ethernet in Wireshark. I have a Cisco_2d:fa:22 as Address A and Cisco_4d:f3:11 as Address B. So it looks like it is the ID for the Cisco device. I see their MAC addresses in the Ethernet section in Wireshark. But in the IP section, the source and destination IP addresses keep changing from one packet to another.
I'm not sure I understand that. Thanks
Top Expert 2005
If they are switches, then that is to be expected if there are workstations attached.  Each workstation is trying to communicate to something and that is what you are seeing.  It's not just the communication between the switches themselves (which would not be much at all).

I'm assuming the last 3 octets in the names are the last octets in their respective MAC addresses (the switches themselves).


I am not sure I understand. So how do I find out the IP addresses of those IP addresses?
Top Expert 2005
Each switch likely has a management vlan/IP address associated with it.

Unless you know the IP address of the switch it will be tough to figure it out looking at the captures.  There is so much traffic going through them you'll get lost looking.

If you have access to the switch, you may find a sticker on each with the MAC address listed.  From your workstation, if you ping the subnet broadcast then run an arp -a command, you can look for that MAC in the table and associate it to an IP.

What are you attempting to do, exactly?



I am just trying to understand the Ethernet conversation statistics. When I look at the IPv4 conversation, I can see that there is a conversation between two layer-3 end-points. So I thought that for the Ethernet conversation, you also have a conversation between 2 end-points at layer 2. But what confuses me is I have the MAC addresses of the 2 end-points, but layer 3 keeps changing.
Sorry, I am fairly new to Wireshark.
Top Expert 2005
Nothing to be sorry about, it's how we learn!!

Yes, layer 3 will keep changing because each packet could be destined to anywhere other than the actual switch.  If there's lots of traffic, then you're going to see plenty of different IP addresses as things attached to the switch communicate.

Layer 2 will be pretty static, yes - because the ends of each link between switches have hard-coded MAC addresses that do not change.  However, there likely isn't a huge amount of layer 2 chatter unless there is no IP address associated with the vlans on either end.  Given these are switches, there will be plenty of layer 3 stuff flying around.

I haven't played with Wireshark in ages - I suppose I should fire it up again for old times!
Have you tried right-clicking on one of the conversations and choosing Follow TCP Stream ?
Top Expert 2014
If the L3 conversation is between two hosts that are in different IP subnets, the MAC addresses will be that of the router that routes L3 traffic between the two IP subnets.

So say your address is, your mask is, and your default gateway is set to. Let's further say you have 4 TCP conversations going on to:


The 1st two conversations are to hosts within your IP subnet, so you will see their real MAC addresses.

The other two are outside of your subnet, so the L3 traffic must be routed via. So for all traffic you see between your computer and those two, the IP address will be their IP address, but the MAC will be that of


"choosing Follow TCP Stream" is my next step. I did it earlier but I only see garbage.
Top Expert 2014

It's probably because whatever stream you are following does not contain text, that is, human-readable data.

Example: If you follow an ssh or ssl (like https) session, the data is encrypted.  If you follow an HTTP session and the server compresses the responses, Wireshark does not decompress the stream when you follow it.
But doing that groups the entire conversation from both ends into one pane, rather like a View filter.
This is what you should see when you sniff traffic on a link between 2 switches

(note: you should probably read each paragraph in reverse order, starting with level 3)

in terms of addresses:
level 1 : no address : being on the other end of the cable is enough
level 2 : you see the MAC address of the first router, or the host's if there is no router along the way.
level 3 : you see the IPs of the hosts that communicate (assuming the traffic is not PAT/NATed along the way)

in terms of scope:
level 1 - physically connected devices
level 2 - members of the same LAN
level 3 - members of any number of inter-connected LANs

in terms of addressing:
level 1 - no addressing performed
level 2 - shoutcast : I'm a.b.c.d, who has w.x.y.z
level 3 - if I'm on the same LAN as packet_destination, xfer to level 2, else look up in my routing table and select the router I will send the packet to

so when you sniff traffic
- you'll see as many MAC addresses as you have hosts on that LAN (most of which will be associated with a single IP)
- for those of the MAC addresses that belong to routers, you'll see several IPs outside the LAN
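To make the two answers above concrete (the on-subnet vs. via-router MAC rule, and "one router MAC, many off-LAN IPs"), here is an added illustration that is not part of the thread: a constructed host with a hypothetical ARP cache sends traffic to four peers, and the frames are then grouped the way Wireshark's Statistics > Conversations tab does, once by MAC pair and once by IP pair. All addresses and MACs are made up.

```python
"""Ethernet vs IPv4 conversation statistics, Wireshark style (constructed example)."""
import ipaddress
from collections import Counter

# Constructed ARP cache for our LAN (hypothetical values): IP -> MAC.
ARP_TABLE = {
    "192.168.1.1":  "00:11:22:aa:bb:01",  # default gateway (router)
    "192.168.1.10": "00:11:22:aa:bb:10",  # the sniffing host itself
    "192.168.1.20": "00:11:22:aa:bb:20",
    "192.168.1.30": "00:11:22:aa:bb:30",
}
HOST, MASK, GATEWAY = "192.168.1.10", "255.255.255.0", "192.168.1.1"
# Two on-subnet peers, two off-subnet peers (documentation ranges).
PEERS = ["192.168.1.20", "192.168.1.30", "203.0.113.5", "198.51.100.7"]

def next_hop_mac(src_ip, dst_ip, netmask, gateway):
    """Layer-3 decision: same LAN -> the peer's own MAC, else the router's MAC."""
    net = ipaddress.ip_network(f"{src_ip}/{netmask}", strict=False)
    target = dst_ip if ipaddress.ip_address(dst_ip) in net else gateway
    return ARP_TABLE[target]

def build_frames(src_ip=HOST, netmask=MASK, gateway=GATEWAY, peers=PEERS, n=2):
    """Return (src_mac, dst_mac, src_ip, dst_ip) tuples: n requests to each
    peer plus n replies. Replies arrive from whichever MAC we sent to."""
    frames, src_mac = [], ARP_TABLE[src_ip]
    for dst_ip in peers:
        dst_mac = next_hop_mac(src_ip, dst_ip, netmask, gateway)
        for _ in range(n):
            frames.append((src_mac, dst_mac, src_ip, dst_ip))  # outbound
            frames.append((dst_mac, src_mac, dst_ip, src_ip))  # reply
    return frames

def conversations(frames, layer):
    """Group frames by unordered address pair, layer 'eth' (MACs) or 'ipv4' (IPs).
    Returns {frozenset(pair): packet_count}, like the Conversations tab."""
    a, b = (0, 1) if layer == "eth" else (2, 3)
    return Counter(frozenset((f[a], f[b])) for f in frames)

def ips_seen_from(frames, mac):
    """Source IPs carried in frames sent from one MAC: a single IP for an
    ordinary host, several off-LAN IPs for a router."""
    return {f[2] for f in frames if f[0] == mac}

if __name__ == "__main__":
    frames = build_frames()
    for layer in ("eth", "ipv4"):
        print(layer, dict(conversations(frames, layer)))
    print("behind router MAC:", ips_seen_from(frames, ARP_TABLE[GATEWAY]))
```

Running it shows three Ethernet conversations but four IPv4 conversations: the host/router MAC pair carries both off-subnet IP conversations, which is exactly why the IP addresses inside one Ethernet conversation keep changing.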
