
Wednesday, February 01, 2012

Wireshark-users: [Wireshark-users] newbie MAC->IP question

Wireshark-users: Re: [Wireshark-users] newbie MAC->IP question



From: "Thierry Emmanuel" <Emmanuel.Thierry@xxxxxxxxxxxxxxx>
Date: Mon, 21 Jun 2010 09:58:28 +0200

To complete the explanation of János Löbb and Guy Harris (I don't know if it was clear):
Pure switches don't have (and don't need) IP addresses. A basic switch is a piece of network equipment designed to work only with Ethernet (Layer 2) traffic and theoretically ignores IP traffic (Layer 3).

We can sum up an IP connection like this (use a monospace font):
#   End user       #       # Switch  #     # Router #       # End user#
|Application (L4+) | <====================================> | App. |
|IP traffic  (L3)  | <====================> (relay ) <====> | IP   |
|Ethernet    (L2)  | <====> (relay ) <====> | Eth. | <====> | Eth. |
|Physical    (L1)  | <====> | Phy. | <====> | Phy. | <====> | Phy. |

A switch doesn't see IP traffic, doesn't show its Ethernet address, and doesn't need to show its existence at the L2 level. A router doesn't show its IP address and doesn't need to show its existence at the L3 level.

I hope this explanation will help you to understand the structure of a network.

Best Regards


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Saturday 19 June 2010 21:47
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] newbie MAC->IP question


On Jun 18, 2010, at 7:22 AM, János Löbb wrote:

> Looking at the Ethernet traffic I see the routers and switches with their Ethernet/MAC addresses.  However they do not show up in the IP traffic.  When I look at the Ethernet frame, I again see the MAC address, but I do not see its IP address.

I.e., a packet from or to a router or switch has the source IP address of the machine that ultimately sent it, not the IP address of the router?  (That is, of course, as it should be.)

> Can Wireshark - or any other program on a Mac - translate a MAC address into an IP ?

There isn't necessarily a permanent mapping between a MAC address and an IP address; a machine might, for example, be using DHCP, and, if it renews a DHCP lease, it might get a different IP address from the one it had before.

That's not likely to happen for a router - but the only way to find out a router's IP address, given its MAC address, would be to either

 1) ask the network administrator what IP address is assigned to the router with an interface with a given MAC address;

 2) send out a Reverse ARP packet, asking what the IP address is for the given MAC address, and hope somebody responds;

 3) hope that some file on your machine has that mapping, or that some network service offers that mapping.

> I looked at man arp, but I do not see it there either, and arp -a does not show the router.

"arp -a" will show the IP-to-MAC-address mappings your machine has; if your machine isn't routing traffic through that router, or otherwise communicating with that router, it won't need, and thus probably won't have, an ARP entry for that router.  (If your machine isn't plugged into a network into which that router is also plugged, it almost certainly won't have it.)

> P.S.  How can I capture only routers and Switch traffic and ignore all the workstations and vice versa  ?

You'd have to construct a capture filter that looks for the MAC addresses of the machines whose traffic you want to capture, and doesn't mention the MAC addresses of the machines whose traffic you don't want to capture.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list 
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

Determining unique MAC and IP addresses in a PCAP

Count unique IP addresses (each field needs its own -e; the two columns are split onto separate lines before de-duplicating, otherwise you get unique src/dst pairs instead of unique addresses):
tshark -r filename.cap -T fields -e ip.src -e ip.dst | tr '\t' '\n' | grep . | sort | uniq

Count unique Ethernet addresses:
tshark -r filename.cap -T fields -e eth.src -e eth.dst | tr '\t' '\n' | grep . | sort | uniq

Note that e.g. ip.addr, which seems natural, actually lists out IP conversation endpoints.
(with many thanks, and a shout-out to Sake Blok)
==========================================================================
As hangsanb alluded to, you can use Wireshark's Statistics -> Endpoints, then choose the Ethernet tab for a list of unique MAC addresses, and choose the IPv4 (or IPv6) tab for the list of unique IP addresses. You probably want to disable name resolution to see the actual values instead of the resolved OUI's or domain names. The nice thing about Statistics -> Endpoints is that it comes equipped with a "Copy" button so you can easily copy all the relevant information about those endpoints to a text/csv file for further analysis/reporting.
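As an added example (not part of the mailing-list thread or of the Q&A answer above), the following Python builds a small constructed pcap and extracts from it the same unique Ethernet and IPv4 endpoints that the tshark pipelines and Statistics -> Endpoints produce, and additionally groups the IP addresses seen behind each MAC: a MAC that fronts several IPs while never appearing with one of its own is the relay Guy Harris describes. The frame builder, the sample addresses and the function names are this example's own assumptions.

```python
import socket
import struct

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    # Ethernet II header + minimal 20-byte IPv4 header (no payload, checksum left 0)
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                             socket.inet_aton(src_ip), socket.inet_aton(dst_ip))

def pcap_bytes(pkts):
    # Classic pcap file: global header (LINKTYPE_ETHERNET = 1), then one record per frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in enumerate(pkts):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

# Constructed capture (all addresses invented): host 10.0.0.5 reaches two remote
# hosts through gateway MAC 00:00:5e:00:01:01; the gateway's own IP never appears.
HOST, GW = "02:00:00:00:00:05", "00:00:5e:00:01:01"
SAMPLE_PCAP = pcap_bytes([ipv4_frame(HOST, GW, "10.0.0.5", "198.51.100.7"),
                          ipv4_frame(GW, HOST, "198.51.100.7", "10.0.0.5"),
                          ipv4_frame(HOST, GW, "10.0.0.5", "203.0.113.9")])

def frames(pcap):
    e = "<" if struct.unpack_from("<I", pcap)[0] == 0xA1B2C3D4 else ">"  # byte order from magic
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(e + "IIII", pcap, off)[2]   # incl_len = bytes stored
        off += 16
        if incl >= 14:                            # skip frames too short for Ethernet
            yield pcap[off:off + incl]
        off += incl

def endpoints(pcap):
    # Unique Ethernet/IPv4 endpoints (as Statistics -> Endpoints lists them) and the IPs seen behind each MAC
    macs, ips, mac_to_ips = set(), set(), {}
    for f in frames(pcap):
        dst, src = f[:6].hex(":"), f[6:12].hex(":")
        macs.update((src, dst))
        if f[12:14] != b"\x08\x00" or len(f) < 34:   # only IPv4 frames carry IP addresses
            continue
        sip, dip = socket.inet_ntoa(f[26:30]), socket.inet_ntoa(f[30:34])
        ips.update((sip, dip))
        mac_to_ips.setdefault(src, set()).add(sip)
        mac_to_ips.setdefault(dst, set()).add(dip)
    return macs, ips, mac_to_ips

def likely_gateways(pcap):
    # A MAC seen carrying traffic for several IPs is relaying (a router), not an end host
    return {m for m, seen in endpoints(pcap)[2].items() if len(seen) > 1}
```

On a real capture, read the file bytes and pass them to endpoints(); the gateway heuristic only says which MACs relay for others, it still cannot recover the router's own IP, for the reasons given in the thread.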

Wireshark: some statistics examples

Wireshark provides many different statistics, which can be consulted by clicking the "Statistics" menu at the top of the screen.

Below we present some statistics examples:
- Summary
- Protocol Hierarchy
- Conversations
- Endpoints
- IO Graphs
- Conversation List
- Endpoint List
- Service Response Time
- RTP
- SIP
- VoIP Calls
- Destinations
- Flow Graph
- HTTP
- IP address
- Packet Length
- Port Type

(screenshot: wireshark statistics menu)

Summary

Basic global statistics are available in the Summary window, such as:
- Capture file properties
- Capture time
- Capture filter information
- Display filter information

(screenshot: wireshark statistics summary)


Protocol Hierarchy

The Protocol Hierarchy shows a breakdown of the displayed data per OSI layer.

(screenshot: wireshark statistics protocol hierarchy)


Conversations

With TCP/IP traffic you should find four active tabs, for Ethernet, IP, TCP and UDP conversations. A "conversation" is the traffic between two hosts.
The number after the protocol name in each tab indicates the number of conversations, for instance "Ethernet:6".

Ethernet conversations:
(screenshot: wireshark statistics conversations ethernet)

IP conversations:
(screenshot: wireshark statistics conversations ip)

TCP conversations:
(screenshot: wireshark statistics conversations tcp)

UDP conversations:
(screenshot: wireshark statistics conversations udp)




Endpoints

The Endpoints window provides statistics about received and transmitted data on a per-machine basis.
The number after the protocol name in each tab indicates the number of endpoints, for instance "Ethernet:6".

Ethernet endpoints:
(screenshot: wireshark statistics endpoints ethernet)

IP endpoints:
(screenshot: wireshark statistics endpoints ip)

TCP endpoints:
(screenshot: wireshark statistics endpoints tcp)

UDP endpoints:
(screenshot: wireshark statistics endpoints udp)


IO Graphs

Basic graphs can be obtained under the "IO Graphs" section.
Several graphs can be added to the same window, one per display filter.
In our example below, we chose to draw two graphs, based on a "tcp" and an "http" display filter.

(screenshot: wireshark io graphs)


Conversation List

The "Conversation List" section provides the same information as the "Conversations" section.


Endpoint List

The "Endpoint List" section provides the same information as the "Endpoints" section.


Service Response Time

13 protocols are available for in-depth inspection.
In our example we chose SMB (Server Message Block), which runs on top of the NetBIOS protocol (see the Protocol Hierarchy screenshot) and is typically used for file sharing in a local Microsoft Windows environment.

(screenshot: wireshark service response time, protocol selection)

The Wireshark display filter is entered in the SMB filter field.
In our example, we use no display filter.

(screenshot: wireshark service response time, SMB results)





RTP

RTP (Real-time Transport Protocol, RFC 3550) is a protocol for carrying voice and video communications over an IP network. It runs on top of UDP (User Datagram Protocol).
It is frequently used in conjunction with SIP or H.323, which handle the signaling.

Show all streams:
(screenshot: wireshark RTP all streams)

Stream analysis:
(screenshot: wireshark RTP stream analysis)


SIP

SIP (Session Initiation Protocol, RFC 3261) is a signaling protocol for establishing VoIP or video sessions.
It typically works together with RTP, which carries the multimedia data.

(screenshot: wireshark SIP)


VoIP Calls

VoIP (Voice over IP) generally uses two kinds of protocols:
- signaling protocols such as SIP or H.323
- transport protocols such as RTP

(screenshot: wireshark voip calls)


Destinations

The "Destinations" section shows all the destination IP addresses of the network packets.

(screenshot: wireshark destinations)


Flow Graph

The "Flow Graph" section provides a sequential analysis of TCP connections.
In our example, we created a display filter to target only traffic to the openmaniak.com website.

(screenshot: wireshark flow graph)

The first three lines show a TCP connection establishment, with the "SYN", "SYN ACK" and "ACK" sequence.

(screenshot: wireshark flow graph filter)





HTTP

HTTP (Hypertext Transfer Protocol) is a client-server communication protocol used to transfer web pages and other files.
An HTTP client, most of the time a web browser, sends an HTTP request to a web server using the well-known "URL" field to locate the file. The web server answers with an HTTP response that delivers the requested web page to the client.

Three sub-sections are available under "HTTP":
- Load Distribution
- Packet Counter
- Requests

Load Distribution:

In our example, we created a display filter to target only traffic to the openmaniak.com website.

(screenshot: wireshark http load distribution)

Packet Counter:

Displays the HTTP requests and responses.
In our example, we created a display filter to target only traffic to the openmaniak.com website.

(screenshot: wireshark http packet counter)

Requests:

Displays the files consulted on the web server.
In our example, we created a display filter to target only traffic to the openmaniak.com website.

(screenshot: wireshark http requests)


IP address

Displays the source or destination IP addresses of the network packets.

(screenshot: wireshark ip address)



Port Type

Displays TCP or UDP port statistics.

(screenshot: wireshark port type)