Wireshark-users: [Wireshark-users] newbie MAC->IP question

Wireshark-users: Re: [Wireshark-users] newbie MAC->IP question

Date Index Thread Index Other Months All Mailing Lists

Date Prev Date Next Thread Prev Thread Next

From: "Thierry Emmanuel" <Emmanuel.Thierry@xxxxxxxxxxxxxxx>
Date: Mon, 21 Jun 2010 09:58:28 +0200

To achieve the explanation of János Löbb and Guy Harris (I don't know if it was clear) :
Pure switches don't have (and don't need) IP addresses. A basic switch is a network equipment designed to work only with Ethernet (Layer 2) traffic and theorically ignore IP traffic (Layer 3).

We can sum up an IP connection as this (use a monospace police):
#   End user       #       # Switch  #     # Router #       # End user#
|Application (L4+) | <====================================> | App. |
|IP traffic  (L3)  | <====================> (relay ) <====> | IP   |
|Ethernet    (L2)  | <====> (relay ) <====> | Eth. | <====> | Eth. |
|Physical    (L1)  | <====> | Phy. | <====> | Phy. | <====> | Phy. |

Switch doesn't see IP traffic and doesn't show its Ethernet address and doesn't need to show its existence at L2 level. Router doesn't show its IP address and doesn't need to show its existence at L3 level.

I hope this explanation will help you to understand the structure of a network.

Best Regards


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: samedi 19 juin 2010 21:47
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] newbie MAC->IP question


On Jun 18, 2010, at 7:22 AM, János Löbb wrote:

> Looking the Ethernet traffic I see the routers and switches with their ethernet/MAC address.  However they do not show up in the IP traffic.  When I look the Ethernet frame, I again see the MAC address, but I do not see its IP address.

I.e., a packet from or to a router or switch has the source IP address of the machine that ultimately sent it, not the IP address of the router?  (That is, of course, as it should be.)

> Can Wireshark - or any other program on a Mac - translate a MAC address into an IP ?

There isn't necessarily a permanent mapping between a MAC address and an IP address; a machine might, for example, be using DHCP, and, if it renews a DHCP lease, it might get a different IP address from the one it had before.

That's not likely to happen for a router - but the only way to find out a router's IP address, given its MAC address, would be to either

 1) ask the network administrator what IP address is assigned to the router with an interface with a given MAC address;

 2) send out a Reverse ARP packet, asking what the IP address is for the given MAC address, and hope somebody responds;

 3) hope that some file on your machine has that mapping, or that some network service offers that mapping.

> I looked at man arp, but I do not see it there either and arp -a do not show the router.

"arp -a" will show the IP-to-MAC-address mappings your machine has; if your machine isn't routing traffic through that router, or otherwise communicating with that router, it won't need, and thus probably won't have, an ARP entry for that router.  (If your machine isn't plugged into a network into which that router is also plugged, it almost certainly won't have it.)

> P.S.  How can I capture only routers and Switch traffic and ignore all the workstations and vice versa  ?

You'd have to construct a capture filter that looks for the MAC addresses of the machines whose traffic you want to capture, and doesn't mention the MAC addresses of the machines whose traffic you don't want to capture.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list 
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

Determining unique MAC and IP addresses in a PCAP

Count unique IP addresses:
tshark -r filename.cap  -T fields -e ip.dst ip.src | sort | uniq

Count unique Ethernet addresses:
tshark -r filename.cap -T fields -e eth.dst eth.src | sort | uniq

Note that e.g. ip.addr, which seems natural, actually lists out IP conversation endpoints.
(with many thanks, and a shout-out to Sake Blok)
==========================================================================
As hangsanb alluded to, you can use Wireshark's Statistics -> Endpoints, then choose the Ethernet tab for a list of unique MAC addresses, and choose the IPv4 (or IPv6) tab for the list of unique IP addresses. You probably want to disable name resolution to see the actual values instead of the resolved OUI's or domain names. The nice thing about Statistics -> Endpoints is that it comes equipped with a "Copy" button so you can easily copy all the relevant information about those endpoints to a text/csv file for further analysis/reporting.

Wireshark some statistics examples:

Wireshark provides a lot of different statistics which can be consulted if you click on the "statistics" field on the top of the screen.

We will present below, some statistics examples:

---

Summary Protocol Hierarchy Conversations Endpoints IO Graphs Conversation List Endpoint List Service Response Time
RTP SIP VoIP Calls Destinations Flow Graph HTTP IP address Packet Length Port Type

---

Summary

Basic global statistics are available in the summary window such as:
- Capture file properties
- Capture time
- Capture filter information.
- Display filter information.



Top of the page

---

Protocol Hierarchy

The protocol hierarchy shows a dissection per OSI layer of the displayed data.



Top of the page

---

Conversations

If you use TCP/IP suite application or protocol, you should find four active tabs for Ethernet, IP, TCP and UDP conversations. A "conversation" represents the traffic between two hosts.
The number in the tab after the protocol indicates the number of conversations. For instance: "Ethernet:6".

Ethernet conversations:



IP conversations:



TCP conversations:



UDP conversations:



Top of the page

---

Endpoints

The endpoints provide statistics about received and transmitted data on a per machine base.
The number after the protocol indicates the number of endpoints. For instance: "Ethernet:6".

Ethernet endpoints:



IP endpoints:



TCP endpoints:



UDP endpoints:



Top of the page

---

IO Graphs

Basic graphics can be obtained under the "IO graphs" section.
Multiple graphics can be added in the same window on a per display filter base.
In our example below, we chose to draw two graphs depending on a "tcp" and "http" display filter.



Top of the page

---

Conversation List

The "Conversation List" section provides the same information as the one given by the "Conversations" section.

Top of the page

---

Endpoint List

The "Endpoint list" section provides the same information as the one given by the "Endpoints" section.

Top of the page

---

Service Response Time

13 protocols are available for an in-depth inspection.
In our example we chose SMB (Server Message Block) which runs on top of the NetBIOS protocol (see Protocol Hierarchy screenshot) and is typically used when files are shared on a Local Microsoft Windows environment.



The Wireshark display filter is shown in the smb filter field.
In our example, we have no display filter.





Top of the page

---

RTP

RTP (Real-time Transport Protocol, RFC 3550) is a protocol for carrying voice and video communications over an IP network. It runs on the top of the User Datagram Protocol. (UDP)
It is frequently used in conjunction with SIP or H.323 which provide the signaling tasks.

Show all streams





Stream analysis







Top of the page

---

SIP

SIP (Session Initiation Protocol, RFC 3261) is a signaling protocol for establishing VoIP or video sessions.
It works typically with the RTP protocol which is used to transmit multimedia data.





Top of the page

---

VoIP Calls

VoIP (Voice over IP) generally uses two types of protocols:
- signaling protocols such as SIP or H.323
- carrying protocols such as RTP





Top of the page

---

Destinations

The "Destinations" section shows all the destination IP addresses of the network packets.





Top of the page

---

Flow Graph

The "Flow Graph" section provides a sequential analysis of TCP connections.
In our example, we created a displayed filter to target only traffic to the openmaniak.com website.



The three first lines show a TCP connection establishment with the "SYN", "SYN ACK" and "ACK" sequences.




Top of the page

---

HTTP

HTTP (Hypertext Transfer Protocol) is a client-server communication protocol used to transfer HTML files.
An HTTP client, most of the time a web browser, sends an HTTP request to a web server with the well-known "URL" field to locate the file. The web server will answer with an HTTP response and provides to the client the desired web page.

Three sub-sections are available under "HTTP":
- Load Distribution
- Packet Counter
- Requests

Load distribution:



In our example, we created a displayed filter to target only trafic to the openmaniak.com website.





Packet Counter:

Display the HTTP requests and responses.



In our example, we created a displayed filter to target only traffic to the openmaniak.com website.





Requests:

Display the files consulted on the web server.



In our example, we created a displayed filter to target only traffic to the openmaniak.com website.





Top of the page

---

IP address

Display the source or destination IP address of the network packets.





Top of the page

---

Packet Length





Top of the page

---

Port Type

Display TCP or UDP ports statistics.