To get comfortable with Wireshark and how it works, I performed 5 different captures and analyzed the traffic.
Here are my most interesting findings:
- Notable endpoints:
  - Edgecast [content delivery network (CDN)]
  - Cloudflarenet [web-infrastructure and website-security company]
  - Automattic Inc [WordPress]
  - Fastly [cloud computing services provider]
- After applying the filter tcp.port == 80 || udp.port == 80, I had no HTTP traffic in my captures.
- My iPhone and iPad are constantly talking to my computer and sending each other packets back and forth. The words “companion links” came up a few times in the info column. They were communicating over the ARP protocol with almost human-like messages that said “Who has [some address]?” and “[some address] is at [long string].” After some Google searches, I learned that ARP stands for Address Resolution Protocol. When I ping an IP address on my local network and ARP cannot find a cached value, ARP broadcasts a message to the network to ask who owns it. ARP is needed to translate between an IP address (software) and a MAC address [Media Access Control address] (hardware).
- Oddly enough, one of my parents’ phones (a Samsung Galaxy) appeared in my capture even though I was not making any “explicit” requests to that device. I was able to decipher the word googlecast in the info column.
- When I applied the filter not (tcp.port == 443 || udp.port == 443), I saw a lot of DNS and MDNS traffic. Specifically, I noticed communication between my computer and “plume.lan.” According to their website, “Plume’s CEM Platform is the first of its kind—a complete solution of front- and back-end Smart Home Services.” It is a Wi-Fi management system that keeps you efficiently connected to all your devices. They list Charter Communications on their website as a partner, which is part of Spectrum, my internet provider. That solves the mystery of why I was seeing it so frequently!
- I also noticed packets labeled “Router Solicitation Message” and “Router Advertisement Message.” These are packets that are usually sent between a host computer and a router to announce available IP addresses for routing.
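To make the ARP exchange above concrete, here is an added example (not part of the original post) that decodes raw ARP frames into the same “Who has …? Tell …” and “… is at …” strings Wireshark shows in its Info column, and then flags an IP that is claimed by more than one MAC address in replies, the kind of inconsistency a defender watches for. All addresses and frames are constructed for the example.

```python
import struct
from collections import defaultdict

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(o) for o in s.split("."))
def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def build_arp_frame(dst_mac, src_mac, opcode, sha, spa, tha, tpa):
    """Build an Ethernet II frame (EtherType 0x0806) carrying one IPv4-over-Ethernet ARP packet."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, op
    arp += _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", 0x0806) + arp

# Constructed sample capture: a request, the legitimate reply, and a second reply
# from a different MAC claiming the same IP (made up to show the conflict check).
SAMPLE_FRAMES = [
    build_arp_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:00:00:50", 1,
                    "aa:bb:cc:00:00:50", "192.168.1.50", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp_frame("aa:bb:cc:00:00:50", "aa:bb:cc:00:00:01", 2,
                    "aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:50", "192.168.1.50"),
    build_arp_frame("aa:bb:cc:00:00:50", "de:ad:be:ef:00:99", 2,
                    "de:ad:be:ef:00:99", "192.168.1.1", "aa:bb:cc:00:00:50", "192.168.1.50"),
]

def decode_arp(frame):
    """Return a Wireshark-style Info string for an ARP frame, or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only IPv4 over Ethernet is handled here
    sha, spa = fmt_mac(frame[22:28]), fmt_ip(frame[28:32])
    tpa = fmt_ip(frame[38:42])
    if op == 1:
        return f"Who has {tpa}? Tell {spa}"
    if op == 2:
        return f"{spa} is at {sha}"
    return f"ARP opcode {op}"

def find_ip_mac_conflicts(frames):
    """Map each IP seen in ARP replies to the MACs claiming it; return only IPs claimed by more than one MAC."""
    claims = defaultdict(set)
    for f in frames:
        if decode_arp(f) is not None and struct.unpack("!H", f[20:22])[0] == 2:
            claims[fmt_ip(f[28:32])].add(fmt_mac(f[22:28]))
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(decode_arp(f))
    print("conflicts:", find_ip_mac_conflicts(SAMPLE_FRAMES))
```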
Some questions I still have after this exercise:
- What is the main difference between a MAC address and IP address?
- What does a malicious packet usually look like?