Packet Analysis

Packet Sniffing

To get comfortable with Wireshark and how it works, I performed 5 different captures and analyzed the traffic.

Here are my most interesting findings:

  • Notable endpoints:
    1. Amazon
    2. Google
    3. Microsoft
    4. Edgecast [content delivery network (CDN)]
    5. Cloudflarenet [web-infrastructure and website-security company]
    6. Github
    7. Automattic Inc [Wordpress]
    8. Fastly [cloud computing services provider]
  • After applying the filter tcp.port == 80 || udp.port == 80, I had 0 http traffic in my network traffic.
  • My iPhone and iPad are constantly talking to my computer and sending each packets back and forth. The words “companion links” came up a few times in the info column. They were communicating on the ARP protocol with almost human-like messages that said “Who has [some address]?” and “[some address] is at [long string].” After some Google searches, I learned that ARP stands for Address Resolution Protocol. When I ping an IP address on my local network and ARP cannot find the cached value, ARP will broadcast a message to the network to see who it is. ARP is needed to convert to translate between an IP address (software) and MAC address [Media Access Control address] (hardware).
  • Oddly enough, one of my parent’s phone (a Samsung Galaxy) was appearing in my capture even though I was not trying to make any “explicit ” requests to that device. I was able to decipher the words googlecast in the info column.
  • When I applied the filter not (tcp.port == 443 || udp.port == 443), I saw a lot of DNS and MDNS protocols. Specifiably, I noticed communication between my computer and “plume.lan.” According to their website, “Plume’s CEM Platform is the first of its kind—a complete solution of front- and back-end Smart Home Services.” It is a wifi management system to keep you connected to all your devices efficiently. They list Charter Communications on their website as a partner which is a part of Spectrum, my internet provider. That solves the mystery of why I was seeing that so frequently!
  • I also noticed packets labeled with “Router Solicitation Message” and “Router Advertisement Message.” These are packets that are usually sent between a computer host and a router to announce available IP addresses for routing.

Some questions I still have after this exercise:

  • What is the main difference between a MAC address and IP address?
  • What does a malicious packet usually look like?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s