Ping Traces and Wireshark captures

asked Jun 10 '1 by davidakz

updated Jun 10 '1 by grahamb

When I ping two IP addresses on the local network, I get the following as expected.

~ % ping 10.10.100.254
64 bytes from 10.10.100.254: icmp_seq=0 ttl=255 time=6.693 ms
64 bytes from 10.10.100.254: icmp_seq=1 ttl=255 time=1.628 ms

~ % ping 10.10.100.1
64 bytes from 10.10.100.1: icmp_seq=0 ttl=64 time=0.067 ms
64 bytes from 10.10.100.1: icmp_seq=1 ttl=64 time=0.066 ms

However, using Wireshark to look at the content of packets between the two destinations, I got the following:

Source         Destination    Protocol  Length  Info
10.10.100.254  10.10.100.1    ICMP      70      Destination Unreachable(port unreachable)
10.10.100.1    10.10.100.254  UDP       46      55180 -> 192   Len = 4

Why is there a difference between the two, and what steps do I need to take to read the contents of any packets between the two? Thanks for any help.


2 Answers


answered Jun 10 '1 by Jaap

These two observations are only partly related.

One; The use of ping shows you that basic IP networking between the nodes is possible. When sending out ICMP echo packets you get a reply, so that's good.

Two; Then you send out a UDP packet. This packet is used to transport a datagram over IP to the destination node at a specific UDP port. This succeeds iff there's a process at the destination node which has opened that UDP port. Otherwise the network stack at the destination node wants to inform you that the destination is unreachable, because the (UDP) port is unreachable (or rather, it's closed). That is what that ICMP packet is for.

Note: I think you'll see the proper ordering is UDP packet first, and in response you'll see the ICMP packet.

As for the question on what you should do to read the contents of the packets, you're already doing that. You're capturing these packets and they're dissected right there. To see all the details open up the details in the packet details pane, or, if using TShark, add the -V flag to get verbose output.

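To make the answer above concrete, here is an added Python example (my own illustration, not code from the answer or from the Wireshark project) that decodes the two frames from the question the way the packet details pane does. The frames are constructed to match the question's rows (46 and 70 bytes on the wire); the MAC addresses, IP identification field and zeroed checksums are placeholders. The point it demonstrates is that an ICMP Destination Unreachable message quotes the original IP header and the first 8 bytes of its payload, so the decoder can recover which UDP port the rejected datagram was addressed to.

```python
import struct
import ipaddress

# --- Constructed sample frames (not real capture data) ------------------------
# Modelled on the two rows in the question: a 46-byte UDP frame
# 10.10.100.1:55180 -> 10.10.100.254:192 carrying 4 payload bytes, and the
# 70-byte ICMP Destination Unreachable that the .254 host sends back.
# Checksums are left as 0 because this code only decodes, never sends.

def eth_header(dst_mac, src_mac):
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"  # EtherType IPv4

def ipv4_header(src, dst, proto, payload_len):
    # version/IHL=0x45, DSCP, total length, ID, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

MAC_HOST1, MAC_HOST254 = "112233445566", "aabbccddeeff"   # placeholder MACs

# UDP datagram: 20-byte IP header + 8-byte UDP header + 4 payload bytes = 32 bytes
UDP_DATAGRAM = (ipv4_header("10.10.100.1", "10.10.100.254", 17, 12)
                + struct.pack("!HHHH", 55180, 192, 12, 0) + b"ping")
UDP_FRAME = eth_header(MAC_HOST254, MAC_HOST1) + UDP_DATAGRAM            # 46 bytes

# ICMP type 3 (Destination Unreachable), code 3 (port unreachable). Per RFC 792 the
# error quotes the original IP header plus the first 8 bytes of its payload, i.e.
# the whole UDP header, which is how Wireshark knows which port was closed.
ICMP_MESSAGE = struct.pack("!BBHI", 3, 3, 0, 0) + UDP_DATAGRAM[:28]
ICMP_FRAME = (eth_header(MAC_HOST1, MAC_HOST254)
              + ipv4_header("10.10.100.254", "10.10.100.1", 1, len(ICMP_MESSAGE))
              + ICMP_MESSAGE)                                            # 70 bytes

UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 4: "fragmentation needed"}

def parse_frame(frame):
    """Decode Ethernet/IPv4 and the UDP or ICMP header of one frame.
    For ICMP Destination Unreachable, also decode the quoted original datagram."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return {"proto": "non-IPv4", "length": len(frame)}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info = {"length": len(frame),
            "src": str(ipaddress.IPv4Address(ip[12:16])),
            "dst": str(ipaddress.IPv4Address(ip[16:20]))}
    l4 = ip[ihl:]
    if ip[9] == 17:
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        info.update(proto="UDP", sport=sport, dport=dport, payload_len=ulen - 8)
    elif ip[9] == 1:
        info.update(proto="ICMP", type=l4[0], code=l4[1])
        if l4[0] == 3:
            inner = l4[8:]                      # quoted original IP header
            inner_ihl = (inner[0] & 0x0F) * 4
            ports = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
            info["original"] = {"src": str(ipaddress.IPv4Address(inner[12:16])),
                                "dst": str(ipaddress.IPv4Address(inner[16:20])),
                                "proto": inner[9], "sport": ports[0], "dport": ports[1]}
    return info

def summarize(frame):
    """One-line summary similar to the Info column, plus the quoted datagram for ICMP errors."""
    p = parse_frame(frame)
    if p.get("proto") == "UDP":
        return f"{p['src']} -> {p['dst']} UDP {p['sport']} -> {p['dport']} Len={p['payload_len']}"
    if p.get("proto") == "ICMP" and p["type"] == 3:
        o = p["original"]
        return (f"{p['src']} -> {p['dst']} ICMP Destination Unreachable "
                f"({UNREACH_CODES.get(p['code'], p['code'])}) for "
                f"{o['src']}:{o['sport']} -> {o['dst']}:{o['dport']}")
    return f"{p.get('src')} -> {p.get('dst')} {p.get('proto')}"

if __name__ == "__main__":
    for frame in (UDP_FRAME, ICMP_FRAME):
        print(summarize(frame))
```

Running it prints the UDP line first and then the ICMP error that quotes 10.10.100.1:55180 -> 10.10.100.254:192, which is the same information Wireshark shows when you expand the ICMP node in the details pane (or run TShark with -V).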

Comments

Thanks for your timely, interesting and most useful response.

Via Wireshark's Statistics/Conversations, it is clear to me that the port through which the data needs to pass is closed on *.254, namely Port 8899. I would post the screen dump of the conversation, but I don't have the (60 ) points to do this.

"To see all the details open up the details in the packet details pane, or, if using TShark, add the -V flag to get verbose output"

What is TShark please? Is it a Command Line version? I am using the GUI version for Mac v 3.4.6 and struggling to find the verbose output.

Thanks again for your response.

davidakz ( Jun 10 '1 )

TShark is part of the Wireshark suite of tools and is the command line version and should be installed in the same location as the GUI executable.

grahamb ( Jun 10 '1 )

What is TShark please? Is it a Command Line version?

Yes.

I am using the GUI version for Mac v 3.4.6 and struggling to find the verbose output.

Try looking below the list of packets. :-)

Wireshark, by default, should show you three panes within the window:

  • the packet summary pane, at the top, showing one line per packet;
  • the packet details pane, below that, showing, if exactly one packet is selected, a detailed dissection of the packet;
  • the hex dump pane, below that, showing, if exactly one packet is selected, the raw data of the packet, in hex and ASCII, and possibly hex and ASCII data from higher-level reassembled packets.

You may have to "open up" items in the packet detail pane, by clicking on the ">" items on the left, or open up all the items by selecting View > Expand All from the menu bar.

Guy Harris ( Jun 10 '1 )

answered Jun 10 '1 by BigFatCat

The contents posted are not your pings.

Source         Destination    Protocol  Length  Info
10.10.100.254  10.10.100.1    ICMP      70      Destination Unreachable(port unreachable)

You have to look at the packet detail for more information. It could be because of the subsequent packet 10.10.100.1 trying to reach 10.10.100.254:192.

Source         Destination    Protocol  Length  Info
10.10.100.1    10.10.100.254  UDP       46      55180 -> 192 Len = 4

This is trying to send a packet to 10.10.100.254:192.

To see only all traffic between the two addresses start building a complex display filter using ip.addr==xx.xx.xx.xx. The complex display filter will narrow the display packets to only the traffic you are interested in.

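As an added illustration of the display filter advice (my own example, not code from the answer or from Wireshark), the following Python evaluates a small subset of Wireshark's display filter syntax over constructed packet summaries: the two frames from the question, the echo request/reply behind the ping, and two unrelated datagrams. It supports only `field==value` terms joined by `&&` and `||`, with no parentheses or negation, but it reproduces the semantics that matter here: `ip.addr` matches either end of a packet and `udp.port` either port, which is why `ip.addr==A && ip.addr==B` captures a whole conversation while `ip.src==A && ip.dst==B` shows one direction only. The packet list and field names are assumptions made for this example.

```python
import re

# Constructed packet summaries (not real capture data): the two frames from the
# question (1, 2), the echo request/reply behind the ping (3, 4) and unrelated traffic (5, 6).
PACKETS = [
    {"no": 1, "ip.src": "10.10.100.1",   "ip.dst": "10.10.100.254", "udp.srcport": 55180, "udp.dstport": 192},
    {"no": 2, "ip.src": "10.10.100.254", "ip.dst": "10.10.100.1",   "icmp.type": 3, "icmp.code": 3},
    {"no": 3, "ip.src": "10.10.100.1",   "ip.dst": "10.10.100.254", "icmp.type": 8, "icmp.code": 0},
    {"no": 4, "ip.src": "10.10.100.254", "ip.dst": "10.10.100.1",   "icmp.type": 0, "icmp.code": 0},
    {"no": 5, "ip.src": "10.10.100.1",   "ip.dst": "224.0.0.251",   "udp.srcport": 5353, "udp.dstport": 5353},
    {"no": 6, "ip.src": "10.10.100.9",   "ip.dst": "10.10.100.254", "udp.srcport": 40001, "udp.dstport": 53},
]

def field_values(pkt, name):
    """Values a filter field name refers to. Like Wireshark, ip.addr covers both
    addresses and udp.port both ports, so 'ip.addr==X' matches either direction."""
    if name == "ip.addr":
        return [pkt["ip.src"], pkt["ip.dst"]]
    if name == "udp.port":
        return [pkt[k] for k in ("udp.srcport", "udp.dstport") if k in pkt]
    return [pkt[name]] if name in pkt else []

_ATOM = re.compile(r"^\s*([A-Za-z][\w.]*)\s*==\s*(\S+)\s*$")

def eval_atom(atom, pkt):
    """Evaluate one 'field==value' term; a field absent from the packet never matches."""
    m = _ATOM.match(atom)
    if not m:
        raise ValueError(f"unsupported filter term: {atom!r}")
    name, value = m.groups()
    return value in [str(v) for v in field_values(pkt, name)]

def matches(expr, pkt):
    """Evaluate 'a && b || c' with && binding tighter than ||; no parentheses or negation."""
    return any(all(eval_atom(a, pkt) for a in term.split("&&")) for term in expr.split("||"))

def apply_filter(expr, packets):
    return [p for p in packets if matches(expr, p)]

def conversation_filter(a, b):
    """Filter for all traffic between two hosts, regardless of direction."""
    return f"ip.addr=={a} && ip.addr=={b}"

if __name__ == "__main__":
    for expr in ("ip.addr==10.10.100.254",
                 conversation_filter("10.10.100.1", "10.10.100.254"),
                 "ip.src==10.10.100.1 && ip.dst==10.10.100.254",   # one direction only: misses the replies
                 "udp.port==192 || icmp.type==3"):
        print(f"{expr:50} -> frames {[p['no'] for p in apply_filter(expr, PACKETS)]}")
```

With the constructed list, `ip.addr==10.10.100.254` also picks up frame 6 from a third host, the conversation filter narrows the view to frames 1 to 4, and the directional `ip.src`/`ip.dst` form drops the ICMP error and echo reply coming back from .254. The same expressions can be pasted into Wireshark's display filter bar.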


Stats

Asked: Jun 10 '1

Seen: 20,129 times

Last updated: Jun 10 '21