Ask Your Question
0

Ping Traces and Wireshark captures

asked 2021-06-10 05:24:22 +0000

davidakz gravatar image

updated 2021-06-10 07:31:05 +0000

grahamb gravatar image

When I ping two IP addresses on the local network, I get the following as expected.

~ % ping 10.10.100.254
64 bytes from 10.10.100.254: icmp_seq=0 ttl=255 time=6.693 ms
64 bytes from 10.10.100.254: icmp_seq=1 ttl=255 time=1.628 ms

 ~ % ping 10.10.100.1
64 bytes from 10.10.100.1: icmp_seq=0 ttl=64 time=0.067 ms
64 bytes from 10.10.100.1: icmp_seq=1 ttl=64 time=0.066 ms

However, using Wireshark to look at the content of packets between the two destinations, I got the following:

Source         Destination    Protocol  Length  Info
10.10.100.254  10.10.100.1    ICMP      70      Destination Unreachable(port unreachable)
10.10.100.1    10.10.100.254  UDP       46      55180 -> 192   Len = 4

Why is there a difference between the two and what steps do I need to take to read the contnets of any packets between the two. hanks for any help

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2021-06-10 06:02:15 +0000

Jaap gravatar image

These two observations are only partly related.

One; The use of ping shows you that basic IP networking between the nodes is possible. When sending out ICMP echo packets you get a reply, so that's good.

Two; Then you send out a UDP packet. This packet is used to transport a datagram over IP to the destination node at a specific UDP port. This succeeds iff there's a proces at the destination node which has opened that UDP port. Otherwise the network stack at the destination node wants to inform you that the destination is unreachable, because the (UDP) port is unreachable (or rather, it's closed). That is what that ICMP packet is for.

Note: I think you'll see the proper ordering is UDP packet first, and in response you'll see the ICMP packet

As for the question on what you should do to read the contents of the packets, you're already doing that. You're capturing these packets and they're dissected right there. To see all the details open up the details in the packet details pane, or, if using TShark, add the -V flag to get verbose output.

edit flag offensive delete link more

Comments

Thanks for your timely, interesting and most useful response.

Via Wiresharks Statistics/Conversations, it is clear to me that the port through which the data needs to pass is closed on *.254, namely Port 8899. I would post the screen dump of the conversation, but I don't have the (60 ) points to do this.

"To see all the details open up the details in the packet details pane, or, if using TShark, add the -V flag to get verbose output"

What is TShark please ? Is it a Command Line version ?I am using The GUI version for Mac v 3.4.6 and struggling to find the verbose output.

Thanks again for your response.

davidakz gravatar imagedavidakz ( 2021-06-10 07:40:24 +0000 )edit

TShark is part of the Wireshark suite of tools and is the command line version and should be installed in the same location as the GUI executable.

grahamb gravatar imagegrahamb ( 2021-06-10 07:58:00 +0000 )edit

What is TShark please ? Is it a Command Line version ?

Yes.

I am using The GUI version for Mac v 3.4.6 and struggling to find the verbose output.

Try looking below the list of packets. :-)

Wireshark, by default, should show you three panes within the window:

  • the packet summary pane, at the top, showing one line per packet;
  • the packet details pane, below that, showing, if exactly one packet is selected, a detailed dissection of the packet;
  • the hex dump pane, below that, showing, if exactly one packet is selected, the raw data of the packet, in hex and ASCII, and possibly hex and ASCII data from higher-level reassembled packets.

You may have to "open up" items in the packet detail pane, by clicking on the ">" items on the left, or open up all the items by selecting View > Expand All from the menu bar.

Guy Harris gravatar imageGuy Harris ( 2021-06-10 07:58:54 +0000 )edit
0

answered 2021-06-10 07:33:46 +0000

BigFatCat gravatar image

The contents posted are not your pings. 10.10.100.254----10.10.100.1-------------ICMP----------------70-----------------Destination Unreachable(port unreachable), you have to look at the packet detail for more information. It could be the because of the subsequent packet 10.10.100.1 trying to reach 10.10.100.254:192.

10.10.100.1-------10.10.100.254----------UDP-----------------46-----------------55180 -> 192 Len = 4 is trying to send a packet to 10.10.100.254:192

To see only all traffic between the two addresses start building a complex display filter using ip.addr==xx.xx.xx.xx. The complex display filter will narrow the display packets to only the traffic you are interested in.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-06-10 05:24:22 +0000

Seen: 131 times

Last updated: Jun 10