
Traceroute Capture

asked 2019-02-09 23:27:18 +0000

I am running traceroute from windows cmd prompt. Wireshark is capturing the traffic protocol as Skype and not ICMP. Why?


Comments

I am running traceroute from windows cmd prompt.

traceroute, or tracert? UN*X systems tend to ship with traceroute, which, by default, sends UDP packets; Windows ships with tracert, which sends ICMP echo packets, with no option to send UDP packets.

Guy Harris ( 2019-02-10 03:26:04 +0000 )

Have you some kind of host firewall or antivirus software enabled?

Christian_R ( 2019-02-10 11:59:14 +0000 )

1 Answer


Bob Jones, answered 2019-02-10 00:51:21 +0000

updated 2019-02-10 16:07:26 +0000 by Guy Harris

I just ran

C:\Windows\system32>TRACERT.EXE 8.8.8.8

From my older Windows 8 box and got this:

[screenshot omitted]

So it works for me on my Windows platform. Why doesn't it work for you? Sharing your capture file would be a big help but anyway, some possible causes:

  • You have mis-identified the traffic: i.e. the traffic that you think is coming from tracert is not correct. Maybe the wrong display filter; maybe capturing on the wrong interface; maybe...

  • Your Wireshark decoders are not configured correctly so they show the wrong type

  • You are not using the Windows version of tracert.exe, but a third party tool that can use UDP and/or TCP and the transport layer port is decoded by Wireshark as skype (https://www.netscantools.com/nstpro_t...)

  • You have a different version of Windows than I do and it does not use ICMP, but rather UDP and/or TCP which Wireshark decodes as skype

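Guy Harris's comment and Bob Jones's list of causes both reduce to one practical check: read the IP protocol field and the transport header from the bytes yourself rather than trusting the Protocol column, which for UDP can come from a heuristic dissector (Wireshark's Skype dissector is one of those heuristics). The script below is an added example, not part of the original thread and not Wireshark code. It constructs tracert-style probes (ICMP echo requests) and UNIX traceroute-style probes (UDP to ports starting at 33434), classifies each packet from its raw IPv4 header, and then reports runs of probes whose TTL climbs from 1, which is the traceroute signature regardless of the label a port heuristic attaches. The addresses, the identification value and the 90-port upper bound for the UDP range are assumptions chosen for the example.

```python
"""Classify traceroute-style probes from raw IPv4 bytes (added example).

Constructed sample packets only; nothing here is taken from the
question's capture. Python 3, standard library only."""
import socket
import struct

ICMP, UDP = 1, 17
# Classic UNIX traceroute starts at UDP destination port 33434 and bumps it
# per probe. The upper bound (30 hops x 3 probes) is an assumption, not a
# standard value.
TRACEROUTE_PORT_BASE, TRACEROUTE_PORT_MAX = 33434, 33434 + 90


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words (pads odd lengths)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + payload


def icmp_echo_request(ident: int, seq: int, data: bytes = b"abcdefgh") -> bytes:
    """ICMP type 8 / code 0, the probe Windows tracert sends per hop."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", ones_complement_sum(body)) + body[4:]


def udp_probe(sport: int, dport: int, data: bytes = b"\x00" * 8) -> bytes:
    """UDP datagram with checksum 0 (permitted over IPv4), as traceroute sends."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(packet: bytes) -> dict:
    """Pull protocol, TTL and L4 fields straight from the bytes."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    l4 = packet[ihl:]
    info = {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]), "ttl": ttl}
    if proto == ICMP:
        info["proto"] = "ICMP"
        info["probe"] = l4[0] == 8          # echo request
    elif proto == UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        info.update(proto="UDP", sport=sport, dport=dport)
        info["probe"] = TRACEROUTE_PORT_BASE <= dport <= TRACEROUTE_PORT_MAX
    else:
        info.update(proto=str(proto), probe=False)
    return info


def find_traceroute_runs(packets):
    """Group probes by (src, dst, proto); report groups whose distinct TTLs
    form a contiguous run starting at 1. Repeated TTLs are expected, since
    tracert sends three probes per hop."""
    runs = {}
    for info in map(classify, packets):
        if info["probe"]:
            key = (info["src"], info["dst"], info["proto"])
            runs.setdefault(key, []).append(info["ttl"])
    result = []
    for key, ttls in runs.items():
        hops = sorted(set(ttls))
        if hops[0] == 1 and len(hops) >= 2 and hops == list(range(1, hops[-1] + 1)):
            result.append((*key, hops[-1]))
    return result


# Constructed sample: three hops of tracert (ICMP) and three of traceroute (UDP),
# three probes each, plus one ordinary DNS query that must not be flagged.
SAMPLE = []
for _ttl in (1, 2, 3):
    for _probe in range(3):
        SAMPLE.append(build_ipv4("192.0.2.10", "8.8.8.8", ICMP, _ttl,
                                 icmp_echo_request(0x0001, _ttl * 3 + _probe)))
        SAMPLE.append(build_ipv4("198.51.100.7", "8.8.8.8", UDP, _ttl,
                                 udp_probe(40000 + _probe,
                                           TRACEROUTE_PORT_BASE + (_ttl - 1) * 3 + _probe)))
SAMPLE.append(build_ipv4("198.51.100.7", "8.8.8.8", UDP, 64, udp_probe(51000, 53)))

if __name__ == "__main__":
    for run in find_traceroute_runs(SAMPLE):
        print("traceroute run: src=%s dst=%s proto=%s hops=%d" % run)
```

The point for the question at hand: if the packets in the capture carry IP protocol 1 (ICMP), no Skype heuristic can apply, and the label is coming from somewhere else (wrong filter or interface, or a different tool). If they carry protocol 17 (UDP), the tool is not the built-in tracert, and the Skype heuristic dissector can be turned off under Analyze > Enabled Protocols so the traffic shows as plain UDP.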

Comments

I appreciate it. It is from Windows 10. I have also done the capture from Mac. I tried to attach the capture but it says I am unable to. I have successfully completed this in the past. I am not sure if this is based on a new baseline for the Wireshark.

Wiresharkquestions ( 2019-02-10 01:15:04 +0000 )

Both the Windows 10 and XP built-in tracert tools look the same as Windows 8.

Bob Jones ( 2019-02-10 13:48:09 +0000 )

I am not sure if this is based on a new baseline for the Wireshark.

I am not sure if this has anything to do with Wireshark at all. Bob Jones listed several possible causes, and the first one has nothing to do with Wireshark. Without seeing the traffic, we don't know which of them it would be.

Guy Harris ( 2019-02-10 16:06:59 +0000 )

Here is a tutorial on how you can share traces with us: https://blog.packet-foo.com/2016/11/t...

Christian_R ( 2019-02-10 19:26:52 +0000 )

Thank you for the assistance. As I mentioned I am unable to upload the capture. I know that would be helpful.

I know it is not mis-identified since I am able to match the packets to the tracert. The IPs and everything are accurate based on what I am supposed to see.

I am using the correct version of tracert. I have tried this on multiple networks and multiple systems to verify what I am seeing.

I adjusted some network settings to turn off IPv6 and then re-enabled it. I am now seeing ICMP for both IPv4 and IPv6. On the Mac it is still showing Skype even after following a similar process.

I will continue to play with settings, and will re-engage the community when I am able to upload a file.

Wiresharkquestions ( 2019-02-10 19:40:13 +0000 )
