This week I tried packet sniffing with two pieces of software recommended by Tom. I ran both at the same time for around 5 minutes. Here are the results.
Wireshark with website open
Protocol      Amount   Info
ARP           35       Who has 192.168.0.245? Tell 192.168.0.1 (my IP address) / (my IP address) is at (MAC address)
My guess is this one is checking my MAC address so my computer can connect with the router?
DB-LSP-DISC   32       Dropbox LAN sync Discovery Protocol
DHCP          2        DHCP Request / ACK
DNS           202      Standard query (consists of query and response)
HTTP          1        GET
ICMP          1        Destination unreachable
ICMPv6        8        Multicast Listener
IGMPv3        8        Membership query / report
NBNS          2        Name Query NB Workgroup
OCSP          1        Response
SSDP          16       M-SEARCH * HTTP/1.1
SSLv2         2171     Encrypted Data [TCP reassembled PDU]
TLSv1.3       8630     Application Data
UDP           5828     443 > 61886 (switching between the two)
Wireshark with nothing open
Protocol      Amount   Info
ARP           12       ARP Announcement for (an IP address that is not mine)
DB-LSP-DISC   4        Dropbox LAN sync Discovery Protocol
DHCP          2        DHCP Request / ACK
DNS           16       Standard query (consists of query and response) (most of the sources are Google and Apple)
ICMPv6        6        Multicast Listener (one Neighbor Advertisement >> src: Apple)
IGMPv3        7        Membership query / report
MDNS          159      Standard query (some from my MacBook and some from my roommate's iPad?)
NBNS          3        Name Query NB Workgroup
SSDP          11       NOTIFY * HTTP/1.1 (with Google)
TLSv1.2       60       Encrypted Alert
UDP           23       49154 > 6667 (switching between the two) (Espressi) / 10101 > 10101 (Google: 4 out of 23)
Most of the sources I saw in this packet sniffing were Apple (some are my MacBook and other devices in my house), Google, Espressi (I don't know what it is), and some unknown MAC addresses.
- Most of the connections happened via port 443. Only a few were sending and receiving on port 80.
- When I opened a website, it showed where the packets were going. For example, when I opened wix.com, there were 4 more packets going to some sites with the word "Wix" in their names. I guess they might be operation servers for their site, or they might pull data from different sites.
- There were a lot of packets being sent to and received from Apple-related sites.
- It didn't detect any packets when no website was open.
Comparing Wireshark and Herbivore
- Wireshark showed a lot more than Herbivore, which mostly illustrated the packets sent by the browser.
- I do not really understand the coloring rules in Wireshark. I tried clicking on packets with different colors. They showed different warnings, such as red: connection reset, or TCP keep-alive segment, which I don't understand.
- Herbivore didn't show the protocol, but its interface is more user-friendly to me. We can also pick which device to explore at the beginning.
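To make the Protocol and Info columns in the two tables above, and the coloring question, concrete: below is an added example, not part of the original post and not Wireshark's own code. It is a small Python dissector over hand-constructed Ethernet frames that assigns the same port-based labels Wireshark's summary column uses (ARP, DNS, MDNS, SSDP, DB-LSP-DISC, TLS, HTTP, bare UDP/TCP, ICMP) and names the first matching rule of Wireshark's default coloring rules, for instance "TCP RST" for the red connection-reset rows. Every frame, MAC address and IP address is a constructed placeholder, and the coloring rule names are an approximation of Wireshark's defaults, not read from its configuration.

```python
"""Added example, not code from the original post: a minimal frame dissector that
reproduces the Protocol / Info / coloring verdict Wireshark gives for the traffic
types listed above. Every frame below is constructed; addresses are placeholders."""
import struct
from collections import Counter

ETH_ARP, ETH_IP4 = 0x0806, 0x0800
IP_ICMP, IP_TCP, IP_UDP = 1, 6, 17
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# Port -> summary-column label. Wireshark picks these dissectors by port, which is
# why QUIC on 443/udp appears as plain "UDP" when no QUIC dissector is active.
UDP_PORTS = {53: "DNS", 67: "DHCP", 68: "DHCP", 137: "NBNS", 1900: "SSDP",
             5353: "MDNS", 17500: "DB-LSP-DISC"}
TCP_PORTS = {80: "HTTP", 443: "TLS"}

def mac(b): return ":".join("%02x" % x for x in b)
def ip(b): return ".".join(str(x) for x in b)
def _v(proto, info, color): return {"proto": proto, "info": info, "color": color}

def classify(frame):
    """Return {'proto', 'info', 'color'} for one Ethernet frame. 'color' is the first
    matching default coloring rule, checked top to bottom ("TCP RST" before "TCP").
    Rules needing stream state ("Bad TCP": retransmissions, keep-alives) are omitted."""
    if len(frame) < 14:
        return _v("Malformed", "truncated frame", None)
    ethertype, body = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == ETH_ARP and len(body) >= 28:
        op = struct.unpack("!H", body[6:8])[0]
        sha, spa, tpa = body[8:14], body[14:18], body[24:28]
        if op == 1 and spa == tpa:  # gratuitous ARP: a host announcing its own IP
            return _v("ARP", "ARP Announcement for %s" % ip(spa), "ARP")
        if op == 1:
            return _v("ARP", "Who has %s? Tell %s" % (ip(tpa), ip(spa)), "ARP")
        return _v("ARP", "%s is at %s" % (ip(spa), mac(sha)), "ARP")  # reply
    if ethertype == ETH_IP4 and len(body) >= 20:
        proto, seg = body[9], body[(body[0] & 0x0F) * 4:]  # skip IHL*4 header bytes
        if proto == IP_ICMP and len(seg) >= 4:
            t, names = seg[0], {0: "Echo reply", 3: "Destination unreachable", 8: "Echo request"}
            color = "ICMP errors" if t in (3, 4, 5, 11) else "ICMP"
            return _v("ICMP", names.get(t, "type %d" % t), color)
        if proto == IP_UDP and len(seg) >= 8:
            sport, dport = struct.unpack("!HH", seg[:4])
            label = UDP_PORTS.get(dport) or UDP_PORTS.get(sport) or "UDP"
            info = "%d > %d" % (sport, dport)
            if label == "SSDP":  # first request line, e.g. "M-SEARCH * HTTP/1.1"
                info = seg[8:].split(b"\r\n", 1)[0].decode("ascii", "replace")
            return _v(label, info, "UDP")
        if proto == IP_TCP and len(seg) >= 20:
            sport, dport = struct.unpack("!HH", seg[:4])
            flags, data = seg[13], seg[(seg[12] >> 4) * 4:]
            # TLS/HTTP dissectors only claim segments that carry data, so a bare
            # RST/ACK on port 443 is labelled TCP, not TLS.
            label = (TCP_PORTS.get(dport) or TCP_PORTS.get(sport) or "TCP") if data else "TCP"
            names = [n for n, bit in (("FIN", TCP_FIN), ("SYN", TCP_SYN), ("RST", TCP_RST),
                                      ("PSH", TCP_PSH), ("ACK", TCP_ACK)) if flags & bit]
            info = "%d > %d [%s]" % (sport, dport, ", ".join(names))
            if label == "HTTP":
                info = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
            elif label == "TLS":  # TLS record type 0x17 is application data
                info = "Application Data" if data[0] == 0x17 else "record type %d" % data[0]
            if flags & TCP_RST:
                color = "TCP RST"  # the red "connection reset" rows
            elif 80 in (sport, dport):
                color = "HTTP"
            elif flags & (TCP_SYN | TCP_FIN):
                color = "TCP SYN/FIN"
            else:
                color = "TCP"
            return _v(label, info, color)
        return _v("IPv4", "protocol %d" % proto, None)
    return _v("0x%04x" % ethertype, "unhandled ethertype", None)

def summarize(frames):
    """Protocol -> packet count, the breakdown shown in the tables above."""
    return Counter(classify(f)["proto"] for f in frames)

# Builders and a constructed sample capture (placeholder addresses, not real ones).
def eth(src, dst, etype, payload): return dst + src + struct.pack("!H", etype) + payload
def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload
def udp(sport, dport, data=b""): return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
def tcp(sport, dport, flags, data=b""): return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 65535, 0, 0) + data
def arp(op, sha, spa, tha, tpa): return struct.pack("!HHBBH", 1, ETH_IP4, 6, 4, op) + sha + spa + tha + tpa
MAC_RT, MAC_ME, MAC_BC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
IP_RT, IP_ME, IP_WEB, IP_MC = bytes([192, 168, 0, 1]), bytes([192, 168, 0, 245]), bytes([203, 0, 113, 10]), bytes([239, 255, 255, 250])
FRAMES = [
    eth(MAC_RT, MAC_BC, ETH_ARP, arp(1, MAC_RT, IP_RT, b"\0" * 6, IP_ME)),   # Who has 192.168.0.245? Tell 192.168.0.1
    eth(MAC_ME, MAC_RT, ETH_ARP, arp(2, MAC_ME, IP_ME, MAC_RT, IP_RT)),      # 192.168.0.245 is at ...
    eth(MAC_ME, MAC_BC, ETH_ARP, arp(1, MAC_ME, IP_ME, b"\0" * 6, IP_ME)),   # ARP Announcement
    eth(MAC_ME, MAC_RT, ETH_IP4, ipv4(IP_UDP, IP_ME, IP_RT, udp(61000, 53, b"\x12\x34\x01\x00"))),
    eth(MAC_ME, MAC_BC, ETH_IP4, ipv4(IP_UDP, IP_ME, IP_MC, udp(5353, 5353, b"\0" * 12))),
    eth(MAC_ME, MAC_BC, ETH_IP4, ipv4(IP_UDP, IP_ME, IP_MC, udp(50000, 1900, b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"))),
    eth(MAC_ME, MAC_BC, ETH_IP4, ipv4(IP_UDP, IP_ME, IP_MC, udp(17500, 17500, b"{}"))),
    eth(MAC_RT, MAC_ME, ETH_IP4, ipv4(IP_UDP, IP_WEB, IP_ME, udp(443, 61886, b"\xc0" * 8))),  # QUIC-like, shows as UDP
    eth(MAC_RT, MAC_ME, ETH_IP4, ipv4(IP_TCP, IP_WEB, IP_ME, tcp(443, 61886, TCP_PSH | TCP_ACK, b"\x17\x03\x03\x00\x05hello"))),
    eth(MAC_ME, MAC_RT, ETH_IP4, ipv4(IP_TCP, IP_ME, IP_WEB, tcp(61887, 80, TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))),
    eth(MAC_RT, MAC_ME, ETH_IP4, ipv4(IP_TCP, IP_WEB, IP_ME, tcp(443, 61888, TCP_RST | TCP_ACK))),  # red "connection reset" row
    eth(MAC_RT, MAC_ME, ETH_IP4, ipv4(IP_ICMP, IP_RT, IP_ME, b"\x03\x03\x00\x00")),  # Destination unreachable
]
if __name__ == "__main__":
    for f in FRAMES: print("%-12s %-10s %s" % (classify(f)["proto"], classify(f)["color"], classify(f)["info"]))
```

Two things this makes visible. First, the Protocol label depends on the port and on whether a segment carries data: QUIC on 443/udp is reported as bare UDP (the "443 > 61886" rows in the first table), and a RST with no payload on port 443 is TCP rather than TLS. Second, the colors are only rules matched top to bottom, so a red row means the TCP reset flag is set on that segment, not that the capture itself is faulty; rules that need stream state, such as "Bad TCP" and keep-alive detection, are left out of this example.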