Atchareeya Jattuporn

Packet Sniffing

This week I was trying to do packet sniffing with two pieces of software recommended by Tom. I ran both at the same time for around 5 minutes. Here are the results.

Wireshark with a website open


Protocol       Amount   Info
ARP                35   Who has 192.168.0.245? Tell 192.168.0.1 (my IP address)
                        (my IP address) is at (MAC address)
                        My guess is this one is trying to check my MAC address to connect my computer with the router?
DB-LSP-DISC        32   Dropbox LAN sync Discovery protocol
DHCP                2   DHCP Request / ACK
DNS               202   Standard query (consists of query and response)
HTTP                1   GET
ICMP                1   Destination unreachable
ICMPv6              8   Multicast Listener
ICMPv3              8   Membership query / report
NBNS                2   Name Query NB Workgroup
OCSP                1   Response
SSDP               16   M-SEARCH * HTTP/1.1
SSLv2            2171   Encrypted Data [TCP reassembled PDU]
TCP            101573
TLSv1.2          1814
TLSv1.3          8630   Application Data
UDP              5828   443 > 61886 (switching between the two)


Wireshark with nothing open


Protocol       Amount   Info
ARP                12   ARP Announcement for (IP address which is not mine)
DB-LSP-DISC         4   Dropbox LAN sync Discovery protocol
DHCP                2   DHCP Request / ACK
DNS                16   Standard query (consists of query and response) (most of the sources are Google and Apple)
ICMPv6              6   Multicast Listener (one Neighbor Advertisement >> src: Apple)
ICMPv3              7   Membership query / report
MDNS              159   Standard query (some with my MacBook and some with my roommate's iPad?)
NBNS                3   Name Query NB Workgroup
SSDP               11   Notify * HTTP/1.1 (with Google)
TCP               226
TLSv1.2            60   Encrypted Alert
UDP                23   49154 > 6667 (switching between the two) (Espressi) / 10101 > 10101 (Google: 4 out of 23)


Most of the sources I saw in this packet sniffing are Apple (some are my MacBook and other devices in my house), Google, Espressi (I don't know what it is), and some unknown MAC addresses.



Herbivore

- Most of the connections happened via port 443. Only a few are sending and receiving from port 80.

- When I opened up a website, it showed where the packets were being sent. For example, when I opened wix.com, there were 4 more packets sent to some websites with the word "Wix" in their name. I guess it might be some operation server of their site, or they might pull the data from different sites.

- There are a lot of packets being sent to and received from Apple-related websites.

- It didn't detect any packets when there was no website open.
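To turn a capture into a Protocol / Amount / Info summary like the two tables above, and to check the port-443-versus-80 split noted for Herbivore, the following script reads a tab-separated tshark field export. This is an added example, not code from the original post; the sample export is constructed, and the choice of exported fields is an assumption.

```python
"""Build a Protocol / Amount / Info summary (like the tables in this post) and a
destination-port tally (443 vs 80) from a tab-separated tshark field export."""
import csv
import io
from collections import Counter

# Constructed sample in the shape of
#   tshark -r capture.pcapng -T fields -E header=y \
#     -e frame.protocols -e _ws.col.Info -e tcp.dstport -e udp.dstport
# Hypothetical packets, not the author's capture.
SAMPLE_TSV = """\
frame.protocols\t_ws.col.Info\ttcp.dstport\tudp.dstport
eth:ethertype:arp\tWho has 192.168.0.245? Tell 192.168.0.1\t\t
eth:ethertype:ip:udp:dns\tStandard query 0x1a2b A example.com\t\t53
eth:ethertype:ip:tcp:tls\tApplication Data\t443\t
eth:ethertype:ip:tcp:tls\tApplication Data\t443\t
eth:ethertype:ip:tcp:http\tGET / HTTP/1.1\t80\t
eth:ethertype:ip:udp\t443 > 61886 Len=1200\t\t61886
eth:ethertype:ip:udp:ssdp\tM-SEARCH * HTTP/1.1\t\t1900
"""

def summarise(tsv_text):
    """Return (packets per protocol, first Info seen per protocol, dst-port counts).

    The protocol label is the innermost layer of frame.protocols, so TLS shows
    as TLS rather than the version-specific TLSv1.2 / TLSv1.3 of the GUI."""
    counts, first_info, ports = Counter(), {}, Counter()
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        proto = row["frame.protocols"].split(":")[-1].upper()
        counts[proto] += 1
        first_info.setdefault(proto, row["_ws.col.Info"])
        port = row["tcp.dstport"] or row["udp.dstport"]  # whichever is filled
        if port:
            ports[int(port)] += 1
    return counts, first_info, ports

def render_table(counts, first_info):
    """Lay the counts out as Protocol / Amount / Info text, sorted by protocol."""
    lines = [f"{'Protocol':<12}{'Amount':>7}  Info"]
    for proto in sorted(counts):
        lines.append(f"{proto:<12}{counts[proto]:>7}  {first_info[proto]}")
    return "\n".join(lines)

if __name__ == "__main__":
    c, i, p = summarise(SAMPLE_TSV)
    print(render_table(c, i))
    print(f"port 443: {p[443]} packets, port 80: {p[80]} packets")
```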



Comparing between Wireshark and Herbivore

- Wireshark showed a lot more than Herbivore, which mostly illustrated the packets sent across the browser.

- I do not really understand the coloring rules in Wireshark. I tried to click on packets with different colors. They showed different warnings, such as red: connection reset, and TCP keep-alive segment, which I don't understand.

- Herbivore didn't show the protocol, but the interface is more user-friendly to me. We can also pick which device to explore at the beginning.
