
Wireshark-users: Re: [Wireshark-users] newbie MAC->IP question

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Sun, 20 Jun 2010 00:50:31 +1000
Janos,

It sounds like you might need to spend some time thinking about what networking is meant to achieve. It is simply to facilitate the connection between hosts. Routers and switches should be "out of the way" as much as possible.

Certainly modern switches are really just what we used to call transparent bridges. The only time you should "see" them is in things like management protocols (like spanning tree protocol) or in knowing that they filter traffic to just the ports it needs to go to (unicast traffic in general moves between the interfaces the source and destination are on).

Routers also show themselves through management protocols (such as OSPF or VRRP and the like), and you might occasionally see ICMP packets to inform hosts to change their behaviour. However, they do reveal themselves quite clearly, as their physical interface address (MAC) becomes the source and destination of traffic passing through them. The network layer (IP) won't change from the original source and destination host (unless the router is NATting).

I suggest reading up some basic IP networking tutorials and you will understand why the network exhibits the behaviour you see.

Regards, Martin

MartinVisser99@xxxxxxxxx


On Sat, Jun 19, 2010 at 12:22 AM, János Löbb <janos.lobb@xxxxxxxx> wrote:
Hi,

Looking at the Ethernet traffic I see the routers and switches with their Ethernet/MAC address. However, they do not show up in the IP traffic. When I look at the Ethernet frame, I again see the MAC address, but I do not see its IP address. Can Wireshark - or any other program on a Mac - translate a MAC address into an IP?

I looked at man arp, but I do not see it there either, and arp -a does not show the router.

The switches' MAC addresses are in this form: Cisco_ab:cd:ef, and the routers' names are like All-HSRP-routers_6a.

Thanks ahead,

János
P.S. How can I capture only router and switch traffic and ignore all the workstations, and vice versa?
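An added example, not part of the original thread: it parses raw Ethernet frames and shows the behaviour described in the reply above, where a router's MAC appears as the source of frames carrying other hosts' IP addresses while its own IP only surfaces in ARP. All MAC and IP addresses are constructed sample values, and the "more than one source IP per MAC" rule is an assumed heuristic.

```python
import struct
from collections import defaultdict

def mac_s(b): return ":".join(f"{x:02x}" for x in b)
def ip_s(b): return ".".join(str(x) for x in b)
def mac_b(s): return bytes.fromhex(s.replace(":", ""))
def ip_b(s): return bytes(int(x) for x in s.split("."))

def parse(frame):
    """Return ('ip', src_mac, src_ip), ('arp', sender_mac, sender_ip) or None."""
    if len(frame) < 14:
        return None
    src, (ethertype,) = frame[6:12], struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if ethertype == 0x0800 and len(payload) >= 20:   # IPv4: source IP at offset 12
        return "ip", mac_s(src), ip_s(payload[12:16])
    if ethertype == 0x0806 and len(payload) >= 28:   # ARP: sender MAC at 8, sender IP at 14
        return "arp", mac_s(payload[8:14]), ip_s(payload[14:18])
    return None

def summarize(frames):
    """Map each source MAC to the IPv4 sources it carried, plus ARP-learned MAC->IP."""
    carried, arp = defaultdict(set), {}
    for kind, mac, addr in filter(None, map(parse, frames)):
        if kind == "ip":
            carried[mac].add(addr)
        else:
            arp[mac] = addr
    # Heuristic (assumption): a MAC sourcing several IPs is forwarding for other hosts.
    forwarders = {m for m, ips in carried.items() if len(ips) > 1}
    return dict(carried), arp, forwarders

# Constructed sample frames; all addresses are made up for illustration.
HOST, ROUTER = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
def ip_frame(src_mac, dst_mac, src_ip, dst_ip):
    hdr = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0]) + ip_b(src_ip) + ip_b(dst_ip)
    return mac_b(dst_mac) + mac_b(src_mac) + b"\x08\x00" + hdr
def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + mac_b(sender_mac) + ip_b(sender_ip)
    return mac_b(target_mac) + mac_b(sender_mac) + b"\x08\x06" + body + mac_b(target_mac) + ip_b(target_ip)

SAMPLE = [
    ip_frame(HOST, ROUTER, "192.168.1.10", "203.0.113.5"),
    ip_frame(ROUTER, HOST, "203.0.113.5", "192.168.1.10"),
    ip_frame(ROUTER, HOST, "198.51.100.7", "192.168.1.10"),
    arp_reply(ROUTER, "192.168.1.1", HOST, "192.168.1.10"),
]
if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

In the sample, the router's MAC carries two remote source IPs but never its own 192.168.1.1, which only the ARP reply reveals. A multi-homed host would also trip the heuristic, so treat a flagged MAC as a candidate to confirm against ARP.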