
Wireshark-users: Re: [Wireshark-users] newbie MAC->IP question

From: "Thierry Emmanuel" <Emmanuel.Thierry@xxxxxxxxxxxxxxx>
Date: Mon, 21 Jun 2010 09:58:28 +0200
To complete the explanation of János Löbb and Guy Harris (I don't know if it was clear):
Pure switches don't have (and don't need) IP addresses. A basic switch is a piece of network equipment designed to work only with Ethernet (Layer 2) traffic and theoretically ignore IP traffic (Layer 3).

We can sum up an IP connection like this (use a monospace font):
#   End user       #       # Switch  #     # Router #       # End user#
|Application (L4+) | <====================================> | App. |
|IP traffic  (L3)  | <====================> (relay ) <====> | IP   |
|Ethernet    (L2)  | <====> (relay ) <====> | Eth. | <====> | Eth. |
|Physical    (L1)  | <====> | Phy. | <====> | Phy. | <====> | Phy. |

A switch doesn't see IP traffic, doesn't show its Ethernet address and doesn't need to show its existence at the L2 level. A router doesn't show its IP address and doesn't need to show its existence at the L3 level.

I hope this explanation will help you to understand the structure of a network.

Best Regards


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Saturday, June 19, 2010 21:47
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] newbie MAC->IP question


On Jun 18, 2010, at 7:22 AM, János Löbb wrote:

> Looking at the Ethernet traffic I see the routers and switches with their Ethernet/MAC address.  However they do not show up in the IP traffic.  When I look at the Ethernet frame, I again see the MAC address, but I do not see its IP address.

I.e., a packet from or to a router or switch has the source IP address of the machine that ultimately sent it, not the IP address of the router?  (That is, of course, as it should be.)

> Can Wireshark - or any other program on a Mac - translate a MAC address into an IP?

There isn't necessarily a permanent mapping between a MAC address and an IP address; a machine might, for example, be using DHCP, and, if it renews a DHCP lease, it might get a different IP address from the one it had before.

That's not likely to happen for a router - but the only way to find out a router's IP address, given its MAC address, would be to either

	1) ask the network administrator what IP address is assigned to the router with an interface with a given MAC address;

	2) send out a Reverse ARP packet, asking what the IP address is for the given MAC address, and hope somebody responds;

	3) hope that some file on your machine has that mapping, or that some network service offers that mapping.

> I looked at man arp, but I do not see it there either and arp -a does not show the router.

"arp -a" will show the IP-to-MAC-address mappings your machine has; if your machine isn't routing traffic through that router, or otherwise communicating with that router, it won't need, and thus probably won't have, an ARP entry for that router.  (If your machine isn't plugged into a network into which that router is also plugged, it almost certainly won't have it.)

> P.S.  How can I capture only router and switch traffic and ignore all the workstations, and vice versa?

You'd have to construct a capture filter that looks for the MAC addresses of the machines whose traffic you want to capture, and doesn't mention the MAC addresses of the machines whose traffic you don't want to capture.
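
An added example, not part of either message: a Python script covering the two points in Guy Harris's reply, looking up IP addresses by MAC address in "arp -a" output and building a capture filter from MAC addresses. The sample ARP output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of macOS-style `arp -a` output (not taken from the thread).
SAMPLE_ARP = """\
? (192.168.1.1) at 0:1e:2a:3b:4c:5d on en0 ifscope [ethernet]
? (192.168.1.20) at a4:5e:60:c:1:f2 on en0 ifscope [ethernet]
? (192.168.1.37) at (incomplete) on en0 ifscope [ethernet]
"""

# "(ip) at mac"; an "(incomplete)" entry has no MAC and does not match.
ENTRY = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9A-Fa-f:]+)")


def normalize_mac(mac):
    """Return six zero-padded lowercase octets (macOS prints 0:1e, not 00:1e)."""
    parts = mac.split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(p.lower().zfill(2) for p in parts)


def parse_arp(text):
    """Map MAC -> list of IPs from `arp -a` output, skipping unresolved entries."""
    table = {}
    for line in text.splitlines():
        match = ENTRY.search(line)
        if not match:
            continue
        try:
            mac = normalize_mac(match.group(2))
        except ValueError:
            continue  # hex-looking text that is not a full MAC address
        table.setdefault(mac, []).append(match.group(1))
    return table


def capture_filter(macs):
    """Build a libpcap capture filter that matches only the given MAC addresses."""
    wanted = sorted({normalize_mac(m) for m in macs})
    if not wanted:
        raise ValueError("need at least one MAC address")
    return " or ".join(f"ether host {m}" for m in wanted)


if __name__ == "__main__":
    table = parse_arp(SAMPLE_ARP)
    # A MAC seen in a capture only resolves if this host already has an ARP entry.
    print(table.get(normalize_mac("00:1E:2A:3B:4C:5D"), "no ARP entry"))
    print(capture_filter(table))
```

The resulting string can be used as a capture filter in Wireshark; a MAC address with no entry in the local ARP table simply has no IP address to report, as the reply explains.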
