Wireshark · Wireshark-users: Re: [Wireshark-users] Help on data from wiresharck

Wireshark-users: Re: [Wireshark-users] Help on data from wiresharck

From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>

Date: Wed, 4 Oct 2017 12:23:37 +0100

On 4 October 2017 at 12:07, Antonio Bernabei <abernabei@xxxxxxxxxxxxxxxxxx> wrote:

But why there is

HuaweiTe

Is it a phone trying to connect to our lan? Maybe by wifi?

The element "HuaweiTe_21:8d:a5" indicates a device with a MAC address corresponding to one issued by HuaweiTe and probably using IP address 192.168.1.111 was sending the request.

A MAC address contains info about the device vendor and a unique per-device value. See the Wiki page on Ethernet addresses for for info: https://wiki.wireshark.org/Ethernet.

Wireshark helpfully translates the vendor prefix (for known values) of a MAC address hence the "HuaweiTe_" part. The "raw" value is shown in parentheses in the packet list. The translation is controlled by the preference setting Name Resolution -> Resolve MAC addresses.

To check for possible ARP spoofing you would need to confirm the MAC address of your gateway, hopefully visible in the UI of the device, and compare it with the "raw" value displayed in Wireshark.

Graham Bloice

References:
- [Wireshark-users] Help on data from wiresharck
  - From: Antonio Bernabei
- Re: [Wireshark-users] Help on data from wiresharck
  - From: sunil singh
- Re: [Wireshark-users] Help on data from wiresharck
  - From: Antonio Bernabei

Prev by Date: Re: [Wireshark-users] Help on data from wiresharck
Next by Date: Re: [Wireshark-users] Help on data from wiresharck
Previous by thread: Re: [Wireshark-users] Help on data from wiresharck
Next by thread: Re: [Wireshark-users] Help on data from wiresharck
Index(es):
- Date
- Thread