This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Find network gateway and addressing type with a network capture.

0

Hi! First of all, I'm a newbie using Wireshark; I also have common network knowledge.

I've got a network capture file with 50k packets; it's from a big institution, and I need to know two things about it:

  • Type of network addressing (classful A/B/C or classless, and its mask)
  • Network gateway

In my capture I see that 99% of IPs are 172.16.X.X, so I assume that's classful B, and most packets go to 172.16.20.1, so I suppose that's the default gateway, but how can I be more sure? Some type of filter?

Thanks a lot!

asked 14 May '14, 06:33


rul3s


One Answer:

2

There are several options to conclude the netmask based on the traffic in the capture file.

  • check the IP addresses in the capture file and try to figure out the mask as you did it, by looking at the distribution of the addresses in a certain range.
  • try to find packets to the local network broadcast address (like 172.16.255.255 or 172.16.20.255)
  • take a look at ARP requests. If they are also spread across 172.16.x.x, chances are good that your netmask is /16.

Regarding the default gateway.

  • take a look at ARP requests. If several systems ask for the MAC address of the same IP address, that 'could' be the default gateway. However, it could be a local busy server as well, unless the IP address is one of the 'typical' gateway addresses x.x.x.1, x.x.x.254, x.x.x.253, etc.
  • take a look at the destination MAC address of connections to an external network (e.g. internet). If there is the same MAC address for several different destination IP addresses, that's most certainly the router/gateway.

Regards
Kurt

answered 14 May '14, 14:49


Kurt Knochner ♦

Also, if there is IPv6 traffic, look for Router Advertisements. You will then know the MAC of the Router and can filter on that MAC to learn the IPv4 address.

(14 May '14, 21:12) Rooster_50

Mate!! Thank you so much, perfect answer!!! :)

(15 May '14, 00:36) rul3s
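
The netmask and gateway heuristics from the answer above, worked through in Python as an added example that is not part of the original thread. It assumes the capture has been exported to rows with the tshark fields eth.dst, ip.dst, arp.src.hw_mac, arp.src.proto_ipv4 and arp.dst.proto_ipv4; every MAC and address below is constructed.

```python
import ipaddress
from collections import Counter, defaultdict

BCAST = "ff:ff:ff:ff:ff:ff"
# Constructed sample rows, not taken from the question's capture. Columns (assumed):
# eth.dst, ip.dst, arp.src.hw_mac, arp.src.proto_ipv4, arp.dst.proto_ipv4
ROWS = [
    (BCAST, "", "02:00:00:00:00:15", "172.16.20.15", "172.16.20.1"),   # ARP request
    (BCAST, "", "02:00:00:00:00:63", "172.16.99.7", "172.16.20.1"),    # ARP request
    (BCAST, "", "02:00:00:00:00:15", "172.16.20.15", "172.16.3.40"),   # ARP request
    ("02:00:00:00:00:15", "", "02:00:00:00:00:01", "172.16.20.1", "172.16.20.15"),  # ARP reply
    ("02:00:00:00:00:01", "192.0.2.10", "", "", ""),      # off-net traffic
    ("02:00:00:00:00:01", "198.51.100.9", "", "", ""),
    ("02:00:00:00:00:01", "203.0.113.5", "", "", ""),
    ("02:00:00:00:00:28", "172.16.3.40", "", "", ""),     # local server
    (BCAST, "172.16.255.255", "", "", ""),                # subnet broadcast
]

def on_link_ips(rows, use_broadcast=True):
    """ARP sender/target IPs, optionally plus subnet-broadcast destinations."""
    ips = {ip for r in rows for ip in (r[3], r[4]) if ip}
    if use_broadcast:
        ips |= {r[1] for r in rows if r[0] == BCAST and r[1] not in ("", "255.255.255.255")}
    return ips

def covering_network(ips):
    """Smallest prefix containing every address: the longest mask the data allows."""
    nums = [int(ipaddress.IPv4Address(ip)) for ip in ips]
    prefix = 32 - (min(nums) ^ max(nums)).bit_length()
    return ipaddress.IPv4Network((min(nums), prefix), strict=False)

def most_requested(rows):
    """ARP target asked for most often in broadcast requests (gateway or busy server)."""
    return Counter(r[4] for r in rows if r[0] == BCAST and r[4]).most_common(1)[0]

def gateway_candidate(rows, net):
    """Destination MAC carrying the most distinct off-net IPs, with its ARP-learned IP."""
    offnet = defaultdict(set)
    for mac, dst, *_ in rows:
        if dst and mac != BCAST and ipaddress.IPv4Address(dst) not in net:
            offnet[mac].add(dst)
    mac = max(offnet, key=lambda m: len(offnet[m]))
    mac_to_ip = {r[2]: r[3] for r in rows if r[2]}
    return mac, len(offnet[mac]), mac_to_ip.get(mac)

if __name__ == "__main__":
    net = covering_network(on_link_ips(ROWS))
    print("ARP only:", covering_network(on_link_ips(ROWS, use_broadcast=False)))
    print("with broadcast:", net)
    print("most ARP-requested:", most_requested(ROWS))
    print("gateway candidate:", gateway_candidate(ROWS, net))
```

On this sample the ARP addresses alone only support a /17, and the broadcast to 172.16.255.255 is what widens the estimate to /16, so the address spread gives an upper bound on the prefix length rather than the mask itself.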