How can you tell the name of the ISP from a capture? What do you look for specifically? asked 13 Oct '17, 00:38 musila edited 13 Oct '17, 04:42 Bill Meier ♦♦
I cannot imagine any universally applicable method of identifying the ISP from a capture of spontaneous traffic, except maybe if it contains DNS queries to a DNS server on a public IP, as some ISPs still use their own DNS servers rather than DDoSing the famous 8.8.8.8.
If you can do a traceroute, the public addresses appearing closest to the customer end of the connection should be assigned to the ISP (leaving aside those which are eventually assigned to the customer), but in such a case it is not a Wireshark question :-)
Well, I was given a pcapng file. From that file, you are supposed to determine the SSID, router name and hardware version, among others, which was pretty easy, until they asked for the WiFi network provider. Looks like I can't attach a file in this forum.
Yes, it has DNS queries.
And what does the whois database say about the IP address of the DNS server?
I can send you the pcap file via email... see what you can uncover ...
If you cannot publish the file on some file sharing service and edit the Question with a login-free link to it, you can change the file suffix from .pcap to .jpg and add it to the Question as a picture. The file size should be reasonable, though, so if it has 50 MB+ it is not a good idea.
Do you mean vendor of wifi equipment?
@bob no, WiFi network provider. That's what the question asked. Therefore, I assumed it means the ISP ... What do you think?
@sindy it's less than 2 MB ... it's a challenge from Cybrary (https://www.cybrary.it/catalog/cybsky/wireless-access-exploitation-set-1)
Given that the site is a paid one, I don't think it is a good idea to publish the trace here. So I can only repeat my advice to look at DNS queries and answers and find the ISP name from there, either directly in the DNS response or using
DiG -x
or the whois database to find information about the owner of the DNS server. Another possibility might be that there is an interaction in the capture file with a "captive portal" (to which you are redirected when you visit any other page after connecting to the WiFi, to confirm acceptance of the conditions) and you can see the ISP name from there.
If this is for a class of some sort, I would ask for clarification.
Maybe the provider name is part of the SSID? I know here in the US Comcast is a large provider for homes and businesses with cable modems and the like, and they have a brand called Xfinity which they try to run on all of their APs as an SSID. Once I see that SSID, I know the provider is Comcast.
@Bob the SSID is Hainan Airlines and that was part of the questions asked besides the ISP ....
@Sindy yeah, I have been looking at all the requests made. If you saw the capture you would have a better idea of what I am facing. I thought there is a specific way you look at the ISP that I did not know about.
Just give me the IP address of the DNS server to which the DNS queries are being sent. I assume there is only one.
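Added example, not part of the thread: one way to pull out the DNS server addresses the comments above ask for and prepare the reverse-lookup name that `dig -x` would query. It assumes the capture has been converted to classic pcap with Ethernet framing (a pcapng file like the asker's is rejected); the function names and the embedded sample capture are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

def dns_resolvers(pcap: bytes) -> Counter:
    """Count destination IPs of DNS queries (UDP/53, QR bit clear) in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected classic pcap with Ethernet link type")
    seen, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # keep only IPv4 carrying UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 12:
            continue  # too short for a UDP header plus DNS id and flags
        dport = struct.unpack("!H", udp[2:4])[0]
        if dport == 53 and not udp[10] & 0x80:  # QR bit 0 means query
            seen[str(ipaddress.IPv4Address(frame[30:34]))] += 1
    return seen

def lookup_plan(resolvers: Counter) -> dict:
    """Per resolver: query count, whether whois can attribute it, and the dig -x name.
    A private address is the AP/router itself; 8.8.8.8 names its operator, not the ISP."""
    return {ip: {"queries": n, "public": ipaddress.ip_address(ip).is_global,
                 "ptr_name": ipaddress.ip_address(ip).reverse_pointer}
            for ip, n in resolvers.items()}

def make_frame(dst_ip: str, dport: int, dns_flags: int) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame with a bare 12-byte DNS header."""
    dns = struct.pack("!HHHHHH", 0x1234, dns_flags, 1, 0, 0, 0)
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address("192.168.1.23").packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    pkt = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

# Constructed capture: two queries to the router, one to 8.8.8.8, one non-query.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + make_frame("192.168.1.1", 53, 0x0100) + make_frame("192.168.1.1", 53, 0x0100)
          + make_frame("8.8.8.8", 53, 0x0100) + make_frame("8.8.8.8", 53, 0x8180))

if __name__ == "__main__":
    for ip, info in lookup_plan(dns_resolvers(SAMPLE)).items():
        print(ip, info)
```

Only an address reported as public is worth taking to whois or `dig -x`; when every query goes to a private address, the resolver is the access point and the capture's DNS traffic alone does not name the provider.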