Wireshark not capturing packets above network layer - tcp

I have no filters applied, but am not seeing any traffic other than what appear to be conversations at the Link Layer between my computer's NIC and the router. It is connected via Ethernet, and I believe at one time I could see HTTP, TCP, UDP, etc.
Any suggestions would be appreciated. I've tried visiting websites and received nothing clearly from those sites.


Why do I see packets whose source or destination IPs are not my IP address while I'm using my VPN?

I'm new to the networking world and I'm using Wireshark to learn stuff about the network.
I was hanging around in Wireshark while I was using my VPN for circumventing the internet filter (living in a dictatorship country).
While I was using the VPN I saw packets whose source or destination IP was neither my IP nor the VPN server's IP.
I considered two things about my problem:
1. I know my VPN sends all my packets to its VPN server, which then forwards them to my intended destination, takes the response and sends it back to my client (is that correct?).
2. In Wireshark, I can only see packets whose source or destination address is my IP address.
My packets before using VPN:
As you can see, either their source or their destination IP is my IP (192.168.1.101).
After using the VPN, the VPN client:
Wireshark:
I tried filtering packets with my IP like this: ip.addr == 192.168.1.101, to see only the packets whose source or destination IP was my private IP, and guess what? Nothing changed. Why did this happen? Wasn't that supposed to filter my packets?
I also checked those packets' MAC and compared it with my MAC, and they were identical.
So my main question is: why were these kinds of wandering packets shown by Wireshark? Is my VPN client insecure and trying to send my data to other places? Or am I wrong about how my VPN works?
Also, I would appreciate it if somebody could explain more about how my VPN or Wireshark works such that I see these types of packets in Wireshark.
First of all, regarding your considerations: point no. 1 is right, that's how a typical VPN works, and point no. 2 is wrong.
Wireshark can capture any packet (any source IP or destination IP) flowing in and out of a network adapter, technically known as a NIC card. NIC cards are the way through which you connect to a network (the Internet). A quick brief of NICs over here.
Typical VPN client software creates a virtual NIC and encrypts and sends your traffic through it. A quick brief of VPNs over here.
So, to see the required traffic in Wireshark, you must capture traffic from an appropriate interface (NIC card). The answer over here might be helpful.

What happens after host receives physical data from router

I know that when two machines communicate they may use the TCP/IP protocol. But after the IP packet is routed to my router and it is converted to a physical signal, how does my computer again decapsulate it and send it to the proper application? I know that the transport layer header is used for identifying port numbers to send it to the proper process, but which device does all this inside a host? I am new to networking and apologize if something here is wrong or silly.
A packet comprises information in the form of [header[body]], which is looked up and processed across all the layers in the TCP/IP stack.
The information related to all the layers is encapsulated into a single packet.
Packet, being a general term here, can be of many types based on the protocol with which two nodes are communicating (TCP packet, UDP packet, IP packet, etc.). The information from a TCP/IP packet, for example, is processed by different devices or services working at specific layers.
Switches or bridges operate at the Ethernet layer. These devices switch packets inside a LAN by looking up the MAC address information.
Routers operate at the Internet layer and utilize the IP protocol (i.e., IP addresses) to route traffic between networks.
Stateful firewalls, proxies, load balancers, etc. are at the transport layer. They work based on the TCP or UDP information to allow/deny/direct traffic.
The application layer facilitates effective communication between application programs in a network. The application layer is not the application itself that is doing the communication. It has protocols such as DNS, FTP, SMTP and SNMP to help serve the purpose.
References:
https://docstore.mik.ua/orelly/networking/firewall/ch06_03.htm
https://technet.microsoft.com/en-in/library/cc786128(v=ws.10).aspx
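As an added illustration of the decapsulation the answer describes (example code, not from the answer or its references), the following Python walks one constructed Ethernet/IPv4/TCP frame up the stack, peeling one header per layer until only the payload for the application listening on the destination port remains. The MAC and IP addresses in the sample frame are constructed, and a UDP branch is included so the same walk applies to datagrams.

```python
import struct

# Added example: one header per layer is removed, exactly as a host's stack does it.
ETH_HDR = struct.Struct("!6s6sH")             # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")     # fixed 20-byte IPv4 header
PROTO_NAMES = {6: "TCP", 17: "UDP"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def decapsulate(frame):
    """Return the per-layer fields found in the frame plus the transport payload."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    layers = {"eth": {"src": mac_str(src), "dst": mac_str(dst), "type": ethertype}}
    if ethertype != 0x0800:                   # not IPv4: a link-layer frame (ARP, ...)
        return layers
    off = ETH_HDR.size
    f = IPV4_HDR.unpack_from(frame, off)
    ihl = (f[0] & 0x0F) * 4                   # IPv4 header length including options
    total_len, proto = f[2], f[6]
    layers["ip"] = {"src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9])),
                    "proto": PROTO_NAMES.get(proto, str(proto))}
    off += ihl
    end = ETH_HDR.size + total_len            # ignore Ethernet padding after the datagram
    if proto == 6:                            # TCP: ports, flags, variable header length
        sport, dport, _seq, _ack, doff_flags = struct.unpack_from("!HHIIH", frame, off)
        layers["tcp"] = {"sport": sport, "dport": dport,
                         "syn": bool(doff_flags & 0x02), "ack": bool(doff_flags & 0x10)}
        off += (doff_flags >> 12) * 4
    elif proto == 17:                         # UDP: fixed 8-byte header
        sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", frame, off)
        layers["udp"] = {"sport": sport, "dport": dport}
        off += 8
    else:
        return layers
    layers["payload"] = frame[off:end]        # what the socket bound to dport receives
    return layers

def build_sample_frame():
    """Constructed frame (not a capture): 192.168.1.101:40000 -> 203.0.113.10:80 with an
    HTTP request line as payload. Checksums stay zero; nothing here validates them."""
    payload = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    ip = IPV4_HDR.pack(0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000, 64, 6, 0,
                       bytes([192, 168, 1, 101]), bytes([203, 0, 113, 10]))
    eth = ETH_HDR.pack(bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455"), 0x0800)
    return eth + ip + tcp + payload
```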

TCP syn based traffic from our network

We have two Debian servers connected to a router which is part of a public network. One of them is an email server based on Postfix, Dovecot and Roundcube. The second one is a DHCP, DNS, Apache and squid3 based system hosting a website and distributing internet to a 200-computer LAN. We recently received an email from the ISP with the following note.
"We have again observed multiple outgoing TCP SYN based suspicious traffic from your institute towards various Chinese destination IPs since morning hours. Kindly inform the concerned team regarding the same observation so that adequate measures are taken to curb such traffic."
Considering the types of users on my LAN, it is impossible to think that my LAN users would deliberately do it.
Can some computer from outside our network mimic TCP SYN based suspicious traffic from MY institute?
Can the email server with some silly configuration mistake be responsible?
If your ISP is informing you that your computers are originating the traffic then you can rely on it to be true. What you should do is ask for more detail about the offending SYN segments so you can set up a tcpdump session to capture them on your side and find out which of your LAN users is misbehaving.
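As an added example (not from the answer), here is the kind of check you would run over the tcpdump text capture the answer suggests taking on your side: it counts bare SYNs per LAN host and the distinct peers each host contacts, so a machine spraying SYNs at many destinations stands out. The sample lines, the 192.168.10.0/24 LAN prefix and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Added example: locate the LAN host behind outbound SYN-only traffic in tcpdump output.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port, flags) or None for non-TCP lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def syn_report(lines, lan, min_targets=5):
    """Per LAN host: bare SYNs sent, distinct targets, target ports and SYN-ACKs received.
    A host reaching >= min_targets distinct peers is flagged for a closer look."""
    lan = ip_network(lan)
    stats = defaultdict(lambda: {"syns": 0, "targets": set(), "ports": set(), "synacks": 0})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        src, _sport, dst, dport, flags = p
        if flags == "S" and ip_address(src) in lan:          # bare SYN leaving the LAN
            s = stats[src]
            s["syns"] += 1
            s["targets"].add(dst)
            s["ports"].add(dport)
        elif flags == "S." and ip_address(dst) in lan:       # SYN-ACK back to a LAN host
            stats[dst]["synacks"] += 1
    return {h: {**s, "flagged": len(s["targets"]) >= min_targets} for h, s in stats.items()}

# Constructed tcpdump-like lines (documentation address ranges, not a real capture).
SAMPLE = """\
10:01:02.100 IP 192.168.10.57.51234 > 203.0.113.5.445: Flags [S], seq 1, win 64240
10:01:02.101 IP 192.168.10.57.51235 > 203.0.113.6.445: Flags [S], seq 1, win 64240
10:01:02.102 IP 192.168.10.57.51236 > 203.0.113.7.445: Flags [S], seq 1, win 64240
10:01:02.103 IP 192.168.10.57.51237 > 203.0.113.8.445: Flags [S], seq 1, win 64240
10:01:02.104 IP 192.168.10.57.51238 > 203.0.113.9.445: Flags [S], seq 1, win 64240
10:01:02.300 IP 192.168.10.22.40001 > 198.51.100.9.443: Flags [S], seq 5, win 64240
10:01:02.305 IP 198.51.100.9.443 > 192.168.10.22.40001: Flags [S.], seq 9, ack 6, win 65535
10:01:02.306 IP 192.168.10.22.40001 > 198.51.100.9.443: Flags [.], ack 1, win 64240
""".splitlines()

if __name__ == "__main__":
    for host, s in syn_report(SAMPLE, "192.168.10.0/24").items():
        print(host, s["syns"], len(s["targets"]), sorted(s["ports"]), s["synacks"], s["flagged"])
```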

Unable to capture a UDP protocol packet with Wireshark by visiting any website

I am using Wireshark, and for an exercise we need to capture a UDP packet with Wireshark by visiting any website, and then analyze the information within that packet.
I have tried numerous times and all websites appear to send packets with the TCP protocol. I have looked at the Wireshark documentation, as well as looked online, and am stumped.
What am I doing wrong, and how can I get a UDP packet by visiting a website?
That's the main question. A side question is: how do I filter the captured packets to only those packets referring to requests and responses from websites over the network? Currently there appear to be a bunch of low-level captured packets that I need to scroll through.
Thanks in advance!
Because websockets/HTTP is over TCP.
And in Wireshark, if you are intending to see packets corresponding to a particular client/server, click on the packet and do "Follow TCP/UDP stream".
You will never see a UDP packet in a web connection. Never never never. The Web's connection is in the HTTP protocol and HTTP is encapsulated in TCP.
If you need to see UDP packets in Wireshark you can generate UDP sockets from your host. You can:
Make a connection to a TFTP server.
Renew your IP; you will see the DHCP protocol.
Search for which protocols are encapsulated in UDP and use them.
Make a program with UDP sockets.
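As an added example (not the answerer's code) of the last option, a program with UDP sockets: it hand-builds a DNS-style query, sends it over a loopback UDP socket to a stand-in resolver thread, and decodes the reply. The queried name, the transaction id and the returned address are constructed; the responder is not a real DNS server.

```python
import socket
import struct
import threading

# Added example: two real UDP datagrams on 127.0.0.1 carrying a DNS-shaped query and reply.
def encode_qname(name):
    """DNS wire form of a name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"

def decode_qname(buf, off):
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1          # name, offset just past the terminator

def build_dns_query(txid, name):
    """12-byte header (RD set, one question) followed by a question for an A record, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_qname(name) + struct.pack("!HH", 1, 1)

def stand_in_resolver(sock, answer_ip):
    """Answer one query: same id, QR/RD/RA bits set, question echoed, one constructed A record."""
    data, addr = sock.recvfrom(512)
    txid = struct.unpack_from("!H", data)[0]
    _name, qend = decode_qname(data, 12)
    question = data[12:qend + 4]               # qname + qtype + qclass
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    sock.sendto(struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer, addr)

def udp_dns_exchange(name, answer_ip="203.0.113.10"):
    """Run query and reply over 127.0.0.1 and return the decoded reply fields."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))              # ephemeral port; in Wireshark filter on udp.port
    worker = threading.Thread(target=stand_in_resolver, args=(server, answer_ip))
    worker.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(3)
    client.sendto(build_dns_query(0x1234, name), server.getsockname())
    reply, _ = client.recvfrom(512)
    worker.join(); client.close(); server.close()
    txid, flags, _qd, ancount = struct.unpack_from("!HHHH", reply)
    qname, qend = decode_qname(reply, 12)
    rdata = reply[qend + 4 + 12:qend + 4 + 16]  # past question, name pointer, type, class, ttl, rdlength
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname,
            "answers": ancount, "address": socket.inet_ntoa(rdata)}
```

Run it while capturing on the loopback interface and the display filter `dns` (or `udp.port == <port>`) shows exactly the two datagrams.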

Identifying characteristics of certain categories of network traffic (originating from a load balancer or port-based NAT)

I'm using a sniffer (such as Wireshark) to monitor network traffic.
I have no prior knowledge of the network topology. My purpose is to identify IPs as load balancers or NAT entry points.
How can I identify that a particular packet originated from a load balancer or has come through a firewall and has had port based network address translation (NAT) performed on it?
What identifying characteristics are there for either use case?
If there is no layer-3 (router) device between your point of capture and the balancer/firewall, and those devices are layer-3, you could use the source MAC to detect where the packets came from.
Actually, a lot depends on how the network appears from where you capture the packets.
Are the load-balancers on a different path/direction from the firewall? Like, is the firewall on the Internet side and the balancers towards the servers (or are they balancing the Internet link)?
Where are the layer-3 devices? Any between the capture point and these other devices? Are the balancer and/or firewall working as layer-3 devices?
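As an added example (not part of the answer) applying the source-MAC idea above to decoded packet summaries: a source MAC seen with several source IPs is a forwarding device rather than a local host, and a source IP arriving via more than one MAC indicates more than one path into the capture point. The records, MACs and addresses are constructed.

```python
from collections import defaultdict

# Added example: per-MAC and per-IP bookkeeping over summaries of captured frames.
# Constructed records (documentation addresses, made-up MACs), not a real capture.
RECORDS = [
    {"src_mac": "00:11:22:33:44:01", "src_ip": "192.168.1.101", "src_port": 50001},
    {"src_mac": "00:11:22:33:44:02", "src_ip": "192.168.1.102", "src_port": 50002},
    {"src_mac": "00:11:22:33:44:fe", "src_ip": "203.0.113.10", "src_port": 443},
    {"src_mac": "00:11:22:33:44:fe", "src_ip": "198.51.100.7", "src_port": 443},
    {"src_mac": "00:11:22:33:44:fe", "src_ip": "198.51.100.8", "src_port": 80},
    {"src_mac": "00:11:22:33:44:fe", "src_ip": "203.0.113.10", "src_port": 8443},
    {"src_mac": "00:11:22:33:44:fd", "src_ip": "203.0.113.10", "src_port": 443},
]

def classify_by_mac(records, min_ips=2):
    """roles: one source IP per MAC looks like a local host on this segment; min_ips or more
    looks like a layer-3 device (router, firewall, balancer) forwarding other hosts' traffic.
    multi_path: source IPs that reached the capture point through more than one MAC."""
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for r in records:
        ips_by_mac[r["src_mac"]].add(r["src_ip"])
        macs_by_ip[r["src_ip"]].add(r["src_mac"])
    roles = {mac: ("forwarding-device" if len(s) >= min_ips else "local-host")
             for mac, s in ips_by_mac.items()}
    multi_path = {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}
    return {"roles": roles,
            "ips_by_mac": {mac: sorted(s) for mac, s in ips_by_mac.items()},
            "multi_path": multi_path}

if __name__ == "__main__":
    out = classify_by_mac(RECORDS)
    for mac, role in out["roles"].items():
        print(mac, role, ", ".join(out["ips_by_mac"][mac]))
    print("seen via more than one MAC:", out["multi_path"])
```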
