Packet Sniffing

The assignment this week is to capture and analyze network traffic while going about our usual network activities. Before buying my first MacBook in 2016, I was still using a hunky 8 lbs Sony Vaio that was stretched past the end of its life. It was a present from my parents for college and in its early years, it worked like a dream. About four years in, it started showing its first signs of decline when the battery charger suddenly blew out while I was living in Tokyo. I had to replace the charger for it three more times, and my encounters with the blue screen of death were so frequent that I found it unusual if my laptop didn’t crash at least once a day. I thought it might be interesting to run the same applications I typically run on my Mac vs PC and see if I find something interesting on Herbivore and Wireshark.

Something I didn’t expect to find out through Herbivore when I got back to my apartment today is that my roommate is not home. She is typically home before I am, but when I ran Herbivore, I saw that only my devices are connected to our router. It’s probably best this way so there are no…temptations.

I started by clearing all my applications on both laptops so I could see the packets as they come in on both Herbivore and Wireshark. I opened up a couple websites that I apparently frequented in 2016 on my PC, then gave myself five minutes to just surf mindlessly on my MacBook. In Herbivore, I noticed that the packets I was seeing between my Mac and PC were the same. At first, I was a little confused because I was under the impression I would only see activity filtered by the IP addresses but it turns out that it picks up on all activity communicating with my router. I like that I’m able to see all the devices on my network, but it would be helpful if I could filter the data the way Wireshark allows.

The funny thing is, after I moved on to Wireshark, I tried filtering for the activity of my PC and got nothing. I didn’t understand because they were all there on Herbivore??

Then I remembered reading Ellen’s blog post this morning (best documentation/investigative journalism I’ve ever read) about a similar experience she had while doing this assignment. Apparently, Apple changed their network card configurations to only see what packets are sent to them. Ellen then ran ARP to see the communication between her MacBook and other Apple devices and sure enough, she saw them. In my case however, since Apple doesn’t pick up on non-Apple devices, I only see the communication between my MacBook and router:

I went to download Wireshark on my PC and got a prompt saying that the new release doesn’t support Windows Vista and to download Wireshark 2.2 instead. Unsurprisingly, after I tried to run it, my PC crashed. I attempted again and it crashed again so I decided to give it a rest. Poor thing.

Something interesting I noticed is that the majority of my packets use the TCP protocol. This surprised me because I purposely opened up an insecure HTTP movie streaming website to see some UDP protocols. Considering how poor the video quality often is on these websites, I assumed the UDP protocol might have something to do with pixelated and missing frames. When I filtered for HTTP, I came across some bad TCPs for putlockers.cm:

From Tom and Shawn, I learned that TCP protocols are reliable, so it surprised me to learn that there are “bad” TCPs. I did some research and it turns out this packet [TCP Spurious Retransmission] just means that the sender thought the packet was lost and sent it again, even though the receiver had already sent an acknowledgement for it.
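To make the "spurious retransmission" label concrete, here is an added example (not code from the post, from Herbivore, or from Wireshark itself) that models in a simplified way how Wireshark's TCP analysis decides between normal data, a retransmission, and a spurious retransmission. It assumes a single two-endpoint flow and a constructed list of segments; the `Segment` class, `classify` and `sample_trace` are names invented for this illustration. The rule it applies is the one described above: a segment whose last payload byte has already been acknowledged by the peer is spurious, while a segment that re-sends data seen before but not yet acknowledged is an ordinary retransmission.

```python
"""Simplified model of Wireshark's TCP retransmission flags (added example).

Assumes one TCP flow with exactly two endpoints. Each constructed Segment
carries the sender label, the sequence number of its first payload byte,
the ACK number it carries, and its payload length.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Segment:
    src: str      # hypothetical endpoint label, e.g. "client" or "server"
    seq: int      # sequence number of the first payload byte
    ack: int      # acknowledgement number carried by this segment
    length: int   # payload bytes (0 for a pure ACK)


def classify(segments: List[Segment]) -> List[str]:
    """Return one label per segment: data, ack, retransmission or
    spurious retransmission."""
    next_seq = {}   # per sender: next sequence number we expect from it
    last_ack = {}   # per sender: highest ACK number it has sent so far
    labels = []
    for s in segments:
        # Every segment carries an ACK, so record it before looking at payload.
        last_ack[s.src] = max(last_ack.get(s.src, 0), s.ack)
        if s.length == 0:
            labels.append("ack")
            continue
        end = s.seq + s.length
        # Highest ACK seen from the other endpoint of the flow.
        peer_ack = max((a for src, a in last_ack.items() if src != s.src),
                       default=0)
        expected = next_seq.get(s.src, s.seq)
        if end <= peer_ack:
            # The peer already acknowledged every byte in this segment:
            # the sender re-sent data that had arrived fine.
            labels.append("spurious retransmission")
        elif s.seq < expected:
            # Data we have seen before, but the peer has not acked it yet.
            labels.append("retransmission")
        else:
            labels.append("data")
            next_seq[s.src] = end
    return labels


def sample_trace() -> List[Segment]:
    """Constructed trace: 100 bytes sent and acked, then re-sent anyway
    (spurious); 50 more bytes sent and re-sent before any ack (ordinary
    retransmission)."""
    return [
        Segment("client", seq=1,   ack=1,   length=100),
        Segment("server", seq=1,   ack=101, length=0),
        Segment("client", seq=1,   ack=1,   length=100),
        Segment("client", seq=101, ack=1,   length=50),
        Segment("client", seq=101, ack=1,   length=50),
        Segment("server", seq=1,   ack=151, length=0),
    ]


def demo() -> List[str]:
    return classify(sample_trace())


if __name__ == "__main__":
    for seg, label in zip(sample_trace(), demo()):
        print(f"{seg.src:6} seq={seg.seq:<4} ack={seg.ack:<4} "
              f"len={seg.length:<3} -> {label}")
```

Running the block prints the third segment as a spurious retransmission (the server's ACK of 101 already covered bytes 1 through 100) and the fifth as a plain retransmission (bytes 101 through 150 were sent twice before the server acknowledged them). Real Wireshark also looks at SYN/FIN flags, timing and out-of-order arrival, which this model leaves out.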

References:

Ellen Nickles

Spurious Retransmission
