[understanding networks week 5] packets and mysteries

This week, we were to analyze traffic on our networks at home using Wireshark. So to begin, I had Wireshark capture one minute of packet activity on my wifi network at home.

In just 60 seconds, it captured 6894 packets! Seems like a lot, given that I probably browsed one or two sites in that minute, but I guess that reveals how much is going on in the background when I think I’m not even doing much. The total protocol counts were:

DB-LSP-DISC: 5
DNS: 65
IGMPv2: 2
QUIC: 113
SSDP: 41
STP: 33
TCP: 4809
TLSv1.2: 1805
UDP: 21

As you can see, most of it was TCP. I am not entirely sure what was causing these – I did a whois lookup on some of the IPs, and saw some familiar names: Amazon, Verizon, Facebook (which I don’t actually have, must have been Instagram…). Still, I was wondering if maybe Tweetdeck (a desktop Twitter client) was a source of such a high number of packets, but I wasn’t sure how to confirm it.

Another experiment I did was to check on the packets coming to and from my Raspberry Pi sitting in my living room.

My pi takes a picture of one of my house plants every morning and tweets it out from @grow_slow at 10:17 am. The only other thing it does it reboot itself at 10:00 am. So I turned on Wireshark and filtered it for the pi’s IP…

screenshot-2016-10-10-16-23-33

And just as I suspected, it didn’t do much just sitting there. So I tried ssh-ing in from my laptop to see what would come up.screenshot-2016-10-10-16-25-01

It still surprises me how many packets are required just for one ssh login. I also then tried logging in via FTP:

screenshot-2016-10-10-16-26-32

Something I didn’t expect was that Wireshark revealed my username and password when I used FTP. (As you can see I haven’t changed them from the defaults, oops. But to any potential hackers reading: I’m changing it!!).

Because my python program on my pi is set to tweet at 10:17 am, I waited until the time, expecting to see some packets, but…nothing showed up, even though the tweet successfully posted. In fact the only thing that would show up was these, which occurred every few minutes:

screenshot-2016-10-10-16-32-01  I also found that my laptop also sent a packet to the same IP with the same protocol. From reading a bit about the Internet Group Management Protocol, it sounds like it’s a way to forward the same IP packets to a number of hosts within a network. My guess is that both my pi and my laptop are telling the router that they’re available for multicast?

One last random curious thing I found: when I was ssh-ing in to my pi from my laptop, I noticed that it was sending packets while I was typing on the command line, not just when I submitted a command, which is not what I expected.

My understanding still feels very fuzzy, and I don’t know why I didn’t see any packets coming to or from my pi when I run the program that tweets. I think it’ll take me a little more time and research to feel like I’m starting to really understand this.