Wireshark, OUI and a good colleague, Sasan!

There’s always a plus to working with a good, experienced team. After years of solo playing, every day I kind of feel a breeze being with my new fellow colleagues. Today as I entered the office, Sasan asked me to fire up my Wireshark and check who’s flooding [broadcasting into] the network. He told me that by merely looking at the network printer light, he could see that something must be broadcasting all around, coz the light was constantly winking! As you know, Wireshark [formerly Ethereal] is a network protocol analyzer and scanner. This hefty definition means if you run it, you can see the packets your computer is receiving off the network. After looking at all the packets with a target destination of 255.255.255.255 [which is the broadcast address!], we found the culprit sender’s IP address! You can see a picture of Wireshark below:

How the heck can you find which computer it is by its IP address? Well, first ping the address, then run “arp -n” and see the MAC address; the unique address that every ethernet card has. As you know every MAC address has 6 bytes. The first 3 bytes are called OUI = Organizationally Unique Identifier. Take a look at the “arp -n” output first:

By looking at the Address column, you can find the IP you are looking for [do NOT forget pinging the IP first, or it might not show up in here]. Now look at the 3rd column, HWaddress: as you see, the red area is the first 3 bytes. Having this and looking it up in the IEEE OUI table, we instantly pinpointed the broadcasting dirty computer, it was an Apple Mac!
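The lookup described above, as an added example that is not part of the original post: it parses `arp -n` output, takes the first 3 bytes of the HWaddress and looks them up in an oui.txt-style table. The sample ARP output, the registry excerpt and the function names are constructed for illustration; the example also flags locally administered MACs, where the first 3 bytes are not a registered OUI.

```python
import re

# Constructed sample of Linux `arp -n` output (addresses are made up).
ARP_OUTPUT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.23             ether   00:03:93:ab:cd:ef   C                     eth0
192.168.1.40             ether   da:a1:19:00:11:22   C                     eth0
192.168.1.57                     (incomplete)                              eth0
"""

# Constructed excerpt in the layout of the IEEE oui.txt registry file.
OUI_TXT = """\
00-00-0C   (hex)\t\tCisco Systems, Inc
00-03-93   (hex)\t\tApple, Inc.
"""

MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)

def parse_arp(text):
    """Map IP -> MAC, or None for '(incomplete)' entries that never answered."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        m = MAC_RE.search(line)
        table[line.split()[0]] = m.group(0).lower() if m else None
    return table

def load_oui(text):
    """Map 'AABBCC' -> vendor from the '(hex)' lines of an oui.txt-style file."""
    vendors = {}
    for line in text.splitlines():
        m = re.match(r"((?:[0-9A-F]{2}-){2}[0-9A-F]{2})\s+\(hex\)\s+(.+)", line)
        if m:
            vendors[m.group(1).replace("-", "")] = m.group(2).strip()
    return vendors

def identify(ip, arp, vendors):
    mac = arp.get(ip)
    if mac is None:
        return "no ARP entry yet: ping the host first"
    if int(mac[:2], 16) & 0x02:                 # locally administered bit set
        return "locally administered MAC: OUI lookup does not apply"
    return vendors.get(mac.replace(":", "")[:6].upper(), "OUI not in table")

if __name__ == "__main__":
    arp, vendors = parse_arp(ARP_OUTPUT), load_oui(OUI_TXT)
    for ip, mac in arp.items():
        print(ip, mac, identify(ip, arp, vendors))
```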

Maybe it doesn’t look like such a big deal, and of course it is not. But it’s cool for me to look at a network light and figure out we’re having uninvited packets, then capturing them and finally eliminating them! Thanks to Sasan, the great ;)

One Response to “Wireshark, OUI and a good colleague, Sasan!”

  1. hi!!!
    good for u guys!
    glad to be here!
