Endpoints in Wireshark

Last Updated : 29 Sep, 2022
An “endpoint”, in simple terms, is a logical end of a communication channel: a unit that communicates back and forth with the network to which it is connected. Endpoints are designed to perform specific or limited functions. In a network, an endpoint is the logical endpoint of the traffic of a specific protocol at a specific protocol layer. An IP endpoint will only send and receive packets to specific IP addresses. In Wireshark, an endpoint is one side of a conversation, and a conversation takes place between two endpoints.

Endpoints Tool in Wireshark: 

To view the endpoint statistics, follow the steps below:

  • Start Wireshark by selecting the network we want to analyze.
  • In Wireshark, click the Statistics → Endpoints menu or toolbar item.
Wireshark Statistics Menu

 

This will then bring up Wireshark’s endpoint statistic window.

Wireshark Endpoints on WiFi

 

The above screenshot displays statistics about the captured endpoints. Endpoints are similar to conversations. The window lists all the devices seen at each layer, along with details about them. We can see the endpoint layers, which are Ethernet, IPv4, IPv6, and TCP or UDP.

Endpoint and Conversation types :

  • Bluetooth: A 48-bit address similar to an Ethernet MAC address.
  • Ethernet: The Ethernet device’s 48-bit MAC address.
  • Fibre Channel: A 48-bit address similar to an Ethernet MAC address.
  • IEEE 802.11: A 48-bit address similar to an Ethernet MAC address.
  • FDDI: The 48-bit FDDI MAC address.
  • IPv4: The 32-bit IPv4 address.
  • IPv6: The 128-bit IPv6 address.
  • IPX: A concatenation of a 32-bit network number and a 48-bit node address; by default the node address is the Ethernet interface’s 48-bit MAC address.
  • JXTA: A 160-bit SHA-1 URN.
  • NCP: Similar to IPX.
  • RSVP: A combination of various RSVP session attributes and IPv4 addresses.
  • SCTP: A combination of the host IP addresses and the SCTP port. Different SCTP ports on the same IP address are different SCTP endpoints, but the same SCTP port on different IP addresses of the same host is still the same endpoint.
  • TCP: A combination of an IP address and the TCP port used. Different TCP ports on the same IP address are different TCP endpoints.
  • Token Ring: The 48-bit Token Ring MAC address.
  • UDP: A combination of an IP address and the UDP port used. Different UDP ports on the same IP address are different UDP endpoints.
  • USB: The 7-bit USB address.

Controls of Endpoint Statistic Window:

  • In the endpoint statistics window, each supported protocol has a separate tab. Each tab label shows the name of the protocol followed by the number of endpoints captured (for example, the tab label “TCP 37” tells us that 37 TCP endpoints have been captured). The tab label is greyed out if the number of endpoints for a specific protocol is 0.
  • Each protocol tab contains a list of rows. Each row displays the values for exactly one endpoint.
  • The Name Resolution checkbox will be checked only if it is selected in the main window and if it is active for the specific protocol layer.
  • Limit to display filter shows only the endpoints that match the current display filter.
  • Endpoint Types allows us to select which protocol types are displayed.
  • The Copy option copies all the values in that specific tab to the clipboard in CSV, YAML, or JSON format.
  • The Map option displays the endpoints on a map in the web browser.
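
The per-layer bookkeeping behind the endpoint types and the tab labels described above, as an added Python sketch (not Wireshark's code and not part of the original article). The frames, addresses and the helper names `frame`, `endpoints` and `tab_labels` are constructed for illustration, and only Ethernet, IPv4, TCP and UDP are decoded.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

def frame(smac, dmac, sip, dip, proto, sport, dport, payload=b""):
    """Build a constructed Ethernet/IPv4 frame carrying TCP (6) or UDP (17)."""
    # Only the ports are filled in; other TCP fields and all checksums stay zero.
    rest = b"\0" * 16 if proto == 6 else struct.pack("!HH", 8 + len(payload), 0)
    l4 = struct.pack("!HH", sport, dport) + rest + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(sip).packed, IPv4Address(dip).packed)
    return bytes.fromhex((dmac + smac).replace(":", "")) + b"\x08\x00" + ip + l4

def endpoints(frames):
    """Return {layer: {endpoint: [tx_pkts, tx_bytes, rx_pkts, rx_bytes]}}."""
    tables = defaultdict(lambda: defaultdict(lambda: [0, 0, 0, 0]))
    def count(layer, src, dst, size):
        tx, rx = tables[layer][src], tables[layer][dst]
        tx[0] += 1; tx[1] += size
        rx[2] += 1; rx[3] += size
    for f in frames:
        if len(f) < 14:
            continue                      # too short for an Ethernet header
        count("Ethernet", f[6:12].hex(":"), f[0:6].hex(":"), len(f))
        if f[12:14] != b"\x08\x00" or len(f) < 34:
            continue                      # only IPv4 is decoded in this sketch
        ihl = (f[14] & 0x0F) * 4          # IPv4 header length in bytes
        sip, dip = str(IPv4Address(f[26:30])), str(IPv4Address(f[30:34]))
        count("IPv4", sip, dip, len(f))
        if f[23] in (6, 17) and len(f) >= 18 + ihl:
            sport, dport = struct.unpack("!HH", f[14 + ihl:18 + ihl])
            # A TCP/UDP endpoint is the (IP address, port) pair, not the IP alone.
            count("TCP" if f[23] == 6 else "UDP", (sip, sport), (dip, dport), len(f))
    return tables

def tab_labels(tables):
    """Protocol name followed by endpoint count, like the window's tab labels."""
    return [f"{layer} {len(tables[layer])}" for layer in ("Ethernet", "IPv4", "TCP", "UDP")]

# Constructed sample traffic (documentation addresses, locally administered MACs).
C, S = ("02:00:00:00:00:01", "192.0.2.10"), ("02:00:00:00:00:02", "198.51.100.5")
SAMPLE = [
    frame(C[0], S[0], C[1], S[1], 6, 50000, 443),
    frame(S[0], C[0], S[1], C[1], 6, 443, 50000, b"x" * 10),
    frame(C[0], S[0], C[1], S[1], 6, 50001, 443),
    frame(C[0], S[0], C[1], S[1], 17, 5353, 53),
]
print(tab_labels(endpoints(SAMPLE)))
```

The one client IP address appears as two TCP endpoints because it used two source ports, while it remains a single IPv4 and a single Ethernet endpoint.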
