3

This is a sample of a traceroute to google.com:

TraceRoute from Network-Tools.com to 216.58.194.46 [google.com]
Hop (ms)    (ms)    (ms)             IP Address Host name
1     0       0       0          206.123.64.233   -  
2     Timed out       Timed out       Timed out               -  
3     1       1       1          4.68.70.166     google-level3-3x10g.dallas.level3.net  
4     1       1       1          108.170.240.129      -  
5     1       1       1          209.85.242.53    -  
6     1       1       1          216.58.194.46   dfw25s12-in-f14.1e100.net  

Trace complete

It is obvious there should be some layer two and layer one (physical layer tapping devices) network devices in between that we cannot trace or identify, but they have an important impact on the result.

These layer 2 & 1 network devices have many roles, including security. There are many agencies or organizations that capture data on the physical layer or data link layer, like the PRISM surveillance program.

I am looking for a theory or a practical way to identify layer 2 devices in order to prove or identify data capturing.

2 Answers

4

You can see some hop counts in the traceroute results, but there are certainly many devices in the middle; if you could capture traffic you could see that when a packet passes a device the source MAC address would change.

This is incorrect. L2 devices do not change source/dest hardware address.

More to the point of your question, if you're inside the target network you could try sniffing for lldp/cdp/stp traffic to gather information about the connected L2 devices.

Once the packet goes through a router, any information below layer 3 is lost.

The "timed out" and missing hops in your traceroute are not invisible l2 devices, they're hops (routers) that do not send ICMP type 11 packets to inform that the TTL was exceeded.

3
  • 2
    @WhiteWinterWolf When a frame leaves from host A to host B, both within the same broadcast domain (think LAN), the frame that arrives at B will have the same Ethernet headers that it had when it left A, no matter how many (L2) switches it traverses.
    – GnP
    Commented Aug 29, 2016 at 1:11
  • The answers are very helpful, but my question remains: when a frame passes a layer 2 device there should be an effect on it that I am trying to understand.
    – R1W
    Commented Aug 29, 2016 at 7:27
  • 2
    @user1832494 the answer is there isn't, except for the timing one mentioned by Steffen. For l2 devices you can use lldp (link layer discovery protocol).
    – GnP
    Commented Aug 29, 2016 at 9:31
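The LLDP suggestion in the answer above, as an added example that is not part of the original answer: a parser that pulls the neighbour's chassis ID, port ID, TTL and system name out of one captured LLDP frame. Capturing is left out; the frame bytes, MAC address, port name and switch name below are constructed sample values, and the function names are hypothetical.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
TLV_NAMES = {1: "chassis_id", 2: "port_id", 3: "ttl", 5: "system_name"}

def parse_lldp_frame(frame: bytes) -> dict:
    """Extract neighbour identity from one untagged Ethernet II frame carrying LLDP."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    info = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":")}
    offset = 14
    while offset + 2 <= len(frame):
        header = struct.unpack("!H", frame[offset:offset + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF  # 7-bit type, 9-bit length
        offset += 2
        if tlv_type == 0:  # End of LLDPDU
            break
        value = frame[offset:offset + length]
        if len(value) < length:
            raise ValueError("truncated TLV")
        offset += length
        name = TLV_NAMES.get(tlv_type)
        if name in ("chassis_id", "port_id"):
            if not value:
                raise ValueError("ID TLV without subtype byte")
            subtype, body = value[0], value[1:]
            # Chassis subtype 4 and port subtype 3 both mean "MAC address";
            # other subtypes are shown as text here (a simplification).
            is_mac = subtype == (4 if name == "chassis_id" else 3)
            info[name] = body.hex(":") if is_mac else body.decode("utf-8", "replace")
        elif name == "ttl":
            if length != 2:
                raise ValueError("TTL TLV must be 2 bytes")
            info[name] = struct.unpack("!H", value)[0]
        elif name:
            info[name] = value.decode("utf-8", "replace")
    return info

def tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

# Constructed sample frame (not a real capture): LLDP multicast destination,
# locally administered source MAC, four TLVs and the End of LLDPDU marker.
SAMPLE_FRAME = (
    bytes.fromhex("0180c200000e" "020000000001" "88cc")
    + tlv(1, b"\x04" + bytes.fromhex("020000000001"))  # chassis ID, MAC subtype
    + tlv(2, b"\x05Gi0/1")                             # port ID, interface name
    + tlv(3, struct.pack("!H", 120))                   # TTL in seconds
    + tlv(5, b"lab-switch-1")                          # system name
    + tlv(0, b"")
)
```

Frames sent to the LLDP multicast address 01:80:c2:00:00:0e are not forwarded by standard bridges, so this only reveals the device on the directly attached link, which matches the answer's "inside the target network" condition.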
12

Information from layer 2 is usually not propagated to the higher layers because it is not needed there. Exceptions are protocols like ARP but this is only visible inside the local network. This means it is not possible to directly detect layer 2 (link layer) devices unless you are connected to the same link or inside the same local network (ARP). You might try to infer the possible effects of such devices based on irregularities in the network or timing but most will probably be invisible from remote.

4
  • Any device has an effect on the packet, like changing TTL or increasing ping time, etc., because they do some sort of processing on the packet. What are the layer two effects on a packet?
    – R1W
    Commented Aug 28, 2016 at 7:33
  • 2
    @user1832494: TTL or hop count are at layer 3. Layer 2 devices do not change it. As for the timing: I've mentioned it. Apart from that layer 2 devices usually don't change anything at the (layer 3) packet at all, but there are exceptions like layer 2 encryption devices or "invisible" deep packet inspection.
    Commented Aug 28, 2016 at 7:40
  • We have two different approaches: first, a security device using a tap, SPAN or similar technology, and second, a layer two device like switches or radios. Is the effect on the packet the same for those devices, or does it make a big difference?
    – R1W
    Commented Aug 29, 2016 at 7:34
  • 1
    @user1832494: a tap is copying the packet for further analysis and should not or almost not impact the timing (depending on the type of tap) and should cause no loss. Switches instead forward the packet and thus impact the timing more and might cause packet loss.
    Commented Aug 29, 2016 at 7:38
