• Anna Oh

Packet Analysis

Updated: Oct 29, 2019

I used 'WireShark' to analyze the traffic of my home network, especially when I'm using my google mini. Before running Wireshark, I ran arp - a to identify my devices that are connected to my home network. Since I'm using hotspot which is called 'jetpack' I could identify my hotspot devices address as well.

I was curious about the traffic when I used I.o.T devices such as Google mini. Furthermore, I wondered about that are there any differences between when using voice command for web browsing needed task and for manipulating other I.o.T devices such as smart lights. Also, I was curious about how the traffic looks different when I'm using my hotspot compare to when I'm using Wifi from a hotel in my neighborhood. (I have been using this wifi since I was able to access it with simply type any random email address on their web site). Eventually, my packet sniffing became a bit confused protocol analysis which is comparing 5 different settings. For the stater, I ran my Wire shark to compare how the protocols are different while doing different types of voice commands.

1) Asking tomorrow's weather

A bunch of protocols appeared, I briefly researched them.


  • The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the webserver. It also supports some monitoring in that the web server can ping the application server.

  • AJP Connectors work in the same way as HTTP Connectors, but they use the AJP protocol in place of HTTP. Apache JServ Protocol, or AJP, is an optimized binary version of HTTP that is typically used to allow Tomcat to communicate with an Apache webserver

ARP (Address Resolution Protocol)

  • Short for Address Resolution Protocol, a network layer protocol used to convert an IP address into a physical address (called a DLC address), such as an Ethernet address. A host wishing to obtain a physical address broadcasts ARP request onto the TCP/IP network.

DB-LSP-DISC (Dropbox LAN sync Discovery Protocol)


  • The Domain Name System is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.

  • The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names, like nytimes.com or espn.com. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.


  • IPv6 uses the Internet Control Message Protocol (ICMP) as defined for IPv4 with a number of changes. The resulting protocol is called ICMPv6. It contains the data specific to the message type indicated by the Type and Code fields.


  • In computer networking, the multicast DNS protocol resolves hostnames to IP addresses within small networks that do not include a local name server. It is a zero-configuration service, using essentially the same programming interfaces, packet formats and operating semantics as the unicast Domain Name System


  • A standard for advertising services on a TCP/IP network and discovering them. The Universal Plug and Play (UPnP) protocol use SSDP to announce and find devices in order, for example, to stream video from a source to a playback system.

  • The SSDP protocol can discover Plug & Play devices, with uPnP (Universal Plug and Play). SSDP uses unicast and multicast addresses ( SSDP is HTTP like protocol and works with NOTIFY and M-SEARCH methods. Sep 10, 2016

TCP (Transmission Control Protocol)

  • A standard that defines how to establish and maintain a network conversation via which application programs can exchange data. TCP works with the Internet Protocol (IP), which defines how computers send packets of data to each other

UDP (User Datagram Protocol)

  • an alternative communications protocol to Transmission Control Protocol (TCP) used primarily for establishing low-latency and loss-tolerating connections between applications on the internet.

  • TCP (Transmission Control Protocol) is connection-oriented, whereas UDP (User Datagram Protocol) is connection-less. ... UDP does not use acknowledgments at all and is usually used for protocols where a few lost datagrams do not matter. Because of acknowledgments, TCP is considered a reliable data transfer protocol.


  • Transport Layer Security - TLSv1.2. Currently, TLSv1.2 is the newest SSL protocol version. It introduces new SSL/TLS cipher suites that use the SHA-256 hash algorithm instead of the SHA-1 function, which adds significant strength to the data integrity.

The interesting part was Google mini asking for the location of network

2) Asking to turn off the lights

I was able to see AJP13/ DNS / SSDP protocols disappeared.

3) Doing nothing with google mini

The result was the same, still could find AJP13/ DNS / SSDP. According to from these results, I was able to understand to

4) Web browsing with same network(jetpack)


  • Secure Sockets Layer (SSL) is a networking protocol designed for securing connections between web clients and web servers over an insecure network, such as the internet. After being formally introduced in 1995, SSL made it possible for a web server to securely enable online transactions between consumers and businesses. Due to numerous protocol and implementation flaws and vulnerabilities, SSL was deprecated for use on the internet by the Internet Engineering Task Force (IETF) in 2015 and has been replaced by the Transport Layer Security (TLS) protocol.

4) Connecting network from outside (Lexhotel) and random web browsing.

AJP13 (and SSL) is disappeared and there were new protocols appeared.


  • TLSv1.3 is a major rewrite of the specification. There was some debate as to whether it should really be called TLSv2.0 - but TLSv1.3 it is. There are major changes and some things work very differently. A brief, incomplete,

  • There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections.

  • Renegotiation is not possible in a TLSv1.3 connectionMore of the handshake is now encrypted.

  • More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency)

  • DSA certificates are no longer allowed in TLSv1.3 connections


HTTP (HyperText Transfer Protocol)

  • HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.

ICMP(Internet Control Message Protocol)

  • An error-reporting protocol network devices like routers use to generate error messages to the source IP address when network problems prevent delivery of IP packets.

LLDP ( link layer discovery protocol)

  • An open and extendable part of the Internet protocol suite used in IEEE 802 to advertise a device's identity and abilities, as well as other devices connected within the same network.

OCSP(Online Certificate Status Protocol)

  • An Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track.

SSDP (Simple Service Discovery Protocol)

  • A standard for advertising services on a TCP/IP network and discovering them. The Universal Plug and Play (UPnP) protocol uses SSDP to announce and find devices in order, for example, to stream video from a source to a playback system.

STP (Spanning Tree Protocol)

  • A network protocol that builds a loop-free logical topology for Ethernet networks. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them.


© 2023 by Salt & Pepper. Proudly created with Wix.com