Lab Worksheet 11

Data capturing tool: Wireshark

(Ref. CCNA5 Introduction to Network 3.3.3.4, 5.1.4.3, 5.2.1.8)

Objective:

Learn how to use the protocol inspector program to capture Ethernet

frames.

Learn how to generate appropriate network traffic for capturing.

Learn how to analyze Network Layer Header of an Ethernet Frame.

Background
Wireshark is a software protocol analyzer, or "packet sniffer" application,
used for network troubleshooting, analysis, software and protocol
development, and education. As data streams travel back and forth over
the network, the sniffer "captures" each protocol data unit (PDU) and can
decode and analyze its content.

Step 1 Get to know the Wireshark program

1.1. From Start menu or on Desktop, open Wireshark program

Start
Capture
List the
Stop the
Restart
capture
options
available
running
the
capture
capture
running
interfaces
capture
1.2. On Wireshark, click Interface List, check the interface youre using for
Internet connection.

1.3. Click the Capture Option to double check the interface and customize
the capture options. In the capture option window, uncheck Use
promiscuous mode on all interfaces and uncheck Resolve MAC
addresses.

1.4. Click the Start Capture button to start capturing Ethernet frames
which pass through your NIC card.
Information will start scrolling down the top section in Wireshark. The
data lines will appear in different colors based on protocol.

1.5. Click Stop button to stop running capture after some time. Look at the

result you have captured. If you started capture, wait, then stop
capture; your result may be plain or only some routine Ethernet traffic
(background traffic) was captured.
1.6. Look at different display windows.
Wireshark data is displayed in three sections:
1) The top section displays the list of PDU frames captured with a
summary of the IP packet information listed,
2) the middle section lists PDU information for the frame selected in
the top part of the screen and separates a captured PDU frame by its
protocol layers, and
3) the bottom section displays the raw data of each layer. The raw
data is displayed in both hexadecimal and decimal form.

Live Capture Window

Frame Detail Window

Hex Display Window

Step 2 Capture and Analyze ICMP Data in Wireshark

1.1. Retrieve your PCs interface addresses:
Whatre your PC interfaces IP address and MAC (physical) address?
4

________________________________________________________
1.2. Start a live capture on Wireshark.
1.3. Ping your default gateway or other IP address on the command
prompt. After all the ping replies received, stop capturing on the
Wireshark
1.4. Type icmp in the Filter box at the top of Wireshark and press Enter or
click on the Apply button to view only ICMP (ping) PDUs.

1.5. Click the first ICMP request PDU frames in the top section of
Wireshark. Notice that the Source column has your PCs IP address,
and the Destination contains the IP address you pinged.

1.6. With this PDU frame still selected in the top section, navigate to the
middle section. Click the plus sign to the left of the Ethernet II row to
view the Destination and Source MAC addresses.

Does the Source MAC address match your PCs interface?

________________________________________________________
How is the destination MAC address obtained by your PC?
________________________________________________________
Step 3 Capture and Analyze ARP exchanges in Wireshark
2.1. Check your PCs default gateway and ARP table. Run the command
prompt as administrator.

What is the IP Address of the PC Default Gateway?

________________________________________________________
What is the command to display the ARP table?
________________________________________________________
What is the command to delete all entries of the ARP table?
________________________________________________________
2.2. Start a live capture on Wireshark.
2.3. On the command prompt, clear the ARP table and ping your default
gateways IP
2.4. Stop the capture on Wireshark
2.5. Filter Wireshark to display only ARP and ICMP traffic

2.6. Examine the ARP packets

How can you locate the ARP packets resolving your default gateways
MAC address?
________________________________________________________
What is the MAC address of the source in the ARP request frame?
Whose MAC address is it?
________________________________________________________
What is the destination MAC address ARP request frame? What does
it mean?
________________________________________________________
Note: All hosts on the LAN will receive this broadcast frame. The host
with the IP address of 10.20.164.17 (default gateway) will send a
unicast reply to the source (PC host). This reply contains the MAC
address of the NIC of the Default Gateway.
Why does the PC send out a broadcast ARP prior to sending the first
ping request?

________________________________________________________
Note: Before the PC can send a ping request to a host, it needs to
determine the destination MAC address before it can build the frame
header for that ping request. The ARP broadcast is used to request
the MAC address of the host with the IP address contained in the ARP.