Part 1: Examine the Header Fields in an Ethernet II Frame - arren-anives/Lab-Use-Wireshark-to-Examine-Ethernet-Frames GitHub Wiki

Part 1: Examine the Header Fields in an Ethernet II Frame

In this part, you will examine the header fields and content in an Ethernet II frame. A Wireshark capture will be used to examine the contents in those fields.

Step 1: Review the Ethernet II header field descriptions and lengths.

The table below restates the Ethernet II field layout the lab's figure shows (standard field sizes; the figure itself is not reproduced here):

| Field | Length | Description |
| --- | --- | --- |
| Preamble | 8 bytes | 7 bytes of alternating 1s and 0s for bit synchronization plus a 1-byte Start Frame Delimiter (SFD); handled by the NIC and never shown by Wireshark |
| Destination Address | 6 bytes | MAC address of the intended receiver; `ff:ff:ff:ff:ff:ff` is the broadcast address, and any address whose first octet has its low-order bit set is a multicast (group) address |
| Source Address | 6 bytes | MAC address of the sending NIC; the first 3 bytes are the IEEE-assigned OUI, the last 3 bytes are assigned by the vendor |
| Type | 2 bytes | Identifies the encapsulated protocol, e.g. `0x0800` for IPv4, `0x0806` for ARP, `0x86DD` for IPv6 |
| Data | 46 to 1500 bytes | The encapsulated upper-layer packet; a shorter payload is padded to 46 bytes so the frame meets the 64-byte minimum on the wire |
| FCS | 4 bytes | CRC-32 over the frame used by the receiver to detect corruption; most NICs strip it before the frame reaches the capture driver, so Wireshark normally does not show it |

Step 2: Examine the network configuration of the PC.

In this example, the PC host's IP address is 192.168.1.147 and the default gateway's IP address is 192.168.1.1. (On Linux and macOS, use the command `ifconfig` in the terminal; on newer Linux systems `ip addr` gives the same information.)

```text
C:\> ipconfig /all

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
   Physical Address. . . . . . . . . : F0-1F-AF-50-FD-C8
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::58c5:45f2:7e5e:29c2%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.147(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, September 6, 2019 11:08:36 AM
   Lease Expires . . . . . . . . . . : Saturday, September 7, 2019 11:08:36 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
```

Step 3: Examine Ethernet frames in a Wireshark capture.

The screenshots of the Wireshark capture below show the frames generated by a ping issued from the PC host to its default gateway. The display filter `arp or icmp` has been applied so that only ARP and ICMP traffic is shown. ARP (Address Resolution Protocol) is the protocol a host uses to learn the MAC address associated with an IPv4 address on its local network. The session begins with an ARP request and reply for the MAC address of the gateway router, followed by four ICMP echo requests and replies. The request is needed because the PC cannot build the Ethernet header of the first ping until it knows the gateway's MAC address; once the reply is cached in the ARP table, subsequent pings are sent without another ARP exchange.

This screenshot highlights the frame details for an ARP request. [screenshot]

This screenshot highlights the frame details for an ARP reply. [screenshot]

Step 4: Examine the Ethernet II header contents of an ARP request.

The following table takes the first frame in the Wireshark capture (the ARP request sent by the PC) and displays the data in the Ethernet II header fields. The values follow from the `ipconfig /all` output above and from the fact that an ARP request is broadcast:

| Field | Value in the first frame |
| --- | --- |
| Preamble | Not shown in the capture |
| Destination Address | Broadcast (ff:ff:ff:ff:ff:ff) |
| Source Address | f0:1f:af:50:fd:c8 (the PC's Physical Address; Wireshark's detail pane resolves the first three bytes to the vendor name) |
| Type | 0x0806 (ARP) |
| Data | ARP request |
| FCS | Not shown in the capture |

Answer the following questions using the first frame of the capture:

1. What is significant about the contents of the destination address field?
2. Why does the PC send out a broadcast ARP prior to sending the first ping request?
3. What is the MAC address of the source in the first frame?
4. What is the Vendor ID (OUI) of the source NIC in the ARP request?
5. What portion of the MAC address is the OUI?
6. What is the NIC serial number of the source (the lab's name for the vendor-assigned lower 24 bits of the MAC address)?
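The decoding Wireshark does in Steps 1, 3 and 4 can be reproduced by hand. The following Python script is an added example, not part of the lab or its capture file: it builds the ARP request the PC at 192.168.1.147 (MAC F0-1F-AF-50-FD-C8, from the `ipconfig /all` output) would send to resolve 192.168.1.1, then splits the 14-byte Ethernet II header into destination, source, Type and payload, classifies the destination (broadcast/multicast), separates the source MAC into its OUI and NIC-specific halves, and decodes the ARP packet. The frame bytes are constructed here from those addresses; they are not the bytes of the lab's own capture. The function and constant names are the example's own.

```python
"""Ethernet II / ARP frame builder and parser (added example, stdlib only).

Constructed input: the ARP request that a host with MAC F0-1F-AF-50-FD-C8 and
IP 192.168.1.147 sends to resolve its gateway 192.168.1.1. The bytes are
built here from those addresses, not taken from the lab's capture file.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
MIN_FRAME_LEN = 60          # 64-byte wire minimum minus the 4-byte FCS
ARP_OPER = {1: "request", 2: "reply"}


def mac_bytes(text: str) -> bytes:
    """Accept Wireshark (aa:bb:cc) or Windows ipconfig (AA-BB-CC) notation."""
    return bytes(int(octet, 16) for octet in text.replace("-", ":").split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet_ii(frame: bytes) -> dict:
    """Split the 14-byte Ethernet II header the way Wireshark's detail pane does.

    The preamble/SFD never reach the capture driver and most NICs strip the
    FCS, so a captured frame is: 6-byte destination, 6-byte source,
    2-byte Type, payload.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "type": ethertype,
        # Low-order bit of the first octet set = group (multicast) address;
        # all ones = broadcast, which is the ARP request's destination.
        "dst_is_broadcast": dst == BROADCAST_MAC,
        "dst_is_multicast": bool(dst[0] & 0x01),
        # Upper 24 bits: IEEE-assigned OUI (vendor ID). Lower 24 bits:
        # vendor-assigned value, which the lab calls the NIC serial number.
        "src_oui": mac_str(src[:3]),
        "src_nic_specific": mac_str(src[3:]),
        # Second-lowest bit of the first octet set = locally administered
        # (VM-assigned or spoofed), so an OUI lookup on it means nothing.
        "src_locally_administered": bool(src[0] & 0x02),
        "payload": frame[14:],
    }


def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet (28 bytes; trailing padding is ignored)."""
    if len(payload) < 28:
        raise ValueError("ARP packet truncated")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "oper": ARP_OPER.get(oper, oper),
        "sender_mac": mac_str(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac_str(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Build the broadcast ARP request a host sends before its first ping."""
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1, ETHERTYPE_IPV4, 6, 4, 1,          # Ethernet, IPv4, hlen 6, plen 4, request
        mac_bytes(src_mac), ipaddress.IPv4Address(src_ip).packed,
        b"\x00" * 6,                          # target MAC is unknown: all zeros
        ipaddress.IPv4Address(target_ip).packed,
    )
    header = struct.pack("!6s6sH", BROADCAST_MAC, mac_bytes(src_mac), ETHERTYPE_ARP)
    return header + arp


def pad_to_minimum(frame: bytes) -> bytes:
    """Pad as the NIC does on the wire. A capture on the sending host usually
    shows the unpadded 42-byte ARP frame; a capture taken elsewhere shows 60."""
    return frame + b"\x00" * max(0, MIN_FRAME_LEN - len(frame))


# Constructed sample: the lab's first frame rebuilt from the ipconfig addresses.
SAMPLE_FRAME = build_arp_request("F0-1F-AF-50-FD-C8", "192.168.1.147", "192.168.1.1")

if __name__ == "__main__":
    eth = parse_ethernet_ii(pad_to_minimum(SAMPLE_FRAME))
    for key, value in eth.items():
        if key != "payload":
            print(f"{key:26} {value:#06x}" if key == "type" else f"{key:26} {value}")
    print(parse_arp(eth["payload"]))
```

Running the script prints the same values the lab's table asks for: a broadcast destination, the PC's MAC with `f0:1f:af` as the OUI and `50:fd:c8` as the NIC-specific part, Type `0x0806`, and an ARP request whose target MAC is all zeros because that is exactly what the host is trying to learn. The `src_locally_administered` check is the caveat worth remembering when an OUI is used to identify hardware: a locally administered address carries no vendor information at all.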