Part 2: Use Wireshark to Capture and Analyze Ethernet Frames - arren-anives/Lab-Use-Wireshark-to-Examine-Ethernet-Frames GitHub Wiki
In this part, you will use Wireshark to capture local and remote Ethernet frames. You will then examine the information that is contained in the frame header fields.
Step 1: Determine the IP address of the default gateway on your PC.
Open a Windows command prompt.
Open a command prompt window and issue the ipconfig command. (For Linux and macOS, enter the command netstat -rn at a terminal.)
Question: Record the IP address of the PC default gateway.
Step 2: Start capturing traffic on your PC NIC.
a. Open Wireshark to start data capture. Double-click the desired network device interface with network traffic to start the capture.
b. Observe the traffic that appears in the packet list window.
Step 3: Filter Wireshark to display only ICMP traffic.
You can use the filter in Wireshark to block visibility of unwanted traffic. The filter does not block the capture of unwanted data; it only filters what you want to display on the screen. For now, only ICMP traffic is to be displayed.
In the Wireshark Filter box, type icmp. The box should turn green if you typed the filter correctly. If the box is green, click Apply (the right arrow) to apply the filter.
Step 4: From the command prompt window, ping the default gateway of your PC.
Open a Windows command prompt.
From the command prompt window, ping the default gateway using the IP address that you recorded in Step 1.
Close Windows command prompt.
Step 5: Stop capturing traffic on the NIC.
Click the Stop Capturing Packets icon (the red square) to stop capturing traffic.
Step 6: Examine the first Echo (ping) request in Wireshark.
The Wireshark main window is divided into three sections: the Packet List pane (top), the Packet Details pane (middle), and the Packet Bytes pane (bottom). If you selected the correct interface for packet capturing previously, Wireshark should display the ICMP information in the Packet List pane.
a. In the packet list pane (top section), click the first frame listed. You should see Echo (ping) request under the Info heading. The line should now be highlighted.
b. Examine the first line in the packet details pane (middle section). This line displays the length of the frame.
c. The second line in the packet details pane shows that it is an Ethernet II frame. The source and destination MAC addresses are also displayed.
Questions: What is the MAC address of the PC NIC?
What is the default gateway’s MAC address?
d. Click the greater than (>) sign at the beginning of the second line to obtain more information about the Ethernet II frame.
Question: What type of frame is displayed?
e. The last two lines displayed in the middle section provide information about the data field of the frame. Notice that the data contains the source and destination IPv4 address information.
Questions: What is the source IP address?
What is the destination IP address?
f. You can click any line in the middle section to highlight that part of the frame (hex and ASCII) in the Packet Bytes pane (bottom section). Click the Internet Control Message Protocol line in the middle section and examine what is highlighted in the Packet Bytes pane.
Question: What do the last two highlighted octets spell?
g. Click the next frame in the top section and examine an Echo reply frame. Notice that the source and destination MAC addresses have reversed, because this frame was sent from the default gateway router as a reply to the first ping.
Question: What device and MAC address is displayed as the destination address?
Step 7: Capture packets for a remote host.
a. Click the Start Capture icon to start a new Wireshark capture. You will receive a popup window asking if you would like to save the previous captured packets to a file before starting a new capture. Click Continue without Saving.
b. In a command prompt window, ping www.cisco.com.
c. Stop capturing packets.
d. Examine the new data in the packet list pane of Wireshark.
Questions: In the first Echo (ping) request frame, what are the source and destination MAC addresses?
What are the source and destination IP addresses contained in the data field of the frame?
Compare these addresses to the addresses you received in the previous step. The only address that changed is the destination IP address. Why has the destination IP address changed, while the destination MAC address remained the same?
Wireshark does not display the preamble field of a frame header. What does the preamble contain?
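As an added worked example (not part of the lab), the Python script below assembles two constructed echo-request frames, one to the gateway and one to a remote host, and then walks the same three headers the Packet Details pane lists: Ethernet II, IPv4 and ICMP. All MAC and IP addresses in it are constructed placeholders, and the builder emits only the bytes a capture contains, so the preamble and the FCS are deliberately absent.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_ICMP = 1

def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)
def ip_str(raw): return ".".join(str(b) for b in raw)

def inet_checksum(data):
    # RFC 1071 one's-complement sum over 16-bit words; an odd trailing byte is zero-padded.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(dst_mac, src_mac, src_ip, dst_ip, payload=b"constructed payload"):
    # Only what a capture holds: Ethernet II header, IPv4 header, ICMP (no preamble/SFD, no FCS).
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload            # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0,
                       128, IP_PROTO_ICMP, 0, bytes(src_ip), bytes(dst_ip))
    ipv4 = ipv4[:10] + struct.pack("!H", inet_checksum(ipv4)) + ipv4[12:]
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ipv4 + icmp

def parse_frame(frame):
    # Walks the same three headers the Packet Details pane lists, top to bottom.
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet II header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac), "ethertype": ethertype}
    ip = frame[14:]
    if ethertype != ETHERTYPE_IPV4 or len(ip) < 20:
        return info                                   # not a full IPv4 frame: stop at layer 2
    ihl = (ip[0] & 0x0F) * 4
    info.update(src_ip=ip_str(ip[12:16]), dst_ip=ip_str(ip[16:20]), proto=ip[9])
    if ip[9] == IP_PROTO_ICMP and len(ip) > ihl + 4:
        info.update(icmp_type=ip[ihl], icmp_code=ip[ihl + 1],
                    icmp_checksum_ok=inet_checksum(ip[ihl:]) == 0)
    return info

def changed_fields(a, b):
    # Header fields that differ between two parsed frames (the Step 7 comparison).
    return sorted(k for k in a if k in b and a[k] != b[k])
# Constructed sample addresses; substitute the ones you recorded in Steps 1 and 6.
PC_MAC, GATEWAY_MAC = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
PC_IP, GATEWAY_IP, REMOTE_IP = [192, 168, 1, 10], [192, 168, 1, 1], [203, 0, 113, 5]
LOCAL = parse_frame(build_echo_request(GATEWAY_MAC, PC_MAC, PC_IP, GATEWAY_IP))
REMOTE = parse_frame(build_echo_request(GATEWAY_MAC, PC_MAC, PC_IP, REMOTE_IP))
```

Printing `LOCAL`, `REMOTE` and `changed_fields(LOCAL, REMOTE)` reproduces the Step 6 and Step 7 observations on the constructed frames; feeding `parse_frame` the raw bytes exported from Wireshark (File > Export Packet Dissections, or copying the Packet Bytes pane as a hex stream) does the same for a real capture.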