Lab - Using Wireshark to Examine Ethernet Frames

Topology

Objectives

Part 1: Examine the Header Fields in an Ethernet II Frame

Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

Background / Scenario
When upper layer protocols communicate with each other, data flows down the Open Systems Interconnection (OSI) layers and is encapsulated into a Layer 2 frame. The frame composition is dependent on the media access type. For example, if the upper layer protocols are TCP and IP and the media access is Ethernet, then the Layer 2 frame encapsulation will be Ethernet II. This is typical for a LAN environment.

When learning about Layer 2 concepts, it is helpful to analyze frame header information. In the first part of this lab, you will review the fields contained in an Ethernet II frame. In Part 2, you will use Wireshark to capture and analyze Ethernet II frame header fields for local and remote traffic.
Required Resources
Part 1: Examine the Header Fields in an Ethernet II Frame

In Part 1, you will examine the header fields and content in an Ethernet II Frame. A Wireshark capture will be used to examine the contents in those fields.
Step 1: Review the Ethernet II header field descriptions and lengths.

Preamble    Destination Address    Source Address    Frame Type    Data               FCS
8 Bytes     6 Bytes                6 Bytes           2 Bytes       46 - 1500 Bytes    4 Bytes
Step 2: Examine the network configuration of the PC.

This PC host IP address is 10.20.164.22 and the default gateway has an IP address of 10.20.164.17.
Step 3: Examine Ethernet frames in a Wireshark capture.

The Wireshark capture below shows the packets generated by a ping being issued from a PC host to its default gateway. A filter has been applied to Wireshark to view the ARP and ICMP protocols only. The session begins with an ARP query for the MAC address of the gateway router, followed by four ping requests and replies.
Step 4: Examine the Ethernet II header contents of an ARP request.

The following table takes the first frame in the Wireshark capture and displays the data in the Ethernet II header fields.
Field                  Value                                Description
Preamble
Destination Address    Broadcast (ff:ff:ff:ff:ff:ff)
Source Address         Dell_24:2a:60 (5c:26:0a:24:2a:60)
Frame Type             0x0806
Data                   ARP
FCS
Why does the PC send out a broadcast ARP prior to sending the first ping request?
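The field layout from Step 1 and the ARP request values from Step 4, worked as a small parser. This is an added example, not code from the lab; the frame bytes are constructed from the Step 4 table, and the zero-filled data field is an assumption standing in for the ARP body and padding.

```python
"""Added example (not part of the Cisco lab): parse the Ethernet II header
fields listed in Part 1, Step 1 and apply them to the ARP request from Step 4.
The frame below is constructed from the Step 4 table; its data field is a
zero-filled placeholder (assumption) for the ARP body plus padding."""
import struct

# Preamble (8 bytes) and FCS (4 bytes) are handled by the NIC and are not
# present in a Wireshark capture, so the parser sees only the 14-byte header.
ETHER_HDR_LEN = 14
MIN_DATA = 46      # minimum Ethernet II data field (short frames are padded)
MAX_DATA = 1500    # maximum Ethernet II data field

ETHERTYPES = {0x0806: "ARP", 0x0800: "IPv4", 0x86DD: "IPv6"}

def mac_str(raw: bytes) -> str:
    """Format 6 raw bytes as colon-separated hex, as Wireshark shows them."""
    return ":".join(f"{b:02x}" for b in raw)

def parse_ethernet_ii(frame: bytes) -> dict:
    """Split a captured frame into its Ethernet II header fields and data."""
    if len(frame) < ETHER_HDR_LEN:
        raise ValueError("frame shorter than the 14-byte Ethernet II header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:ETHER_HDR_LEN])
    data = frame[ETHER_HDR_LEN:]
    if not MIN_DATA <= len(data) <= MAX_DATA:
        raise ValueError(f"data field of {len(data)} bytes is outside 46-1500")
    return {
        "destination": mac_str(dst),
        "is_broadcast": dst == b"\xff" * 6,
        "source": mac_str(src),
        "frame_type": f"0x{etype:04x}",
        "data_protocol": ETHERTYPES.get(etype, "unknown"),
        "data_length": len(data),
    }

# Constructed from the Step 4 table: broadcast destination, Dell NIC source,
# EtherType 0x0806 (ARP), followed by a minimum-size (46-byte) data field.
ARP_REQUEST_FRAME = (
    bytes.fromhex("ffffffffffff")          # destination: broadcast
    + bytes.fromhex("5c260a242a60")        # source: Dell_24:2a:60
    + bytes.fromhex("0806")                # frame type: ARP
    + bytes(MIN_DATA)                      # data: zero-filled placeholder
)

if __name__ == "__main__":
    for field, value in parse_ethernet_ii(ARP_REQUEST_FRAME).items():
        print(f"{field:14} {value}")
```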
2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

Step 1: Determine the IP address of the default gateway on your PC.
Open a command prompt window and issue the ipconfig command.

What is the IP address of the PC default gateway?
Step 2: Start capturing traffic on your PC's NIC.

a. Open Wireshark.
b. On the Wireshark Network Analyzer toolbar, click the Interface List icon.
c.
Step 3: Filter Wireshark to display only ICMP traffic.

You can use the filter in Wireshark to block visibility of unwanted traffic. The filter does not block the capture of unwanted data; it only filters what to display on the screen. For now, only ICMP traffic is to be displayed.

In the Wireshark Filter box, type icmp. The box should turn green if you typed the filter correctly. If the box is green, click Apply to apply the filter.
Step 4: From the command prompt window, ping the default gateway of your PC.

From the command window, ping the default gateway using the IP address that you recorded in Step 1.
Step 5: Stop capturing traffic on the NIC.

Click the Stop Capture icon to stop capturing traffic.
Step 6: Examine the first Echo (ping) request in Wireshark.

The Wireshark main window is divided into three sections: the Packet List pane (top), the Packet Details pane (middle), and the Packet Bytes pane (bottom). If you selected the correct interface for packet capturing in Step 3, Wireshark should display the ICMP information in the Packet List pane of Wireshark, similar to the following example.
a. In the Packet List pane (top section), click the first frame listed. You should see Echo (ping) request under the Info heading. This should highlight the line blue.
b. Examine the first line in the Packet Details pane (middle section). This line displays the length of the frame; 74 bytes in this example.
c. The second line in the Packet Details pane shows that it is an Ethernet II frame. The source and destination MAC addresses are also displayed.

What is the MAC address of the PC's NIC?

What is the default gateway's MAC address?

d. You can click the plus (+) sign at the beginning of the second line to obtain more information about the Ethernet II frame. Notice that the plus sign changes to a minus (-) sign.
What type of frame is displayed?

e. The last two lines displayed in the middle section provide information about the data field of the frame. Notice that the data contains the source and destination IPv4 address information.

What is the source IP address?

What is the destination IP address?

f. You can click any line in the middle section to highlight that part of the frame (hex and ASCII) in the Packet Bytes pane (bottom section). Click the Internet Control Message Protocol line in the middle section and examine what is highlighted in the Packet Bytes pane.
Step 7: Restart packet capture in Wireshark.

Click the Start Capture icon to start a new Wireshark capture. You will receive a popup window asking if you would like to save the previously captured packets to a file before starting a new capture. Click Continue without Saving.
Step 8: In the command prompt window, ping www.cisco.com.

Step 9: Stop capturing packets.

Step 10: Examine the new data in the packet list pane of Wireshark.
In the first echo (ping) request frame, what are the source and destination MAC addresses?

Source:

Destination:

What are the source and destination IP addresses contained in the data field of the frame?

Source:

Destination:

Compare these addresses to the addresses you received in Step 6. The only address that changed is the destination IP address. Why has the destination IP address changed, while the destination MAC address remained the same?
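The host-side decision behind the Step 10 comparison, as an added example that is not part of the lab: a sender checks whether the destination IP is on its own subnet and, if not, addresses the frame to the default gateway's MAC while the packet inside keeps the remote destination IP. The PC and gateway IPs are the lab's (10.20.164.22 and 10.20.164.17); the /24 mask, the gateway MAC and the remote IP are assumptions.

```python
"""Added example (not the lab's own code): why the destination MAC in Step 10
stays the gateway's while the destination IP changes. Addresses come from the
lab (PC 10.20.164.22, gateway 10.20.164.17); the /24 mask, the gateway MAC
and the remote address are assumptions."""
import ipaddress

PC_IP = ipaddress.ip_address("10.20.164.22")
PC_NETWORK = ipaddress.ip_network("10.20.164.0/24")   # assumed subnet mask
GATEWAY_IP = ipaddress.ip_address("10.20.164.17")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed ARP cache: the gateway MAC is a placeholder, learned earlier by
# the ARP request/reply seen in Part 1, Step 3.
ARP_CACHE = {
    GATEWAY_IP: "00:00:5e:00:01:01",     # placeholder gateway MAC
}

def next_hop_mac(dst_ip: str) -> tuple:
    """Return (destination MAC, reason) for a frame carrying a packet to dst_ip.

    The packet's destination IP is never rewritten; only the Layer 2
    destination depends on whether dst_ip is on-link or off-link."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in PC_NETWORK:
        # On-link: frame is delivered directly, so the host's own MAC is
        # needed; an unknown host triggers a broadcast ARP request first.
        mac = ARP_CACHE.get(dst)
        if mac is None:
            return BROADCAST_MAC, "on-link, ARP request needed first"
        return mac, "on-link, direct delivery"
    # Off-link: the frame goes to the default gateway regardless of dst_ip.
    return ARP_CACHE[GATEWAY_IP], "off-link, forwarded via default gateway"

if __name__ == "__main__":
    # Step 4 ping (gateway) versus Step 8 ping (remote host, assumed IP):
    # same destination MAC, different destination IP.
    for ip in ("10.20.164.17", "203.0.113.10"):
        print(ip, "->", next_hop_mac(ip))
```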
Reflection

Wireshark does not display the preamble field of a frame header. What does the preamble contain?