Lab - Using Wireshark to Examine Ethernet Frames

Topology

Objectives
Part 1: Examine the Header Fields in an Ethernet II Frame
Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

Background / Scenario
When upper layer protocols communicate with each other, data flows down the Open Systems Interconnection (OSI) layers and is encapsulated into a Layer 2 frame. The frame composition is dependent on the media access type. For example, if the upper layer protocols are TCP and IP and the media access is Ethernet, then the Layer 2 frame encapsulation will be Ethernet II. This is typical for a LAN environment.

When learning about Layer 2 concepts, it is helpful to analyze frame header information. In the first part of this lab, you will review the fields contained in an Ethernet II frame. In Part 2, you will use Wireshark to capture and analyze Ethernet II frame header fields for local and remote traffic.

Required Resources
1 PC (Windows 7, Vista, or XP with Internet access and Wireshark installed)

Part 1: Examine the Header Fields in an Ethernet II Frame
In Part 1, you will examine the header fields and content in an Ethernet II frame. A Wireshark capture will be used to examine the contents in those fields.

Step 1: Review the Ethernet II header field descriptions and lengths.

  Field      Preamble   Destination Address   Source Address   Frame Type   Data            FCS
  Length     8 bytes    6 bytes               6 bytes          2 bytes      46-1500 bytes   4 bytes

The 8-byte preamble column includes the 1-byte start frame delimiter. The preamble and the FCS are handled by the NIC hardware and are not passed up to the capture driver, so neither appears in a Wireshark capture. A data field shorter than 46 bytes is padded to 46 bytes by the sender.

Step 2: Examine the network configuration of the PC.
This PC host's IP address is 10.20.164.22 and the default gateway has an IP address of 10.20.164.17.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Step 3: Examine Ethernet frames in a Wireshark capture.
The Wireshark capture below shows the packets generated by a ping being issued from a PC host to its default gateway. A display filter (for example, arp || icmp) has been applied to Wireshark to view the ARP and ICMP protocols only. The session begins with an ARP query for the MAC address of the gateway router, followed by four ping requests and replies (Windows ping sends four echo requests by default).

Step 4: Examine the Ethernet II header contents of an ARP request.
The following table takes the first frame in the Wireshark capture and displays the data in the Ethernet II header fields.

Field: Preamble
Value: Not shown in capture
Description: This field contains synchronizing bits, processed by the NIC hardware.

Field: Destination Address
Value: Broadcast (ff:ff:ff:ff:ff:ff)

Field: Source Address
Value: Dell_24:2a:60 (5c:26:0a:24:2a:60)

Description (both address fields): Layer 2 addresses for the frame. Each address is 48 bits long, or 6 octets, expressed as 12 hexadecimal digits, 0-9 and A-F. A common format is 12:34:56:78:9A:BC. The first six hex digits (the first 3 octets, the OUI) identify the manufacturer of the network interface card (NIC); the last six hex digits are assigned by that manufacturer and identify the individual NIC. The destination address may be a broadcast, which contains all ones, or a unicast. The source address is always unicast.

Field: Frame Type
Value: 0x0806
Description: For Ethernet II frames, this field contains a hexadecimal value that is used to indicate the type of upper-layer protocol in the data field. There are numerous upper-layer protocols supported by Ethernet II. Two common frame types are:
  0x0800  IPv4 Protocol
  0x0806  Address Resolution Protocol (ARP)

Field: Data
Value: ARP
Description: Contains the encapsulated upper-level protocol. The data field is between 46 and 1,500 bytes.

Field: FCS
Value: Not shown in capture
Description: Frame Check Sequence, used by the NIC to identify errors during transmission. The value is computed by the sending machine, encompassing frame addresses, type, and data field. It is verified by the receiver.

What is significant about the contents of the destination address field?
The destination address field contains 12 f's (all 48 bits set to one), which means that it is a broadcast address: every host on the local segment receives and processes the frame.

Why does the PC send out a broadcast ARP prior to sending the first ping request?
Because it does not know the MAC address of the desired host, broadcasting sends the request to every host connected to the network. The host that recognizes its own IP address in the request replies, sending its MAC address to the source. Note that nothing in ARP authenticates that reply; the requester simply trusts the first matching answer it receives.

What is the MAC address of the source in the first frame? 5c:26:0a:24:2a:60 (shown as Dell_24:2a:60 in the table above)
What is the Vendor ID (OUI) of the source's NIC? 5c:26:0a
What portion of the MAC address is the OUI?
The first 3 bytes (24 bits) of the MAC address.
What is the source's NIC serial number? 24:2a:60
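The decoding that Wireshark performs for the Step 1 and Step 4 tables, written out as an added Python example (this is not code from the Cisco lab): it splits a raw Ethernet II frame into the header fields, checks for a broadcast destination, separates the OUI from the vendor-assigned part of the source MAC, decodes the ARP payload, and verifies the FCS (a CRC-32 over addresses, type and data) that the NIC strips before Wireshark ever sees the frame. The frame bytes are constructed here to match the Step 4 table (destination ff:ff:ff:ff:ff:ff, source 5c:26:0a:24:2a:60, type 0x0806) and the Step 2 addresses 10.20.164.22 and 10.20.164.17; the function names are my own.

```python
"""Ethernet II frame parser matching the fields in the Step 1 / Step 4 tables.

Added example, not part of the Cisco lab. SAMPLE_FRAME is constructed below to
match the Step 4 table (dst ff:ff:ff:ff:ff:ff, src 5c:26:0a:24:2a:60, type 0x0806)
with the Step 2 addresses 10.20.164.22 -> 10.20.164.17 inside the ARP packet.
"""
import struct
import zlib

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def oui(mac: str) -> str:
    """First 3 octets: the Organizationally Unique Identifier of the NIC vendor."""
    return mac[:8]

def nic_id(mac: str) -> str:
    """Last 3 octets, assigned by the vendor (the lab calls this the serial number)."""
    return mac[9:]

def is_broadcast(mac: str) -> bool:
    return mac == BROADCAST

def add_fcs(frame_without_fcs: bytes) -> bytes:
    """Append the FCS: CRC-32 over dst, src, type and data, least-significant byte first."""
    return frame_without_fcs + struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)

def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC the way the receiving NIC does and compare with the trailer."""
    return add_fcs(frame[:-4]) == frame

def parse_ethernet(frame: bytes, has_fcs: bool = True) -> dict:
    """Split a frame into the Step 1 header fields.

    Wireshark normally shows neither preamble nor FCS: the NIC consumes the
    preamble and strips the FCS before the capture driver sees the frame.
    has_fcs=True models a frame taken straight off the wire.
    """
    if len(frame) < 14 + (4 if has_fcs else 0):
        raise ValueError("frame too short for an Ethernet II header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    data = frame[14:-4] if has_fcs else frame[14:]
    fields = {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "type": etype,
        "type_name": ETHERTYPES.get(etype, "unknown"),
        "data": data,
        "data_len": len(data),
    }
    if has_fcs:
        fields["fcs_ok"] = fcs_ok(frame)
    return fields

def parse_arp(data: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet (hardware type 1, protocol type 0x0800)."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", data[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", data[8:28])
    return {
        "op": {1: "request", 2: "reply"}.get(op, op),
        "sender_mac": mac_str(sha),
        "sender_ip": ".".join(str(b) for b in spa),
        "target_mac": mac_str(tha),
        "target_ip": ".".join(str(b) for b in tpa),
    }

def build_arp_request_frame(src_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Construct a broadcast ARP request, padded to the 46-byte minimum data field, with FCS."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src_mac, sender_ip, b"\x00" * 6, target_ip)
    arp += b"\x00" * (46 - len(arp))        # a 28-byte ARP packet is padded to 46
    header = struct.pack("!6s6sH", b"\xff" * 6, src_mac, 0x0806)
    return add_fcs(header + arp)


# Constructed sample frame matching the lab's Step 4 table.
SAMPLE_FRAME = build_arp_request_frame(
    bytes.fromhex("5c260a242a60"), bytes([10, 20, 164, 22]), bytes([10, 20, 164, 17]))

if __name__ == "__main__":
    eth = parse_ethernet(SAMPLE_FRAME)
    for key in ("dst", "src", "type_name", "data_len", "fcs_ok"):
        print(f"{key:>9}: {eth[key]}")
    print(f"      oui: {oui(eth['src'])}   nic id: {nic_id(eth['src'])}")
    print(parse_arp(eth["data"]))
```

Flipping a single bit anywhere in the address, type or data fields makes fcs_ok() return False, which is exactly the damage the receiving NIC silently discards; a frame in a capture file has usually already passed that check, so pass has_fcs=False when feeding parse_ethernet() bytes exported from Wireshark.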

Part 2: Use Wireshark to Capture and Analyze Ethernet Frames
In Part 2, you will use Wireshark to capture local and remote Ethernet frames. You will then examine the information that is contained in the frame header fields.

Step 1: Determine the IP address of the default gateway on your PC.
Open a command prompt window and issue the ipconfig command.
What is the IP address of the PC's default gateway? 192.168.15.1

Step 2: Start capturing traffic on your PC's NIC.
a. Open Wireshark.
b. On the Wireshark Network Analyzer toolbar, click the Interface List icon.
c. On the Wireshark: Capture Interfaces window, select the interface to start traffic capturing by clicking the appropriate check box, and then click Start. If you are uncertain of what interface to check, click Details for more information about each interface listed.
d. Observe the traffic that appears in the Packet List window.

Step 3: Filter Wireshark to display only ICMP traffic.
You can use the filter in Wireshark to block visibility of unwanted traffic. The filter does not block the capture of unwanted data; it only filters what to display on the screen, and everything else is still written to the capture file. (If you need to keep unwanted traffic out of the file itself, that is done with a capture filter set before the capture starts, not with a display filter.) For now, only ICMP traffic is to be displayed.
In the Wireshark Filter box, type icmp. The box should turn green if you typed the filter correctly. If the box is green, click Apply to apply the filter.
Step 4: From the command prompt window, ping the default gateway of your PC.
From the command window, ping the default gateway using the IP address that you recorded in Step 1.

Step 5: Stop capturing traffic on the NIC.
Click the Stop Capture icon to stop capturing traffic.

Step 6: Examine the first Echo (ping) request in Wireshark.
The Wireshark main window is divided into three sections: the Packet List pane (top), the Packet Details pane (middle), and the Packet Bytes pane (bottom). If you selected the correct interface for packet capturing in Step 2, Wireshark should display the ICMP information in the Packet List pane of Wireshark, similar to the following example.

a. In the Packet List pane (top section), click the first frame listed. You should see Echo (ping) request under the Info heading. This should highlight the line blue.
b. Examine the first line in the Packet Details pane (middle section). This line displays the length of the frame; 74 bytes in this example (14 bytes of Ethernet II header, 20 bytes of IPv4 header, 8 bytes of ICMP header and the 32-byte payload that Windows ping sends by default).
c. The second line in the Packet Details pane shows that it is an Ethernet II frame. The source and destination MAC addresses are also displayed.
What is the MAC address of the PC's NIC? 68:94:23:cd:a6:2d
What is the default gateway's MAC address? 00:1f:fb:80:6b:fc
d. You can click the plus (+) sign at the beginning of the second line to obtain more information about the Ethernet II frame. Notice that the plus sign changes to a minus (-) sign.

What type of frame is displayed? IP (0x0800)
e. The last two lines displayed in the middle section provide information about the data field of the frame. Notice that the data contains the source and destination IPv4 address information.
What is the source IP address? 192.168.15.3
What is the destination IP address? 192.168.15.1
f. You can click any line in the middle section to highlight that part of the frame (hex and ASCII) in the Packet Bytes pane (bottom section). Click the Internet Control Message Protocol line in the middle section and examine what is highlighted in the Packet Bytes pane.
What do the last two highlighted octets spell? hi
g. Click the next frame in the top section and examine an Echo reply frame. Notice that the source and destination MAC addresses have reversed, because this frame was sent from the default gateway router as a reply to the first ping.
What device and MAC address is displayed as the destination address? HonHaiPr_cd:a6:2d (68:94:23:cd:a6:2d)

Step 7: Restart packet capture in Wireshark.
Click the Start Capture icon to start a new Wireshark capture. You will receive a popup window asking if you would like to save the previously captured packets to a file before starting a new capture. Click Continue without Saving.

Step 8: In the command prompt window, ping www.cisco.com.

Step 9: Stop capturing packets.

Step 10: Examine the new data in the packet list pane of Wireshark.
In the first echo (ping) request frame, what are the source and destination MAC addresses?
Source: 68:94:23:cd:a6:2d
Destination: 00:1f:fb:80:6b:fc
What are the source and destination IP addresses contained in the data field of the frame?
Source: 192.168.15.3
Destination: 23.36.102.149
Compare these addresses to the addresses you recorded in Step 6. The only address that changed is the destination IP address. Why has the destination IP address changed, while the destination MAC address remained the same?
The destination IP address changed because the request is addressed to www.cisco.com, which resolved to 23.36.102.149 in this capture. The destination MAC address remains unchanged because 23.36.102.149 is not on the local network, so the PC hands the frame to its default gateway: the Layer 2 addresses only ever identify the next hop on the local segment and are rewritten by each router along the path, while the Layer 3 addresses identify the end hosts and stay the same end to end.
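To make the Step 10 answer and the 74-byte echo request of Step 6 concrete, here is an added Python example (not code from the Cisco lab) that models the decision the PC makes before it builds each frame: choose the next hop (the destination itself if it is on the local network, otherwise the default gateway), look that next hop up in the ARP cache, and only then encapsulate the ICMP echo request in IPv4 and Ethernet II. The addresses are the ones recorded in Part 2; the /24 mask, the pre-populated ARP cache entry for the gateway and the 32-byte payload that Windows ping sends by default (the reason the last two highlighted octets spell "hi") are assumptions the lab does not state.

```python
"""Next-hop selection and ICMP echo encapsulation for the Part 2 captures.

Added example, not part of the Cisco lab. Addresses are the ones recorded in
Part 2; the /24 mask, the pre-populated ARP cache entry and the default
Windows ping payload are assumptions the lab does not state.
"""
import ipaddress
import struct

PC_IP = "192.168.15.3"
PC_MAC = "68:94:23:cd:a6:2d"
LOCAL_NET = ipaddress.ip_network("192.168.15.0/24")   # assumed mask
GATEWAY_IP = "192.168.15.1"
# ARP cache after the exchange seen in Part 1: only the gateway is known.
ARP_CACHE = {GATEWAY_IP: "00:1f:fb:80:6b:fc"}
# Default 32-byte payload of the Windows ping command; its last two octets are "hi".
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def next_hop(dst_ip: str) -> str:
    """A host sends directly to on-link destinations and everything else to the gateway."""
    return dst_ip if ipaddress.ip_address(dst_ip) in LOCAL_NET else GATEWAY_IP

def resolve_dst_mac(dst_ip: str) -> str:
    """The Layer 2 destination is the MAC of the next hop, not of the final destination.

    A cache miss is the point at which the broadcast ARP request of Part 1 goes out.
    """
    hop = next_hop(dst_ip)
    if hop not in ARP_CACHE:
        raise LookupError(f"no ARP entry for next hop {hop}: an ARP request would be broadcast")
    return ARP_CACHE[hop]

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 headers and ICMP messages."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_echo_request(dst_ip: str, ident: int = 1, seq: int = 1, ttl: int = 128) -> bytes:
    """Encapsulate ICMP echo request -> IPv4 -> Ethernet II, as Step 6 walks through it."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + WINDOWS_PING_PAYLOAD
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, ttl, 1, 0,
                     ipaddress.ip_address(PC_IP).packed, ipaddress.ip_address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = mac_bytes(resolve_dst_mac(dst_ip)) + mac_bytes(PC_MAC) + struct.pack("!H", 0x0800)
    return eth + ip + icmp

def frame_summary(frame: bytes) -> dict:
    """Read back the fields the lab asks for in Step 6 and Step 10."""
    return {
        "length": len(frame),
        "dst_mac": ":".join(f"{b:02x}" for b in frame[0:6]),
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "src_ip": str(ipaddress.ip_address(frame[26:30])),
        "dst_ip": str(ipaddress.ip_address(frame[30:34])),
        "last_two_octets": frame[-2:].decode("ascii"),
    }


if __name__ == "__main__":
    for target in (GATEWAY_IP, "23.36.102.149"):      # Step 6 ping, then Step 10 ping
        print(f"ping {target:>15} -> next hop {next_hop(target):>13}:",
              frame_summary(build_echo_request(target)))
```

Running it prints two 74-byte frames whose destination MAC is the gateway's in both cases while only the destination IP differs, which is the comparison Step 10 asks for. Pinging another local host that is not yet in ARP_CACHE raises LookupError instead of guessing a MAC; that miss is precisely when a real stack sends the broadcast ARP request examined in Part 1.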

Reflection
Wireshark does not display the preamble field of a frame header. What does the preamble contain?
The preamble contains 7 bytes (56 bits) of alternating 1s and 0s (the pattern 10101010 repeated), followed by the 1-byte start frame delimiter 10101011; together they make up the 8-byte preamble field in the Step 1 table. It alerts the receiver to an incoming frame and enables it to synchronize its input timing. Wireshark never sees it because the NIC consumes the preamble (and normally strips the FCS as well) before handing the frame to the capture driver.
