Lab - Using Wireshark to View Network Traffic

Topology

Objectives
Part 1: (Optional) Download and Install Wireshark
Part 2: Capture and Analyze Local ICMP Data in Wireshark
Start and stop data capture of ping traffic to local hosts.
Locate the IP and MAC address information in captured PDUs.
Part 3: Capture and Analyze Remote ICMP Data in Wireshark
Start and stop data capture of ping traffic to remote hosts.
Locate the IP and MAC address information in captured PDUs.
Explain why MAC addresses for remote hosts are different than the MAC addresses of local hosts.

Background / Scenario
Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications.
Wireshark is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. This lab provides instructions for downloading and installing Wireshark, although it may already be installed. In this lab, you will use Wireshark to capture ICMP data packet IP addresses and Ethernet frame MAC addresses.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 1 of 20


Required Resources
1 PC (Windows 7, Vista, or XP with Internet access)
Additional PC(s) on a local-area network (LAN) will be used to reply to ping requests.

Part 1: (Optional) Download and Install Wireshark
Wireshark has become the industry standard packet-sniffer program used by network engineers. This open source software is available for many different operating systems, including Windows, Mac, and Linux. In Part 1 of this lab, you will download and install the Wireshark software program on your PC.
Note: If Wireshark is already installed on your PC, you can skip Part 1 and go directly to Part 2. If Wireshark is not installed on your PC, check with your instructor about your academy's software download policy.

Step 1: Download Wireshark.
a. Wireshark can be downloaded from www.wireshark.org.
b. Click Download Wireshark.
c. Choose the software version you need based on your PC's architecture and operating system. For instance, if you have a 64-bit PC running Windows, choose Windows Installer (64-bit).

After making a selection, the download should start. The location of the downloaded file depends on the browser and operating system that you use. For Windows users, the default location is the Downloads folder.

Step 2: Install Wireshark.
a. The downloaded file is named Wireshark-win64-x.x.x.exe, where x represents the version number. Double-click the file to start the installation process.
b. Respond to any security messages that may display on your screen. If you already have a copy of Wireshark on your PC, you will be prompted to uninstall the old version before installing the new version. It is recommended that you remove the old version of Wireshark prior to installing another version. Click Yes to uninstall the previous version of Wireshark.
c. If this is the first time to install Wireshark, or after you have completed the uninstall process, you will navigate to the Wireshark Setup wizard. Click Next.

d. Continue advancing through the installation process. Click I Agree when the License Agreement window displays.
e. Keep the default settings on the Choose Components window and click Next.

f. Choose your desired shortcut options and click Next.
g. You can change the installation location of Wireshark, but unless you have limited disk space, it is recommended that you keep the default location.

h. To capture live network data, WinPcap must be installed on your PC. If WinPcap is already installed on your PC, the Install check box will be unchecked. If your installed version of WinPcap is older than the version that comes with Wireshark, it is recommended that you allow the newer version to be installed by clicking the Install WinPcap x.x.x (version number) check box.
i. Finish the WinPcap Setup Wizard if installing WinPcap.
j. Wireshark starts installing its files and a separate window displays with the status of the installation. Click Next when the installation is complete.

k. Click Finish to complete the Wireshark install process.

Part 2: Capture and Analyze Local ICMP Data in Wireshark
In Part 2 of this lab, you will ping another PC on the LAN and capture ICMP requests and replies in Wireshark. You will also look inside the frames captured for specific information. This analysis should help to clarify how packet headers are used to transport data to their destination.

Step 1: Retrieve your PC's interface addresses.
For this lab, you will need to retrieve your PC's IP address and its network interface card (NIC) physical address, also called the MAC address.

a. Open a command window, type ipconfig /all, and then press Enter.
b. Note your PC interface's IP address and MAC (physical) address.
c. Ask a team member for their PC's IP address and provide your PC's IP address to them. Do not provide them with your MAC address at this time.

Step 2: Start Wireshark and begin capturing data.
a. On your PC, click the Windows Start button to see Wireshark listed as one of the programs on the pop-up menu. Double-click Wireshark.
b. After Wireshark starts, click Interface List.
Note: Clicking the first interface icon in the row of icons also opens the Interface List.

c. On the Wireshark: Capture Interfaces window, click the check box next to the interface connected to your LAN.
Note: If multiple interfaces are listed and you are unsure which interface to check, click the Details button, and then click the 802.3 (Ethernet) tab. Verify that the MAC address matches what you noted in Step 1b. Close the Interface Details window after verifying the correct interface.
d. After you have checked the correct interface, click Start to start the data capture.

Information will start scrolling down the top section in Wireshark. The data lines will appear in different colors based on protocol.
e. This information can scroll by very quickly depending on what communication is taking place between your PC and the LAN. We can apply a filter to make it easier to view and work with the data that is being captured by Wireshark. For this lab, we are only interested in displaying ICMP (ping) PDUs. Type icmp in the Filter box at the top of Wireshark and press Enter or click on the Apply button to view only ICMP (ping) PDUs.

f. This filter causes all data in the top window to disappear, but you are still capturing the traffic on the interface. Bring up the command prompt window that you opened earlier and ping the IP address that you received from your team member. Notice that you start seeing data appear in the top window of Wireshark again.
Note: If your team member's PC does not reply to your pings, this may be because their PC firewall is blocking these requests. Please see Appendix A: Allowing ICMP Traffic Through a Firewall for information on how to allow ICMP traffic through the firewall using Windows 7.
g. Stop capturing data by clicking the Stop Capture icon.

Step 3: Examine the captured data.
In Step 3, examine the data that was generated by the ping requests of your team member's PC. Wireshark data is displayed in three sections: 1) The top section displays the list of PDU frames captured with a summary of the IP packet information listed, 2) the middle section lists PDU information for the frame selected in the top part of the screen and separates a captured PDU frame by its protocol layers, and 3) the bottom section displays the raw data of each layer. The raw data is displayed in both hexadecimal and decimal form.
a. Click the first ICMP request PDU frame in the top section of Wireshark. Notice that the Source column has your PC's IP address, and the Destination column contains the IP address of the teammate's PC you pinged.

b. With this PDU frame still selected in the top section, navigate to the middle section. Click the plus sign to the left of the Ethernet II row to view the Destination and Source MAC addresses.
Does the Source MAC address match your PC's interface?
Yes, it does match with my PC interface.
Does the Destination MAC address in Wireshark match your team member's MAC address?
Yes.
How is the MAC address of the pinged PC obtained by your PC?
It is obtained by an ARP request sent from my PC.
Note: In the preceding example of a captured ICMP request, ICMP data is encapsulated inside an IPv4 packet PDU (IPv4 header) which is then encapsulated in an Ethernet II frame PDU (Ethernet II header) for transmission on the LAN.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark
In Part 3, you will ping remote hosts (hosts not on the LAN) and examine the generated data from those pings. You will then determine what is different about this data from the data examined in Part 2.

Step 1: Start capturing data on interface.
a. Click the Interface List icon to bring up the list of PC interfaces again.

b. Make sure the check box next to the LAN interface is checked, and then click Start.
c. A window prompts to save the previously captured data before starting another capture. It is not necessary to save this data. Click Continue without Saving.

d. With the capture active, ping the following three website URLs:
1) www.yahoo.com
2) www.cisco.com
3) www.google.com
Note: When you ping the URLs listed, notice that the Domain Name Server (DNS) translates the URL to an IP address. Note the IP address received for each URL.
e. You can stop capturing data by clicking the Stop Capture icon.

Step 2: Examining and analyzing the data from the remote hosts.
a. Review the captured data in Wireshark and examine the IP and MAC addresses of the three locations that you pinged. List the destination IP and MAC addresses for all three locations in the space provided.
1st Location: IP: 106.10.139.246  MAC: 00:0f:90:f1:fb:c9
2nd Location: IP: 202.43.48.170  MAC: 00:0f:90:f1:fb:c9
3rd Location: IP: 173.194.127.211  MAC: 00:0f:90:f1:fb:c9

b. What is significant about this information?
All locations have the same MAC address, my router's MAC address.
c. How does this information differ from the local ping information you received in Part 2?
The information differs because the locations pinged are in different networks.

Reflection
Why does Wireshark show the actual MAC address of the local hosts, but not the actual MAC address for the remote hosts?
Because the remote hosts are in different locations and we get the MAC address of our gateway (router).
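To make the encapsulation described in the Part 2 note and the gateway behaviour behind the Reflection answer concrete, here is an added Python example (not part of the Cisco lab) that decodes a constructed Ethernet II / IPv4 / ICMP echo-request frame into the same three layers Wireshark's middle pane shows, and then checks whether the destination MAC is the on-link neighbour's or the default gateway's, which is exactly what separates the Part 2 and Part 3 captures. The PC address 192.168.1.10/24 and the two 08:00:27 MACs are assumed values; the gateway MAC and the remote IP are the ones recorded in Part 3.

```python
import ipaddress
import struct

# Assumed values (not from the lab's capture): the PC's address/mask as ipconfig /all would
# report it, and the router MAC the lab recorded for all three remote locations in Part 3.
LOCAL_IF = ipaddress.ip_interface("192.168.1.10/24")
GATEWAY_MAC = "00:0f:90:f1:fb:c9"

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_echo_request(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed test frame: Ethernet II / IPv4 / ICMP echo request (checksums left zero)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefghijklmnopqrstuvwabcdefghi"
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 128, 1, 0,
                       ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ipv4 + icmp

def decode_frame(frame):
    """Split a frame into the three PDU layers Wireshark's middle pane shows."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])   # Ethernet II header
    if ethertype != 0x0800:
        raise ValueError(f"not an IPv4 frame (EtherType 0x{ethertype:04x})")
    ihl = (frame[14] & 0x0F) * 4                                         # IPv4 header length
    proto, src_ip, dst_ip = struct.unpack("!B2x4s4s", frame[23:34])      # protocol, src, dst
    if proto != 1:
        raise ValueError(f"IPv4 protocol {proto} is not ICMP")
    return {"dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac),
            "src_ip": str(ipaddress.ip_address(src_ip)),
            "dst_ip": str(ipaddress.ip_address(dst_ip)),
            "icmp_type": frame[14 + ihl], "icmp_code": frame[15 + ihl]}  # ICMP header starts after IPv4

def analyze(frame, local_if=LOCAL_IF, gateway_mac=GATEWAY_MAC):
    """Decode the frame and check that its destination MAC matches what ARP should have chosen:
    the neighbour itself for an on-link destination IP, the default gateway for anything else."""
    layers = decode_frame(frame)
    layers["off_link"] = ipaddress.ip_address(layers["dst_ip"]) not in local_if.network
    layers["sent_to_gateway"] = layers["dst_mac"] == gateway_mac
    layers["consistent"] = layers["off_link"] == layers["sent_to_gateway"]
    return layers

# Constructed frames: a ping to a teammate on the LAN and a ping to one of the Part 3 addresses.
LOCAL_PING = build_echo_request("08:00:27:aa:bb:cc", "08:00:27:11:22:33", "192.168.1.10", "192.168.1.20")
REMOTE_PING = build_echo_request(GATEWAY_MAC, "08:00:27:11:22:33", "192.168.1.10", "173.194.127.211")

if __name__ == "__main__":
    for name, frame in (("local", LOCAL_PING), ("remote", REMOTE_PING)):
        print(name, analyze(frame))
```

A frame whose "consistent" flag is False (an off-link destination not addressed to the gateway, or vice versa) is worth a second look in a real capture, since it means the sender's routing or ARP state does not match the subnet it believes it is on.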

Appendix A: Allowing ICMP Traffic Through a Firewall
If the members of your team are unable to ping your PC, the firewall may be blocking those requests. This appendix describes how to create a rule in the firewall to allow ping requests. It also describes how to disable the new ICMP rule after you have completed the lab.

Step 1: Create a new inbound rule allowing ICMP traffic through the firewall.
a. From the Control Panel, click the System and Security option.
b. From the System and Security window, click Windows Firewall.

c. In the left pane of the Windows Firewall window, click Advanced settings.
d. On the Advanced Security window, choose the Inbound Rules option on the left sidebar and then click New Rule on the right sidebar.

e. This launches the New Inbound Rule wizard. On the Rule Type screen, click the Custom radio button and click Next.
f. In the left pane, click the Protocol and Ports option and, using the Protocol type drop-down menu, select ICMPv4, and then click Next.

g. In the left pane, click the Name option and in the Name field, type Allow ICMP Requests. Click Finish.
This new rule should allow your team members to receive ping replies from your PC.

Step 2: Disabling or deleting the new ICMP rule.
After the lab is complete, you may want to disable or even delete the new rule you created in Step 1. Using the Disable Rule option allows you to enable the rule again at a later date. Deleting the rule permanently deletes it from the list of Inbound Rules.
a. On the Advanced Security window, in the left pane, click Inbound Rules and then locate the rule you created in Step 1.

b. To disable the rule, click the Disable Rule option. When you choose this option, you will see this option change to Enable Rule. You can toggle back and forth between Disable Rule and Enable Rule; the status of the rule also shows in the Enabled column of the Inbound Rules list.
c. To permanently delete the ICMP rule, click Delete. If you choose this option, you must re-create the rule again to allow ICMP replies.
