lab2 - using wireshark to examine ethernet frames


Upload: cedric-de-lara-conol

Post on 04-Oct-2015


DESCRIPTION

Cisco Networking Academy: Using Wireshark to Examine Ethernet Frames

TRANSCRIPT

  • Lab – Using Wireshark to Examine Ethernet Frames

    Topology

    Objectives

    Part 1: Examine the Header Fields in an Ethernet II Frame

    Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

    Background / Scenario

    When upper layer protocols communicate with each other, data flows down the Open Systems Interconnection (OSI) layers and is encapsulated into a Layer 2 frame. The frame composition is dependent on the media access type. For example, if the upper layer protocols are TCP and IP and the media access is Ethernet, then the Layer 2 frame encapsulation will be Ethernet II. This is typical for a LAN environment.

    When learning about Layer 2 concepts, it is helpful to analyze frame header information. In the first part of this lab, you will review the fields contained in an Ethernet II frame. In Part 2, you will use Wireshark to capture and analyze Ethernet II frame header fields for local and remote traffic.

    Required Resources

    1 PC (Windows 7, Vista, or XP with Internet access with Wireshark installed)

    Part 1: Examine the Header Fields in an Ethernet II Frame

    In Part 1, you will examine the header fields and content in an Ethernet II Frame. A Wireshark capture will be used to examine the contents in those fields.

    Step 1: Review the Ethernet II header field descriptions and lengths.

    Preamble: 8 Bytes
    Destination Address: 6 Bytes
    Source Address: 6 Bytes
    Frame Type: 2 Bytes
    Data: 46 – 1500 Bytes
    FCS: 4 Bytes

    Step 2: Examine the network configuration of the PC.

    This PC host IP address is 10.20.164.22 and the default gateway has an IP address of 10.20.164.17.

    © 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 7

  • Lab – Using Wireshark to Examine Ethernet Frames

    Step 3: Examine Ethernet frames in a Wireshark capture.

    The Wireshark capture below shows the packets generated by a ping being issued from a PC host to its default gateway. A filter has been applied to Wireshark to view the ARP and ICMP protocols only. The session begins with an ARP query for the MAC address of the gateway router, followed by four ping requests and replies.

    Step 4: Examine the Ethernet II header contents of an ARP request.

    The following table takes the first frame in the Wireshark capture and displays the data in the Ethernet II header fields.

  • Lab Using Wireshark to Examine Ethernet Frames


    Field: Preamble
    Value: Not shown in capture
    Description: This field contains synchronizing bits, processed by the NIC hardware.

    Field: Destination Address
    Value: Broadcast (ff:ff:ff:ff:ff:ff)

    Field: Source Address
    Value: Dell_24:2a:60 (5c:26:0a:24:2a:60)

    Description (both address fields): Layer 2 addresses for the frame. Each address is 48 bits long, or 6 octets, expressed as 12 hexadecimal digits, 0-9, A-F. A common format is 12:34:56:78:9A:BC. The first six hex numbers indicate the manufacturer of the network interface card (NIC); the last six hex numbers are the serial number of the NIC. The destination address may be a broadcast, which contains all ones, or a unicast. The source address is always unicast.

    Field: Frame Type
    Value: 0x0806
    Description: For Ethernet II frames, this field contains a hexadecimal value that is used to indicate the type of upper-layer protocol in the data field. There are numerous upper-layer protocols supported by Ethernet II. Two common frame types are:
        0x0800: IPv4 Protocol
        0x0806: Address Resolution Protocol (ARP)

    Field: Data
    Value: ARP
    Description: Contains the encapsulated upper-level protocol. The data field is between 46 and 1,500 bytes.

    Field: FCS
    Value: Not shown in capture
    Description: Frame Check Sequence, used by the NIC to identify errors during transmission. The value is computed by the sending machine, encompassing frame addresses, type, and data field. It is verified by the receiver.

    What is significant about the contents of the destination address field?

    Why does the PC send out a broadcast ARP prior to sending the first ping request?

    What is the MAC address of the source in the first frame?

    What is the Vendor ID (OUI) of the Source's NIC?

    What portion of the MAC address is the OUI?

    What is the Source's NIC serial number?
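    As an added example (not part of the Cisco lab), the following Python script parses an Ethernet II frame into the fields listed in the table above, flags a broadcast destination, splits the source MAC into its OUI and NIC serial number, and verifies the FCS that Wireshark does not show. The sample frame is constructed here (it reuses the lab's Dell source MAC), and the FCS is assumed to be the little-endian CRC-32 seen in capture files that retain it.

```python
# Added example, not from the Cisco lab: parse an Ethernet II frame the way
# Wireshark's "Ethernet II" tree does, and check the FCS Wireshark hides.
import struct
import zlib

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}  # the two types the lab lists

def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_ethernet_ii(frame: bytes) -> dict:
    """Split a frame (preamble/SFD already stripped) into header, data and FCS."""
    if len(frame) < 14 + 4:
        raise ValueError("frame shorter than a header plus FCS")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    data, fcs = frame[14:-4], frame[-4:]
    # FCS covers dst, src, type and data; assumed little-endian CRC-32 layout
    expected = struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF)
    return {
        "dst": fmt_mac(dst),
        "src": fmt_mac(src),
        "dst_is_broadcast": dst == b"\xff" * 6,   # all ones = broadcast
        "src_oui": fmt_mac(src[:3]),              # first 3 bytes: vendor (OUI)
        "src_serial": fmt_mac(src[3:]),           # last 3 bytes: NIC serial
        "type": ETHERTYPES.get(ethertype, f"unknown (0x{ethertype:04x})"),
        "data_len": len(data),
        "fcs_ok": fcs == expected,
    }

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a frame padded to the 46-byte data minimum, with a correct FCS."""
    data = payload.ljust(46, b"\x00")
    body = dst + src + struct.pack("!H", ethertype) + data
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

# Constructed sample: a broadcast ARP request from the lab's Dell source MAC
SAMPLE = build_frame(b"\xff" * 6, bytes.fromhex("5c260a242a60"),
                     0x0806, b"\x00\x01\x08\x00")

if __name__ == "__main__":
    for field, value in parse_ethernet_ii(SAMPLE).items():
        print(f"{field}: {value}")
```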

    Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

    In Part 2, you will use Wireshark to capture local and remote Ethernet frames. You will then examine the information that is contained in the frame header fields.

  • Lab – Using Wireshark to Examine Ethernet Frames

    Step 1: Determine the IP address of the default gateway on your PC.

    Open a command prompt window and issue the ipconfig command.

    What is the IP Address of the PC Default Gateway?

    Step 2: Start capturing traffic on your PC's NIC.

    a. Open Wireshark.

    b. On the Wireshark Network Analyzer toolbar, click the Interface List icon.

    c. On the Wireshark: Capture Interfaces window, select the interface to start traffic capturing by clicking the appropriate check box, and then click Start. If you are uncertain of what interface to check, click Details for more information about each interface listed.

    d. Observe the traffic that appears in the Packet List window.

    Step 3: Filter Wireshark to display only ICMP traffic.

    You can use the filter in Wireshark to block visibility of unwanted traffic. The filter does not block the capture of unwanted data; it only filters what to display on the screen. For now, only ICMP traffic is to be displayed.

    In the Wireshark Filter box, type icmp. The box should turn green if you typed the filter correctly. If the box is green, click Apply to apply the filter.

  • Lab – Using Wireshark to Examine Ethernet Frames

    Step 4: From the command prompt window, ping the default gateway of your PC.

    From the command window, ping the default gateway using the IP address that you recorded in Step 1.

    Step 5: Stop capturing traffic on the NIC.

    Click the Stop Capture icon to stop capturing traffic.

    Step 6: Examine the first Echo (ping) request in Wireshark.

    The Wireshark main window is divided into three sections: the Packet List pane (top), the Packet Details pane (middle), and the Packet Bytes pane (bottom). If you selected the correct interface for packet capturing in Step 3, Wireshark should display the ICMP information in the Packet List pane of Wireshark, similar to the following example.

    a. In the Packet List pane (top section), click the first frame listed. You should see Echo (ping) request under the Info heading. This should highlight the line blue.

    b. Examine the first line in the Packet Details pane (middle section). This line displays the length of the frame; 74 bytes in this example.

    c. The second line in the Packet Details pane shows that it is an Ethernet II frame. The source and destination MAC addresses are also displayed.

    What is the MAC address of the PC's NIC?

    What is the default gateway's MAC address?

    d. You can click the plus (+) sign at the beginning of the second line to obtain more information about the Ethernet II frame. Notice that the plus sign changes to a minus (-) sign.

  • Lab – Using Wireshark to Examine Ethernet Frames

    What type of frame is displayed?

    e. The last two lines displayed in the middle section provide information about the data field of the frame. Notice that the data contains the source and destination IPv4 address information.

    What is the source IP address?

    What is the destination IP address?

    f. You can click any line in the middle section to highlight that part of the frame (hex and ASCII) in the Packet Bytes pane (bottom section). Click the Internet Control Message Protocol line in the middle section and examine what is highlighted in the Packet Bytes pane.

    What do the last two highlighted octets spell?

    g. Click the next frame in the top section and examine an Echo reply frame. Notice that the source and destination MAC addresses have reversed, because this frame was sent from the default gateway router as a reply to the first ping.

    What device and MAC address is displayed as the destination address?

    Step 7: Restart packet capture in Wireshark.

    Click the Start Capture icon to start a new Wireshark capture. You will receive a popup window asking if you would like to save the previous captured packets to a file before starting a new capture. Click Continue without Saving.

  • Lab – Using Wireshark to Examine Ethernet Frames

    Step 8: In the command prompt window, ping www.cisco.com.

    Step 9: Stop capturing packets.

    Step 10: Examine the new data in the packet list pane of Wireshark.

    In the first echo (ping) request frame, what are the source and destination MAC addresses?

    Source:

    Destination:

    What are the source and destination IP addresses contained in the data field of the frame?

    Source:

    Destination:

    Compare these addresses to the addresses you received in Step 7. The only address that changed is the destination IP address. Why has the destination IP address changed, while the destination MAC address remained the same?

    Reflection

    Wireshark does not display the preamble field of a frame header. What does the preamble contain?

    1: The destination address field contains 12 f's, which means that it is a broadcast address.
    2: Because it does not know the MAC address of the desired host, broadcasting will send requests to every host connected to the network. The host that recognizes its IP address from the request replies back, sending its MAC address to the source.
    3: 84:34:97:7c:b5:5d
    4: 84:34:97
    5: the first 3 bytes of the MAC address
    6: 7c:b5:5d
    7: 192.168.15.1
    8: 68:94:23:cd:a6:2d
    9: 00:1f:fb:80:6b:fc
    10: IP (0x0800)
    11: 192.168.15.3
    12: 192.168.15.1
    13: hi
    14: HonHaiPr_cd:a6:2d (68:94:23:cd:a6:2d)
    15: 68:94:23:cd:a6:2d
    16: 00:1f:fb:80:6b:fc
    17: 192.168.15.3
    18: 23.36.102.149
    19: The destination IP address changed because we addressed the request to www.cisco.com; the destination MAC address remained unchanged because the request passes through the PC's default gateway.
    20: The preamble contains 56 bits of alternating 1's and 0's. It alerts the receiver of an incoming frame and enables it to synchronize its input timing.