Lab – Using Wireshark to Examine Ethernet Frames

Topology

Objectives

Part 1: Examine the Header Fields in an Ethernet II Frame

Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

Background / Scenario

When upper layer protocols communicate with each other, data flows down the Open Systems Interconnection (OSI) layers and is encapsulated into a Layer 2 frame. The frame composition is dependent on the media access type. For example, if the upper layer protocols are TCP and IP and the media access is Ethernet, then the Layer 2 frame encapsulation will be Ethernet II. This is typical for a LAN environment.

When learning about Layer 2 concepts, it is helpful to analyze frame header information. In the first part of this lab, you will review the fields contained in an Ethernet II frame. In Part 2, you will use Wireshark to capture and analyze Ethernet II frame header fields for local and remote traffic.

Required Resources

1 PC (Windows 7, Vista, or XP with Internet access with Wireshark installed)

Part 1: Examine the Header Fields in an Ethernet II Frame

In Part 1, you will examine the header fields and content in an Ethernet II Frame. A Wireshark capture will be used to examine the contents in those fields.

Step 1: Review the Ethernet II header field descriptions and lengths.

Preamble: 8 Bytes
Destination Address: 6 Bytes
Source Address: 6 Bytes
Frame Type: 2 Bytes
Data: 46 – 1500 Bytes
FCS: 4 Bytes

Step 2: Examine the network configuration of the PC.

This PC host IP address is 10.20.164.22 and the default gateway has an IP address of 10.20.164.17.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 7


Step 3: Examine Ethernet frames in a Wireshark capture.

The Wireshark capture below shows the packets generated by a ping being issued from a PC host to its default gateway. A filter has been applied to Wireshark to view the ARP and ICMP protocols only. The session begins with an ARP query for the MAC address of the gateway router, followed by four ping requests and replies.

Step 4: Examine the Ethernet II header contents of an ARP request.

The following table takes the first frame in the Wireshark capture and displays the data in the Ethernet II header fields.


© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 7

Field: Preamble
Value: Not shown in capture
Description: This field contains synchronizing bits, processed by the NIC hardware.

Field: Destination Address
Value: Broadcast (ff:ff:ff:ff:ff:ff)

Field: Source Address
Value: Dell_24:2a:60 (5c:26:0a:24:2a:60)

Description (both address fields): Layer 2 addresses for the frame. Each address is 48 bits long, or 6 octets, expressed as 12 hexadecimal digits, 0-9, A-F. A common format is 12:34:56:78:9A:BC. The first six hex numbers indicate the manufacturer of the network interface card (NIC); the last six hex numbers are the serial number of the NIC. The destination address may be a broadcast, which contains all ones, or a unicast. The source address is always unicast.

Field: Frame Type
Value: 0x0806
Description: For Ethernet II frames, this field contains a hexadecimal value that is used to indicate the type of upper-layer protocol in the data field. There are numerous upper-layer protocols supported by Ethernet II. Two common frame types are:
  0x0800 – IPv4 Protocol
  0x0806 – Address Resolution Protocol (ARP)

Field: Data
Value: ARP
Description: Contains the encapsulated upper-level protocol. The data field is between 46 – 1,500 bytes.

Field: FCS
Value: Not shown in capture
Description: Frame Check Sequence, used by the NIC to identify errors during transmission. The value is computed by the sending machine, encompassing frame addresses, type, and data field. It is verified by the receiver.
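The field layout in the table above, carried through in code as an added example (not part of the lab): a frame is assembled the way a NIC would send it (data padded to the 46-byte minimum, CRC-32 FCS appended), then split back into the fields the table lists, with the OUI/serial halves of the source MAC and an FCS check. The broadcast destination, the Dell source MAC and the two IP addresses are the lab's own values; the 28-byte ARP body is constructed for the sample.

```python
import struct
import zlib

# Layout from the lab's table: dst(6) src(6) type(2) data(46-1500) FCS(4); preamble not captured.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}
MIN_DATA, MAX_DATA = 46, 1500

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame as a NIC would: pad short data to 46 bytes, append the FCS."""
    if len(payload) > MAX_DATA:
        raise ValueError("payload exceeds the 1500-byte data maximum")
    data = payload.ljust(MIN_DATA, b"\x00")          # padding keeps the frame >= 64 bytes
    body = (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + data)
    # FCS = CRC-32 over addresses, type and data; transmitted least-significant byte first
    return body + struct.pack("<I", zlib.crc32(body))

def parse_frame(frame: bytes) -> dict:
    """Split a frame (with FCS) into the fields the lab table describes and verify the FCS."""
    if len(frame) < 14 + MIN_DATA + 4:
        raise ValueError("runt frame: shorter than the 64-byte Ethernet minimum")
    body, fcs = frame[:-4], frame[-4:]
    dst, src = body[0:6], body[6:12]
    (ethertype,) = struct.unpack("!H", body[12:14])
    return {
        "dst": mac_str(dst),
        "dst_is_broadcast": dst == b"\xff" * 6,     # all ones
        "src": mac_str(src),
        "src_is_unicast": not (src[0] & 0x01),      # I/G bit clear: individual address
        "src_oui": mac_str(src[:3]),                # first 3 octets: manufacturer (OUI)
        "src_serial": mac_str(src[3:]),             # last 3 octets: NIC serial number
        "type": ethertype,
        "type_name": ETHERTYPES.get(ethertype, "unknown"),
        "data_len": len(body) - 14,
        "fcs_ok": struct.unpack("<I", fcs)[0] == zlib.crc32(body),
    }

def arp_request_payload(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Minimal 28-byte ARP who-has body (constructed for this example)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes.fromhex(sender_mac.replace(":", ""))
            + ip(sender_ip) + b"\x00" * 6 + ip(target_ip))

# Constructed sample: the lab's first frame, a broadcast ARP from the Dell NIC for the gateway.
SAMPLE = build_frame("ff:ff:ff:ff:ff:ff", "5c:26:0a:24:2a:60", 0x0806,
                     arp_request_payload("5c:26:0a:24:2a:60", "10.20.164.22", "10.20.164.17"))
```

Running `parse_frame(SAMPLE)` shows the 28-byte ARP padded out to a 46-byte data field, which is why Wireshark reports short frames as 60 bytes on the wire (the FCS it does not show adds the last 4).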

What is significant about the contents of the destination address field?

Why does the PC send out a broadcast ARP prior to sending the first ping request?

What is the MAC address of the source in the first frame?

What is the Vendor ID (OUI) of the Source’s NIC?

What portion of the MAC address is the OUI?

What is the Source’s NIC serial number?

Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

In Part 2, you will use Wireshark to capture local and remote Ethernet frames. You will then examine the information that is contained in the frame header fields.

Step 1: Determine the IP address of the default gateway on your PC.

Open a command prompt window and issue the ipconfig command.

What is the IP Address of the PC Default Gateway?

Step 2: Start capturing traffic on your PC’s NIC.

a. Open Wireshark.

b. On the Wireshark Network Analyzer toolbar, click the Interface List icon.

c. On the Wireshark: Capture Interfaces window, select the interface to start traffic capturing by clicking the appropriate checkbox, and then click Start. If you are uncertain of what interface to check, click Details for more information about each interface listed.

d. Observe the traffic that appears in the Packet List window.

Step 3: Filter Wireshark to display only ICMP traffic.

You can use the filter in Wireshark to block visibility of unwanted traffic. The filter does not block the capture of unwanted data; it only filters what to display on the screen. For now, only ICMP traffic is to be displayed.

In the Wireshark Filter box, type icmp. The box should turn green if you typed the filter correctly. If the box is green, click Apply to apply the filter.

Step 4: From the command prompt window, ping the default gateway of your PC.

From the command window, ping the default gateway using the IP address that you recorded in Step 1.

Step 5: Stop capturing traffic on the NIC.

Click the Stop Capture icon to stop capturing traffic.

Step 6: Examine the first Echo (ping) request in Wireshark.

The Wireshark main window is divided into three sections: the Packet List pane (top), the Packet Details pane (middle), and the Packet Bytes pane (bottom). If you selected the correct interface for packet capturing in Step 3, Wireshark should display the ICMP information in the Packet List pane of Wireshark, similar to the following example.

a. In the Packet List pane (top section), click the first frame listed. You should see Echo (ping) request under the Info heading. This should highlight the line blue.

b. Examine the first line in the Packet Details pane (middle section). This line displays the length of the frame; 74 bytes in this example.

c. The second line in the Packet Details pane shows that it is an Ethernet II frame. The source and destination MAC addresses are also displayed.

What is the MAC address of the PC’s NIC?

What is the default gateway’s MAC address?

d. You can click the plus (+) sign at the beginning of the second line to obtain more information about the Ethernet II frame. Notice that the plus sign changes to a minus (-) sign.

What type of frame is displayed?

e. The last two lines displayed in the middle section provide information about the data field of the frame. Notice that the data contains the source and destination IPv4 address information.

What is the source IP address?

What is the destination IP address?

f. You can click any line in the middle section to highlight that part of the frame (hex and ASCII) in the Packet Bytes pane (bottom section). Click the Internet Control Message Protocol line in the middle section and examine what is highlighted in the Packet Bytes pane.

What do the last two highlighted octets spell?

g. Click the next frame in the top section and examine an Echo reply frame. Notice that the source and destination MAC addresses have reversed, because this frame was sent from the default gateway router as a reply to the first ping.

What device and MAC address is displayed as the destination address?

Step 7: Restart packet capture in Wireshark.

Click the Start Capture icon to start a new Wireshark capture. You will receive a popup window asking if you would like to save the previous captured packets to a file before starting a new capture. Click Continue without Saving.

Step 8: In the command prompt window, ping www.cisco.com.

Step 9: Stop capturing packets.

Step 10: Examine the new data in the packet list pane of Wireshark.

In the first echo (ping) request frame, what are the source and destination MAC addresses?

Source:

Destination:

What are the source and destination IP addresses contained in the data field of the frame?

Source:

Destination:

Compare these addresses to the addresses you received in Step 7. The only address that changed is the destination IP address. Why has the destination IP address changed, while the destination MAC address remained the same?

Reflection

Wireshark does not display the preamble field of a frame header. What does the preamble contain?

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 7 of 7
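The comparison asked for in Step 10 (local ping versus ping to www.cisco.com), worked as an added example that is not part of the lab: the host's forwarding rule picks the next hop, and the next hop's MAC from the ARP cache becomes the frame's destination, so the Layer 3 destination changes while the Layer 2 destination stays the gateway. The PC and gateway IPs are the lab's; the /24 mask, the MAC addresses in the ARP table and the remote address are assumptions constructed for the example.

```python
import ipaddress

# Constructed: lab's PC (10.20.164.22) and gateway (10.20.164.17); mask and MACs are assumed.
LOCAL_IP, PREFIX, GATEWAY_IP = "10.20.164.22", 24, "10.20.164.17"
ARP_TABLE = {
    "10.20.164.17": "00:11:22:33:44:55",   # assumed gateway MAC
    "10.20.164.30": "66:77:88:99:aa:bb",   # assumed on-link neighbour already resolved
}
BROADCAST = "ff:ff:ff:ff:ff:ff"

def next_hop_ip(dst_ip: str, local_ip: str = LOCAL_IP, prefix: int = PREFIX,
                gateway_ip: str = GATEWAY_IP) -> str:
    """Host forwarding rule: on-link destinations are reached directly, all others via the gateway."""
    net = ipaddress.ip_network(f"{local_ip}/{prefix}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in net else gateway_ip

def frame_addresses(dst_ip: str, arp_table: dict = ARP_TABLE) -> dict:
    """Layer 2 / Layer 3 destinations an echo request to dst_ip will carry.
    If the next hop's MAC is not cached, a broadcast ARP who-has goes out first,
    which is why the lab's capture opens with an ARP request."""
    hop = next_hop_ip(dst_ip)
    mac = arp_table.get(hop)
    return {"dst_ip": dst_ip, "next_hop": hop, "needs_arp": mac is None,
            "first_frame_dst_mac": mac if mac else BROADCAST,   # ARP precedes the ping
            "ping_dst_mac": mac}                                # None until ARP resolves it
```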