L

Lab - Us
sing Wireshark to
t View Network
k Traffic
c (Instrucctor Verssion)
Instructor No
ote: Red font color or Gray
y highlights ind
dicate text tha
at appears in the instructor copy only.

T
Topology

O
Objectives
Part 1: (O
Optional) Dow
wnload and Install
I
Wireshark
Part 2: Ca
apture and Analyze
A
Loca
al ICMP Data in Wiresharrk

Start and stop data

a capture of ping
p
traffic to local hosts.

Locatte the IP and MAC address

s information in captured P
PDUs.

Part 3: Ca
apture and Analyze
A
Remote ICMP Da
ata in Wiresh
hark

Start and stop data

a capture of ping
p
traffic to remote
r
hosts .

Locatte the IP and MAC address

s information in captured P
PDUs.

Expla
ain why MAC addresses for remote hostts are differen
nt than the MA
AC addressess of local hossts.

B
Backgroun
nd / Scenarrio
Wireshark
k is a software
e protocol ana
alyzer, or "pa
acket sniffer" a
application, used for netwo
ork troublesho
ooting,
As data strea
analysis, software
s
and protocol deve
elopment, and education. A
ams travel back and forth o
over the
network, the
t sniffer "ca
aptures" each protocol data
a unit (PDU) a
and can deco
ode and analyyze its conten
nt
according
g to the appropriate RFC or other speciffications.
Wireshark
k is a useful to
ool for anyone
e working with networks a nd can be used with most labs in the CCNA
ading and insstalling
courses fo
or data analys
sis and troublleshooting. Th
his lab provid
des instruction
ns for downloa
Wireshark
k, although it may already be installed. In
I this lab, yo
ou will use Wirreshark to capture ICMP d
data
packet IP addresses and Ethernet frrame MAC ad
ddresses.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

P
Page 1 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic

R
Required Resources
R

1 PC (Windows 7, Vista, or XP with

w Internet access)
a

Additional PC(s) on
n a local-area
a network (LA
AN) will be use
ed to reply to ping requestts.

Instructo
or Note: This lab
l assumes that the stude
ent is using a PC with Inte
ernet access a
and can ping other
PCs on th
he local area network.
n
If us
sing academy
y PCs, then th
he instructor m
may wish to p
pre-install Wire
eshark on
the PCs and
a advise the
e students to read through Part 1 and p
perform Parts 2 and 3 of the lab. Wiresh
hark
installation procedure and
a screensh
hots may chan
nge dependin
ng on Wiresha
ark version. T
This lab is usin
ng
Wireshark
k v1.8.3 for Windows
W
7 (64
4-bit).
Using a packet sniffer such
s
as Wireshark may be
e considered a breach of th
he security po
olicy of the scchool. It is
recommended that perrmission is ob
btained before
e running Wire
eshark for this lab. If using
g a packet sniiffer such
as Wiresh
hark is an issu
ue, the instruc
ctor may wish
h to assign the
e lab as home
ework or perfform a walk-th
hrough
demonstra
ation.

P
Part 1: (O
Optional)) Download and In
nstall Wirreshark
Wireshark
k has become
e the industry standard pac
cket-sniffer prrogram used by network engineers. Thiis open
source so
oftware is available for man
ny different op
perating syste
ems, including
g Windows, M
Mac, and Linu
ux. In Part
1 of this la
ab, you will do
ownload and install the Wireshark softw
ware program on your PC.
Note: If Wireshark
W
is already installe
ed on your PC
C, you can skkip Part 1 and
d go directly to
o Part 2. If Wiireshark
is not installed on your PC, check with
w your instru
uctor about yo
our academys software do
ownload policcy.

S
Step 1: Do
ownload Wirreshark.
a. Wires
shark can be downloaded
d
from
f
www.wirreshark.org.
b. Click Download Wireshark.
W

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

P
Page 2 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
c.

Choose the softwa

are version yo
ou need based
d on your PC
Cs architecturre and operatiing system. F
For
nce, if you hav
ve a 64-bit PC
C running Win
ndows, choosse Windows Installer (64--bit).
instan

After making a sele

ection, the do
ownload should start. The llocation of the
e downloaded
d file dependss on the
brows
ser and opera
ating system that
t
you use. For Windowss users, the default location
n is the Down
nloads
folderr.

S
Step 2: Ins
stall Wireshark.
a. The downloaded
d
file is named Wireshark-wi
W
in64-x.x.x.ex
xe, where x re
epresents the
e version num
mber.
Double-click the file
e to start the installation prrocess.
ond to any se
ecurity messa
ages that may
y display on yo
our screen. Iff you already have a copy of
b. Respo
Wires
shark on your PC, you will be prompted to uninstall th
he old version
n before insta
alling the new version.
It is re
ecommended that you rem
move the old version
v
of Wirreshark prior tto installing another versio
on. Click
Yes to
o uninstall the
e previous version of Wires
shark.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

P
Page 3 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
c.

If this is the first tim

me to install Wireshark,
W
or after
a
you havve completed the uninstall process, you will
p wizard. Click Next.
navigate to the Wirreshark Setup

nue advancin
ng through the
e installation process.
p
Clickk I Agree whe
en the Licensse Agreementt window
d. Contin
displa
ays.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

P
Page 4 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
e. Keep the default se
ettings on the
e Choose Com
mponents win
ndow and clicck Next.

f.

Choose your desired shortcut options and cliick Next.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

P
Page 5 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
g. You can
c change th
he installation location of Wireshark,
W
butt unless you h
have limited d
disk space, it is
recom
mmended thatt you keep the
e default loca
ation.

h. To ca
apture live nettwork data, WinPcap
W
must be installed o
on your PC. If WinPcap is already insta
alled on
nstalled versiion of WinPca
your PC,
P the Install check box will
w be unchec
cked. If your in
ap is older tha
an the
versio
on that comes
s with Wiresha
ark, it is recom
mmend that yyou allow the newer versio
on to be installled by
clickin
ng the Install WinPcap x.x
x.x (version number)
n
checck box.
i.

Finish
h the WinPcap
p Setup Wiza
ard if installing
g WinPcap.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

P
Page 6 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
j.

Wires
shark starts in
nstalling its file
es and a sepa
arate window displays with
h the status off the installatiion. Click
Next when the insttallation is complete.

k.

Click Finish to com

mplete the Wireshark insta
all process.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

P
Page 7 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic

P
Part 2: Capture
C
and
a Analy
yze Local ICMP Da
ata in Wirreshark
In Part 2 of
o this lab, you will ping another PC on the
t LAN and capture ICMP
P requests an
nd replies in
Wireshark
k. You will als
so look inside the frames captured for sp
pecific inform
mation. This an
nalysis should
d help to
clarify how
w packet head
ders are used
d to transport data to their destination.

S
Step 1: Re
etrieve your PCs interfface addresses.
d its network interface card
For this la
ab, you will ne
eed to retrieve
e your PCs IP
P address and
d (NIC) physiical
address, also
a
called the MAC addre
ess.
a. Open a command window, type
e ipconfig /all, and then prress Enter.
b. Note your
y
PC interrfaces IP add
dress and MA
AC (physical) a
address.

c.

Ask a team membe

er for their PC
Cs IP address
s and provide
e your PCs IP
P address to tthem. Do not provide
them with your MA
AC address att this time.

S
Step 2: Sta
art Wireshark and begiin capturing
g data.
a. On yo
our PC, click the
t Windows Start button to see Wiresh
hark listed ass one of the prrograms on th
he pop-up
menu. Double-click
k Wireshark.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

P
Page 8 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
b. After Wireshark
W
sta
arts, click Inte
erface List.

Note: Clicking the first interface

e icon in the ro
ow of icons allso opens the
e Interface Lisst.
c.

On the Wireshark: Capture Interfaces window

w, click the ch
heck box nexxt to the interfa
ace connecte
ed to your
LAN.

u are unsure w
which interfacce to check, cclick the Deta
ails
Note: If multiple intterfaces are listed and you
n, and then click the 802.3 (Ethernet) ta
ab. Verify tha
at the MAC ad
ddress matche
es what you n
noted in
button
Step 1b. Close the
e Interface De
etails window after verifying
g the correct iinterface.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

P
Page 9 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
d. After you
y have che
ecked the corrrect interface, click Start to
o start the data capture.

Inform
mation will sta
art scrolling do
own the top section in Wire
eshark. The d
data lines will appear in diff
fferent
colors
s based on prrotocol.

e. This information ca
an scroll by ve
ery quickly de
epending on w
what commun
nication is takking place bettween
P and the LA
AN. We can apply
a
a filter to
t make it eassier to view an
nd work with the data that is being
your PC
captured by Wiresh
hark. For this lab, we are only
o
interested
d in displayin
ng ICMP (ping
g) PDUs. Type
e icmp in
the Filter box at the
e top of Wires
shark and pre
ess Enter or cclick on the Ap
pply button to
o view only IC
CMP
(ping)) PDUs.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

Pa
age 10 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
f.

This filter
f
causes all
a data in the top window to
o disappear, but you are sstill capturing the traffic on the
interfa
ace. Bring up the command prompt window that you opened earliier and ping th
he IP addresss that you
receiv
ved from yourr team membe
er. Notice tha
at you start se
eeing data appear in the to
op window of
Wires
shark again.

Note: If your team members PC

C does not re
eply to your pi ngs, this mayy be because their PC firew
wall is
blockiing these requests. Please
e see Append
dix A: Allowing
g ICMP Traffic Through a F
Firewall for in
nformation
ndows 7.
on ho
ow to allow ICMP traffic thro
ough the firew
wall using Win
g. Stop capturing
c
data by clicking the
t Stop Cap
pture icon.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

Pa
age 11 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic

S
Step 3: Examine the captured
c
da
ata.
In Step 3, examine the
e data that wa
as generated by
b the ping re
equests of you
ur team mem
mbers PC. Wireshark
data is dis
splayed in three sections: 1)
1 The top se
ection displayss the list of PD
DU frames ca
aptured with a
summary of the IP pac
cket informatio
on listed, 2) th
he middle secction lists PDU
U information
n for the frame
e selected
in the top part of the sc
creen and sep
parates a cap
ptured PDU fra
ame by its prrotocol layers,, and 3) the b
bottom
section displays the raw
w data of eac
ch layer. The raw data is d isplayed in bo
oth hexadecim
mal and decim
mal form.

P request PDU
U frames in th
he top section
n of Wiresharrk. Notice thatt the Source ccolumn
a. Click the first ICMP
a
and the
t Destinatio
on contains th
he IP addresss of the teamm
mates PC you pinged.
has your PCs IP address,

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

Pa
age 12 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
b. With this
t
PDU fram
me still selecte
ed in the top section,
s
navig
gate to the miiddle section. Click the plus sign to
the left of the Ethernet II row to view the Des
stination and S
Source MAC addresses.

Does the Source MAC

M
address match your PCs
P
interface
e? ______ Ye
es
Does the Destination MAC addrress in Wiresh
hark match th
he MAC addre
ess that of yo
our team mem
mbers?
_____
_ Yes
How is the MAC ad
ddress of the pinged PC obtained by yo
our PC?
_____
___________
___________
____________
___________
___________
____________
____________
_______
The MAC
M
address is obtained th
hrough an AR
RP request.
Note: In the preced
ding example
e of a captured
d ICMP reque
est, ICMP datta is encapsu
ulated inside a
an IPv4
packe
et PDU (IPv4 header) whic
ch is then enc
capsulated in a
an Ethernet II frame PDU (Ethernet II h
header)
for tra
ansmission on
n the LAN.

P
Part 3: Capture
C
and
a Analy
yze Remo
ote ICMP Data in W
Wireshark
k
In Part 3, you will ping remote hosts
s (hosts not on the LAN) an
nd examine th
he generated
d data from those
pings. You will then determine whatt is different about
a
this data
a from the data examined in Part 2.

S
Step 1: Sta
art capturing data on in
nterface.
a. Click the Interface
e List icon to bring up the list PC interfa
aces again.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

Pa
age 13 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
b. Make sure the che
eck box next to
o the LAN intterface is checcked, and the
en click Start.

c.

A window prompts to save the previously

p
cap
ptured data b
before starting
g another cap
pture. It is not
neces
ssary to save this data. Clic
ck Continue without Sav
ving.

d. With the
t capture active, ping the
e following three website U
URLs:
1) www.yahoo.co
w
om
2) www.cisco.com
w
m
3) www.google.co
w
om

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

Pa
age 14 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic

Note: When you ping the URLs listed, notice

e that the Dom
main Name Se
erver (DNS) ttranslates the
e URL to
an IP address. Notte the IP addrress received for each URL
L.
e. You can
c stop captu
uring data by clicking the Stop
S
Capture
e icon.

S
Step 2: Examining and analyzing
g the data frrom the rem
mote hosts.
a. Revie
ew the capture
ed data in Wireshark, exam
mine the IP an
nd MAC addrresses of the three location
ns that
you pinged. List the destination IP and MAC addresses fo
or all three loccations in the space provid
ded.
1st Location:

IP: _____.____
__._____.____
__ MAC: ___
__:____:____:____:____:_
____

nd

IP: _____.____
__._____.____
__ MAC: ___
__:____:____:____:____:_
____

rd

IP: _____.____
__._____.____
__ MAC: ___
__:____:____:____:____:_
____

ocation:
2 Lo
3 Lo
ocation:

IP add
dresses: 72.3
30.38.140, 192.133.219.25
5, 74.125.129 .99 (these IP addresses m
may vary)
MAC address: This
s will be the same
s
for all th
hree locationss. It is the phyysical addresss of the routerrs
default-gateway LA
AN interface.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

Pa
age 15 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
b. What is significant about this infformation?
_____
___________
___________
____________
___________
___________
____________
____________
________
The MAC
M
addresse
es for all three
e locations arre the same.
c.

How does
d
this information differr from the loca
al ping inform
mation you recceived in Partt 2?
_____
___________
___________
____________
___________
___________
____________
____________
________
_____
___________
___________
____________
___________
___________
____________
____________
________
A ping
g to a local ho
ost returns the
e MAC addre
ess of the PC s NIC. A ping
g to a remote host returns the MAC
addre
ess of the defa
ault gateways
s LAN interface.

R
Reflection
Why does
s Wireshark show the actual MAC addre
ess of the loccal hosts, but not the actua
al MAC addresss for the
remote ho
osts?
________
___________
____________
___________
___________
____________
____________
___________
________
________
___________
____________
___________
___________
____________
____________
___________
________
MAC addresses for rem
mote hosts arre not known on the local n
network, so th
he MAC addre
ess of the deffaultgateway is used. After the packet re
eaches the de
efault-gatewayy router, the llayer 2 inform
mation is stripp
ped from
the packe
et and a new Layer
L
2 heade
er is attached
d with the desstination MAC
C address of the next hop rrouter.

A
Appendix A:
A Allowing
g ICMP Tra
affic Throu
ugh a Firew
wall
If the mem
mbers of yourr team are una
able to ping your
y
PC, the ffirewall may b
be blocking th
hose requestss. This
appendix describes ho
ow to create a rule in the firrewall to allow
w ping requessts. It also desscribes how to disable
the new IC
CMP rule afte
er you have co
ompleted the lab.

S
Step 1: Cre
eate a new inbound rule allowing ICMP traffi c through tthe firewall.
a. From the Control Panel,
P
click the System an
nd Security o
option.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

Pa
age 16 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
b. From the System and
a Security window,
w
click Windows Fiirewall.

c.

In the
e left pane of the
t Windows Firewall wind
dow, click Adv
vanced settings.

d. On the Advanced Security

S
window, choose the Inbound R
Rules option on the left sid
debar and the
en click
New Rule
R
on the
e right sideba
ar.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

Pa
age 17 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
e. This launches the New Inbound
d Rule wizard. On the Rule
e Type screen
n, click the Cu
ustom radio b
button
c
Next
and click

f.

In the
e left pane, click the Protoc
col and Ports
s option and u
using the Pro
otocol type dro
op-down men
nu, select
ICMP
Pv4, and then click Next.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

Pa
age 18 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
g. In the
e left pane, click the Name option and in
n the Name fie
eld, type Allo
ow ICMP Req
quests. Click Finish.

This new
n
rule shou
uld allow yourr team membe
ers to receive
e ping replies from your PC
C.

S
Step 2: Dis
sabling or deleting
d
the new ICMP rule.
After the lab is complette, you may want
w
to disable or even dellete the new rrule you creatted in Step 1.. Using
the Disab
ble Rule optio
on allows you to enable the
e rule again a
at a later date. Deleting the
e rule permanently
deletes it from the list of
o Inbound Ru
ules.
a. On the Advanced Security
S
window, in the leftt pane, click IInbound Rule
es and then locate the rule
e you
create
ed in Step 1.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

Pa
age 19 of 20

L
Lab - Using Wireshark
W
to View Netwo
ork Traffic
b. To dis
sable the rule
e, click the Dis
sable Rule op
ption. When yyou choose th
his option, you will see thiss option
chang
ge to Enable Rule. You ca
an toggle back
k and forth be
etween Disab
ble Rule and E
Enable Rule; the
status
s of the rule also
a
shows in the Enabled column of the
e Inbound Rules list.

c.

To pe
ermanently de
elete the ICMP
P rule, click Delete.
D
If you choose this o
option, you must re-create the rule
again to allow ICMP replies.

2013 Cisco and

d/or its affiliates. All rights reserve
ed. This docume
ent is Cisco Publiic.

Pa
age 20 of 20