Lab Activity 1b - Use Wireshark To View Network Traffic
Topology
Objectives
▪ Part 1: Capture and Analyze Local ICMP Data in Wireshark
▪ Part 2: Capture and Analyze Remote ICMP Data in Wireshark
Background / Scenario
Wireshark is a software protocol analyzer, or “packet sniffer” application, used for
network troubleshooting, analysis, software and protocol development, and education. As
data streams travel back and forth over the network, the sniffer “captures” each protocol
data unit (PDU) and can decode and analyze its content according to the appropriate RFC
or other specifications.
Wireshark is a useful tool for anyone working with networks and can be used with most
labs in the CCNA courses for data analysis and troubleshooting. In this lab, you will use
Wireshark to capture ICMP packets and examine the IP addresses in their IP headers and
the MAC addresses in their Ethernet frames.
Required Resources
▪ 1 PC (Windows with internet access)
▪ Additional PCs on a local-area network (LAN) will be used to reply to ping requests.
Instructions
b. Ask a team member (or members) for their PC IP address and give them your PC IP
address.
c. Applying this filter clears the top window, but the capture on the interface
continues. Open a command prompt window and ping the IP address that you received
from your team member.
Note: If your team member's PC does not reply to your pings, the Windows firewall on
their PC may be blocking the requests. See Appendix A: Allowing ICMP Traffic Through a
Firewall for instructions on allowing ICMP traffic through the Windows firewall.
b. With this PDU frame still selected in the top section, navigate to the middle
section. Click the plus sign to the left of the Ethernet II row to expand it and view the
destination and source MAC addresses.
c. Does the source MAC address match your PC interface? Answer: _________
d. Does the destination MAC address in Wireshark match your team member's MAC
address? Answer: ___________
d. You can stop capturing data by clicking the Stop Capture icon.
Step 2: Examining and analyzing the data from the remote hosts.
Review the captured data in Wireshark and examine the IP and MAC addresses of the
three locations that you pinged. List the destination IP and MAC addresses for all three
locations in the table provided.

Location          Destination IP address    Destination MAC address
www.yahoo.com     ______________________    _______________________
www.cisco.com     ______________________    _______________________
www.google.com    ______________________    _______________________
How does this information differ from the local ping information in Part 1 and the
remote host ping information in Part 2?
Why does Wireshark show the actual MAC address of the local hosts, but not the actual
MAC address of the remote hosts?
The MAC addresses of remote hosts are not known on the local network, so the frame
carries the MAC address of the default gateway as its destination instead; all three remote
pings therefore show the same destination MAC address even though their destination IP
addresses differ.
After the packet reaches the default-gateway router, the Layer 2 header is stripped from
the packet and a new Layer 2 header is attached with the destination MAC address of the
next-hop router. The IP header, with the remote host's address, is carried unchanged
(apart from the TTL decrement) across every hop.
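The following Python is an added example and is not part of the lab. It builds the Ethernet II / IPv4 / ICMP echo-request frame a PC's stack would emit for `ping`, choosing the destination MAC the way the sender does (the peer's own MAC when the target is on-link, the default gateway's MAC otherwise), and then decodes the frame into the same fields Wireshark shows in its Ethernet II, Internet Protocol and ICMP rows, checksum verification included. All addresses, MACs and the ARP table are constructed stand-ins (documentation IP ranges, locally administered MACs), not real hosts.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def next_hop_mac(dst_ip, local_net, arp_table, gateway_ip):
    """Destination MAC for the frame: the target's MAC if it is on-link, else the default gateway's MAC.
    arp_table is a constructed stand-in for the OS ARP cache (a real stack would ARP for missing entries)."""
    if IPv4Address(dst_ip) in IPv4Network(local_net):
        return arp_table[dst_ip]
    return arp_table[gateway_ip]


def build_echo_request(src_mac, dst_mac, src_ip, dst_ip, ident=1, seq=1, payload=b"abcdefghijklmnop", ttl=128):
    """Ethernet II + IPv4 + ICMP echo request with valid checksums, padded to the 60-byte Ethernet minimum."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, ttl, IPPROTO_ICMP, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4)
    return (eth_hdr + ip_hdr + icmp).ljust(60, b"\x00")


def decode_icmp_frame(frame):
    """Decode Ethernet II -> IPv4 -> ICMP, the rows Wireshark shows for a ping, and verify both checksums."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src_ip, dst_ip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < total_len:
        raise ValueError("malformed IPv4 header")
    if proto != IPPROTO_ICMP:
        raise ValueError(f"not ICMP: IP protocol {proto}")
    icmp = ip[ihl:total_len]  # honour Total Length so Ethernet padding is not mistaken for ICMP data
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code, _icsum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
        "src_ip": str(IPv4Address(src_ip)), "dst_ip": str(IPv4Address(dst_ip)), "ttl": ttl,
        "icmp_type": icmp_type, "icmp_code": icmp_code, "id": ident, "seq": seq,
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
    }


# Constructed lab addressing: documentation ranges and locally administered MACs, not real hosts.
LOCAL_NET = "192.168.1.0/24"
MY_IP, MY_MAC = "192.168.1.10", "02:00:00:00:00:0a"
PEER_IP, PEER_MAC = "192.168.1.20", "02:00:00:00:00:14"    # the team member's PC
GW_IP, GW_MAC = "192.168.1.1", "02:00:00:00:00:01"         # default gateway
REMOTE_IP = "203.0.113.80"                                  # stands in for a remote web server
ARP_TABLE = {PEER_IP: PEER_MAC, GW_IP: GW_MAC}


def ping_frame(dst_ip):
    """The frame `ping dst_ip` puts on the wire: IP header names the final target, Ethernet header names the next hop."""
    return build_echo_request(MY_MAC, next_hop_mac(dst_ip, LOCAL_NET, ARP_TABLE, GW_IP), MY_IP, dst_ip)


if __name__ == "__main__":
    for target in (PEER_IP, REMOTE_IP):
        d = decode_icmp_frame(ping_frame(target))
        print(f"{target:>14}: dst IP {d['dst_ip']:<14} dst MAC {d['dst_mac']}  "
              f"ICMP type {d['icmp_type']}  checksums ok={d['ip_checksum_ok'] and d['icmp_checksum_ok']}")
```

Running it prints the local ping with the peer's MAC and the remote ping with the gateway's MAC while the destination IP stays the remote address, which is exactly the pattern the answer above describes. The decoder also shows why Wireshark trusts the IP Total Length field rather than the frame length: short frames are padded to 60 bytes on the wire, and the padding is not ICMP data.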
a. In the Advanced Security window, click Inbound Rules in the left pane and
then locate the rule you created previously.
b. Right-click the ICMP rule and select Disable Rule if desired. You may also
select Delete to remove the rule permanently. If you choose this option, you
must re-create the rule before your PC will send ICMP replies again.