Experiment-4

Objective: Use Wireshark to View Network Traffic.

Topology

Objectives
Part 1: Capture and Analyze Local ICMP Data in Wireshark
Part 2: Capture and Analyze Remote ICMP Data in Wireshark

Background / Scenario
Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis,
software and protocol development, and education. As data streams travel back and forth over the network, the sniffer
"captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or
other specifications.
Wireshark is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for
data analysis and troubleshooting. In this lab, you will use Wireshark to capture ICMP data packet IP addresses and
Ethernet frame MAC addresses.

Required Resources
 1 PC (Windows with internet access)
 Additional PCs on a local-area network (LAN) will be used to reply to ping requests.

Instructions

Part 1: Capture and Analyze Local ICMP Data in Wireshark

In Part 1 of this lab, you will ping another PC on the LAN and capture ICMP requests and replies in Wireshark. You will
also look inside the frames captured for specific information. This analysis should help to clarify how packet headers are
used to transport data to their destination.
[Title]

Step 1: Retrieve your PC interface addresses.

For this lab, you will need to retrieve your PC IP address and its network interface card (NIC) physical address, also
called the MAC address.
Open a Windows command prompt.

a. In a command prompt window, enter ipconfig /all, to the IP address of your PC interface, its description, and its
MAC (physical) address.
C:\Users\Student> ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DESKTOP-NB48BTC

Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel(R) 82577LM Gigabit Network Connection
Physical Address. . . . . . . . . :00-26-B9-DD-00-91
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d809:d939:110f:1b7f%20(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.147(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
<output omitted>
b. Ask a team member or team members for their PC IP address and provide your PC IP address to them. Do not
provide them with your MAC address at this time.
Close a Windows Command Prompt.

Step 2: Start Wireshark and begin capturing data.

a. Navigate to Wireshark. Double-click the desired interface to start the packet capture. Make sure the desired interface
has traffic.
b. Information will start scrolling down the top section in Wireshark. The data lines will appear in different colors
based on protocol.
This information can scroll by very quickly depending on what communication is taking place between your PC and
the LAN. We can apply a filter to make it easier to view and work with the data that is being captured by Wireshark.
For this lab, we are only interested in displaying ICMP (ping) PDUs. Type icmp in the Filter box at the top of
Wireshark and press Enter, or click the Apply button (arrow sign) to view only ICMP (ping) PDUs.
c. This filter causes all data in the top window to disappear, but you are still capturing the traffic on the interface.
Navigate to a command prompt window and ping the IP address that you received from your team member.
C:\> ping 192.168.1.114

Pinging 192.168.1.114 with 32 bytes of data:

Reply from 192.168.1.114: bytes=32 time<1ms TTL=128

-
[Title]

Reply from 192.168.1.114: bytes=32 time<1ms TTL=128

Reply from 192.168.1.114: bytes=32 time<1ms TTL=128
Reply from 192.168.1.114: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.114:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Notice that you start seeing data appear in the top window of Wireshark again.

Note: If the PC of your team member does not reply to your pings, this may be because the PC firewall of the team
member is blocking these requests. Please see Error: Reference source not found for information on how to allow
ICMP traffic through the firewall using Windows.
d. Stop capturing data by clicking the Stop Capture icon.

Step 3: Examine the captured data.

In Step 3, examine the data that was generated by the ping requests of your team member PC. Wireshark data is
displayed in three sections: 1) The top section displays the list of PDU frames captured with a summary of the IP packet
information listed; 2) the middle section lists PDU information for the frame selected in the top part of the screen and
separates a captured PDU frame by its protocol layers; and 3) the bottom section displays the raw data of each layer. The
raw data is displayed in both hexadecimal and decimal form.

-
[Title]

a. Click the first ICMP request PDU frames in the top section of Wireshark. Notice that the Source column has your
PC IP address, and the Destination column contains the IP address of the teammate PC that you pinged.
b. With this PDU frame still selected in the top section, navigate to the middle section. Click the plus sign to the left of
the Ethernet II row to view the destination and source MAC addresses.
Questions:

Does the source MAC address match your PC interface?

Type your answers here.
Yes
Does the destination MAC address in Wireshark match your team member MAC address?
Type your answers here.
Yes
How is the MAC address of the pinged PC obtained by your PC?
Type your answers here.
The MAC address is obtained through an ARP request.
Note: In the preceding example of a captured ICMP request, ICMP data is encapsulated inside an IPv4 packet PDU
(IPv4 header) which is then encapsulated in an Ethernet II frame PDU (Ethernet II header) for transmission on the
LAN.

Part 2: Capture and Analyze Remote ICMP Data in Wireshark

In Part 2, you will ping remote hosts (hosts not on the LAN) and examine the generated data from those pings. You will
then determine what is different about this data from the data examined in Part 1.

Step 1: Start capturing data on the interface.

a. Start the data capture again.
b. A window prompts you to save the previously captured data before starting another capture. It is not necessary to
save this data. Click Continue without Saving.
c. With the capture active, ping the following three website URLs from a Windows command prompt:
Open a Windows command prompt

1) www.yahoo.com
2) www.cisco.com
3) www.google.com
Note: When you ping the URLs listed, notice that the Domain Name Server (DNS) translates the URL to an IP
address. Note the IP address received for each URL.
d. You can stop capturing data by clicking the Stop Capture icon.

Step 2: Examining and analyzing the data from the remote hosts.
Review the captured data in Wireshark and examine the IP and MAC addresses of the three locations that you pinged.
List the destination IP and MAC addresses for all three locations in the space provided.
Questions:

IP address for www.yahoo.com:

Type your answers here.
MAC address for www.yahoo.com:
Type your answers here.

-
[Title]

IP address for www.cisco.com:

Type your answers here.
MAC address for www.cisco.com:
Type your answers here.
IP address for www.google.com:
Type your answers here.
MAC address for www.google.com:
Type your answers here.
P addresses: 98.137.246.7, 96.7.79.147, 172.217.14.100 (these IP addresses may vary)
AC address: This will be the same for all three locations. It is the physical address of the default-gateway
LAN interface of the router.
What is significant about this information?
Type your answers here.
The MAC addresses for all three locations are the same.
How does this information differ from the local ping information you received in Part 1?
Type your answers here.
A ping to a local host returns the MAC address of the PC NIC. A ping to a remote host returns the MAC
address of the default gateway LAN interface.
Close the Windows command prompt

Reflection Question
Why does Wireshark show the actual MAC address of the local hosts, but not the actual MAC address for the remote
hosts?
MAC addresses for remote hosts are not known on the local network, so the MAC address of the default-gateway
is used. After the packet reaches the default-gateway router, the Layer 2 information is stripped from the packet
and a new Layer 2 header is attached with the destination MAC address of the next hop router.

Part 1: Create a new inbound rule allowing ICMP traffic through the firewall.
a. Navigate to the Control Panel and click the System and Security option in the Category view.
b. In the System and Security window, click Windows Defender Firewall or Windows Firewall.
c. In the left pane of the Windows Defender Firewall or Windows Firewall window, click advanced settings.
d. On the Advanced Security window, click the Inbound Rules option on the left sidebar and then click New Rule…
on the right sidebar.
e. This launches the New Inbound Rule wizard. On the Rule Type screen, click the Custom radio button and click
next.
f. In the left pane, click the Protocol and Ports option and using the Protocol Type drop-down menu, select
ICMPv4, and then click next.
g. Verify that Any IP address for both the local and remote IP addresses are selected. Click Next to continue.
h. Select allow the connection. Click Next to continue.
i. By default, this rule applies to all the profiles. Click Next to continue.

-
[Title]

j. Name the rule with Allow ICMP Requests. Click Finish to continue. This new rule should allow your team
members to receive ping replies from your PC.

Part 2: Disabling or deleting the new ICMP rule.

After the lab is complete, you may want to disable or even delete the new rule you created in Step 1. Using the Disable
Rule option allows you to enable the rule again at a later date. Deleting the rule permanently deletes it from the list of
inbound rules.
a. On the Advanced Security window, click Inbound Rules in the left pane and then locate the rule you created
previously.
b. Right-click the ICMP rule and select Disable Rule if so desired. You may also select Delete if you want to
permanently delete it. If you choose this option, you must re-create the rule again to allow ICMP replies.

Objective: View Wired and Wireless NIC Information

Objectives
Part 1: Identify and Work with PC NICs
Part 2: Identify and Use the System Tray Network Icons

Background / Scenario
This lab requires you to determine the availability and status of the network interface cards (NICs) on the PC that you
use. Windows provides a number of ways to view and work with your NICs.
In this lab, you will access the NIC information of your PC and change the status of these cards.

Required Resources
 1 PC (Windows with two NICs, wired and wireless, and a wireless connection)
Note: At the start of this lab, the wired Ethernet NIC in the PC was cabled to one of the integrated switch ports on a
wireless router and the Local Area Connection (wired) was enabled. The wireless NIC was disabled initially. If the wired
and wireless NICs are both enabled the PC will receive two different IP addresses and the wireless NIC will take
precedence.

Instructions

Part 3: Identify and Work with PC NICs.

In Part 1, you will identify the NIC types in the PC that you are using. You will explore different ways to extract
information about these NICs and how to activate and deactivate them.
Note: This lab was performed using a PC running on the Windows 10 operating system. You should be able to perform
the lab with one of the other Windows operating systems listed; however, menu selections and screens may vary.

Step 1: Use the Network and Sharing Center.

a. Navigate to the Control Panel. Click View network status and tasks under Network and Internet heading in the
Category View.
b. In the left pane, click the Change adapter settings link.
c. In the Network Connections window, the results provide a list of NICs available on this PC. Look for your Wi-Fi
adapters.

-
[Title]

Note: Virtual Private Network (VPN) adapters and other types of network connections may also be displayed in this
window.

Step 2: Work with your wireless NIC.

a. Locate the wireless network connection. If it is disabled, right-click and select Enable to activate your wireless NIC.
b. If the wireless network connection is not currently connected, right-click and select Connect/Disconnect to connect
to an SSID that you are authorized to connect to.
c. Right-click a wireless network connection, and then click Status.
d. The wireless network connection Status window displays where you can view information about your wireless
connection.
Questions:

What is the Service Set Identifier (SSID) for the wireless router of your connection?
Type your answers here.
Answers will vary.
What is the speed of your wireless connection?
Type your answers here.
Answers will vary.
e. Click Details to display the Network Connection Details window.
Questions:

What is the MAC address of your wireless NIC?

Type your answers here.
Answers will vary.
Do you have multiple IPv4 DNS Servers listed? If so, why would multiple DNS Servers be listed?
Type your answers here.
Answers will vary on the number of DNS Servers. Multiple DNS Servers are listed in case the first DNS
server becomes unresponsive. Reasons may include the server is down for maintenance or is experiencing a
problem. If the first DNS server does not respond, then the second DNS Server is used, and so on.
f. Open a Windows Command Prompt and type ipconfig /all.
Open a Windows Command Prompt.

Notice that the information displayed here is the same information that was displayed in the Network Connection
Details window in Step e.
g. Close the command window and the Network Connection Details window. This should return you back to the Wi-Fi
Status window. Click Wireless Properties.
Close a Windows Command Prompt.

h. In the Wireless Network Properties window, click the Security tab.

i. The type of security the connected wireless router has implemented displays. Click the Show characters check box
to display the actual Network security key, instead of the hidden characters, and then click OK.
j. Close the Wireless Network Properties and the Wi-Fi Status windows. Select and right-click the Wi-Fi option >
Connect/Disconnect. A pop-up window should appear at the bottom right corner of your desktop that displays your
current connection, along with a list of SSIDs that are in range of the wireless NIC of your PC. If a scrollbar appears
on the right side of this window, you can use it to display additional SSIDs.
k. To join one of the other wireless network SSIDs listed, click the SSID that you want to join, and then click Connect.
l. If you have selected a secure SSID, you are prompted to enter the Security key for the SSID. Type the security key
for that SSID and click OK. You can click the Hide characters check box to prevent people from seeing what you
type in the Security key field.

-
[Title]

Step 3: Work with your wired NIC.

a. On the Network Connections window, select and right-click Ethernet option to display the drop-down list. If the
NIC is disabled, enable it, and then click the Status option.
Note: You must have an Ethernet cable attaching your PC NIC to a switch or similar device to see the status. Many
wireless routers have a small 4-port Ethernet switch built-in. You can connect to one of the ports using a straight-
through Ethernet patch cable.
b. In the Status window, the results display information about your wired connection to the LAN.
c. Click Details… to view the address information for your LAN connection.
d. Open a command window prompt and type ipconfig /all. Find your Ethernet adapter information and compare this
with the information displayed in the Network Connection Details window.
Open a Windows Command Prompt.

C:\Users\ITE> ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DESKTOP-VITJF61

Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel(R) Ethernet Connection (4) I219-LM
Physical Address. . . . . . . . . : 08-00-27-80-91-DB
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d829:6d18:e229:a705%5(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, September 4, 2019 1:19:07 PM
Lease Expires . . . . . . . . . . : Thursday, September 5, 2019 1:19:08 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 50855975
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-21-BA-64-08-00-27-80-91-DB
DNS Servers . . . . . . . . . . . : 68.105.28.16
68.105.29.16
NetBIOS over Tcpip. . . . . . . . : Enabled
Close a Windows Command Prompt.

e. Close all windows on your desktop.

Part 4: Identify and Use the System Tray Network Icons

In Part 2, you will use the network icons in your system tray to determine and control the NICs on your PC.

-
[Title]

Step 1: Use the network icon.

a. Click the system tray. Click the network icon to view the pop-up window that displays the SSIDs that are in-range of
your wireless NIC.
b. Click Network & Internet.
c. In the Settings windows, click Change adapter options under the Change your network settings heading.
d. In the Network Connections window, right-click Wi-Fi and select Disable.
e. Examine your system tray. Click the Network icon again. With the Wi-Fi disabled, wireless networks are no longer
in range and not available for wireless connections.
f. You can also disable the Ethernet network by disabling the Ethernet adapters.

Step 2: Identify the Network Problem icon.

a. In the Network Connections window, disable all the Wi-Fi and Ethernet adapters.
b. The system tray now displays the Network Disabled icon, which indicates that network connectivity has been
disabled.
c. You can click this icon to return to the Network and Internet settings.
d. In the Network and Internet settings window, you can click Troubleshoot to use the PC to resolve the network issue
for you.
e. If troubleshooting did not enable one of your NICs, then you should do this manually to restore the network
connectivity of your PC.
Note: If a network adapter is enabled and the NIC is unable to establish network connectivity, then the Network
Problem icon appears in the system tray.
If this icon appears, you can troubleshoot this issue just like you did in Step 2c.

Reflection Question
Why would you activate more than one NIC on a PC?
Type your answers here.
Answers may vary. Multiple NICs can be used if more than one path is needed for the PC. One example of this
would be if the PC is being used as a Proxy Server.

Objective: Use Wireshark to Examine Ethernet Frames

Topology

-
[Title]

Objectives
Part 1: Examine the Header Fields in an Ethernet II Frame
Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

Background / Scenario
When upper layer protocols communicate with each other, data flows down the Open Systems Interconnection (OSI)
layers and is encapsulated into a Layer 2 frame. The frame composition is dependent on the media access type. For
example, if the upper layer protocols are TCP and IP and the media access is Ethernet, then the Layer 2 frame
encapsulation will be Ethernet II. This is typical for a LAN environment.
When learning about Layer 2 concepts, it is helpful to analyze frame header information. In the first part of this lab, you
will review the fields contained in an Ethernet II frame. In Part 2, you will use Wireshark to capture and analyze Ethernet
II frame header fields for local and remote traffic.

Required Resources
 1 PC (Windows with internet access and with Wireshark installed)

Instructions

Part 5: Examine the Header Fields in an Ethernet II Frame

In Part 1, you will examine the header fields and content in an Ethernet II frame. A Wireshark capture will be used to
examine the contents in those fields.

Step 1: Review the Ethernet II header field descriptions and lengths.

Destination Source Frame

Preamble Address Address Type Data FCS

8 Bytes 6 Bytes 6 Bytes 2 Bytes 46 – 1500 Bytes 4 Bytes

Step 2: Examine the network configuration of the PC.

In this example, this PC host IP address is 192.168.1.147 and the default gateway has an IP address of 192.168.1.1.
C:\> ipconfig /all

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : F0-1F-AF-50-FD-C8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::58c5:45f2:7e5e:29c2%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.147(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, September 6, 2019 11:08:36 AM
Lease Expires . . . . . . . . . . : Saturday, September 7, 2019 11:08:36 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1

-
[Title]

<output omitted>

Step 3: Examine Ethernet frames in a Wireshark capture.

The screenshots of the Wireshark capture below shows the packets generated by a ping being issued from a PC host to its
default gateway. A filter has been applied to Wireshark to view the ARP and ICMP protocols only. ARP stands for
address resolution protocol. ARP is a communication protocol that is used for determining the MAC address that is
associated with the IP address. The session begins with an ARP query and reply for the MAC address of the gateway
router, followed by four ping requests and replies.
This screenshot highlights the frame details for an ARP request.

-
[Title]

This screenshot highlights the frame details for an ARP reply.

Step 4: Examine the Ethernet II header contents of an ARP request.

The following table takes the first frame in the Wireshark capture and displays the data in the Ethernet II header fields.

Field Value Description

Preamble Not shown in capture This field contains synchronizing bits, processed by the NIC
hardware.
Destination Address Broadcast (ff:ff:ff:ff:ff:ff)
Layer 2 addresses for the frame. Each address is 48 bits long, or
6 octets, expressed as 12 hexadecimal digits, 0-9,A-F.
A common format is 12:34:56:78:9A:BC.
The first six hex numbers indicate the manufacturer of the
Source Address Netgear_99:c5:72 network interface card (NIC), the last six hex numbers are the
(30:46:9a:99:c5:72) serial number of the NIC.
The destination address may be a broadcast, which contains all
ones, or a unicast. The source address is always unicast.
Frame Type 0x0806 For Ethernet II frames, this field contains a hexadecimal value
that is used to indicate the type of upper-layer protocol in the
data field. There are numerous upper-layer protocols supported
by Ethernet II. Two common frame types are these:
Value Description
0x0800 IPv4 Protocol
0x0806 Address Resolution Protocol (ARP)
Data ARP Contains the encapsulated upper-level protocol. The data field is
between 46 – 1,500 bytes.

-
[Title]

Field Value Description

FCS Not shown in capture Frame Check Sequence, used by the NIC to identify errors during
transmission. The value is computed by the sending device,
encompassing frame addresses, type, and data field. It is verified
by the receiver.

What is significant about the contents of the destination address field?

Type your answers here.
All hosts on the LAN will receive this broadcast frame. The host with the IP address of 192.168.1.1 (default
gateway) will send a unicast reply to the source (PC host). This reply contains the MAC address of the NIC of the
default gateway.
Why does the PC send out a broadcast ARP prior to sending the first ping request?
Type your answers here.
The PC cannot send a ping request to a host until it determines the destination MAC address, so that it can build
the frame header for that ping request. The ARP broadcast is used to request the MAC address of the host with
the IP address contained in the ARP.
What is the MAC address of the source in the first frame?
Type your answers here.
It varies; in this case, it is f0:1f:af:50:fd:c8.
What is the Vendor ID (OUI) of the Source NIC in the ARP reply?
Type your answers here.
It varies, in this case, it is Netgear.
What portion of the MAC address is the OUI?
Type your answers here.
The first 3 octets of the MAC address indicate the OUI.
What is the NIC serial number of the source?
Type your answers here.
It may vary, it is 99:c5:72 in this case.

Part 6: Use Wireshark to Capture and Analyze Ethernet Frames

In Part 2, you will use Wireshark to capture local and remote Ethernet frames. You will then examine the information
that is contained in the frame header fields.

Step 1: Determine the IP address of the default gateway on your PC.

Open a Windows command prompt.

Open a command prompt window and issue the ipconfig command.

What is the IP address of the PC default gateway?
Type your answers here.
Answers will vary.
Close a Windows command prompt.

Step 2: Start capturing traffic on your PC NIC.

a. Open Wireshark to start data capture.

-
[Title]

b. Observe the traffic that appears in the packet list window.

Step 3: Filter Wireshark to display only ICMP traffic.

You can use the filter in Wireshark to block visibility of unwanted traffic. The filter does not block the capture of
unwanted data; it only filters what you want to display on the screen. For now, only ICMP traffic is to be displayed.
In the Wireshark Filter box, type icmp. The box should turn green if you typed the filter correctly. If the box is green,
click Apply (the right arrow) to apply the filter.

Step 4: From the command prompt window, ping the default gateway of your PC.
Open a Windows command prompt.

From the command window, ping the default gateway using the IP address that you recorded in Step 1.
Close Windows command prompt.

Step 5: Stop capturing traffic on the NIC.

Click the Stop Capturing Packets icon to stop capturing traffic.

Step 6: Examine the first Echo (ping) request in Wireshark.

The Wireshark main window is divided into three sections: the packet list pane (top), the Packet Details pane (middle),
and the Packet Bytes pane (bottom). If you selected the correct interface for packet capturing previously, Wireshark
should display the ICMP information in the packet list pane of Wireshark.
a. In the packet list pane (top section), click the first frame listed. You should see Echo (ping) request under the Info
heading. The line should now be highlighted.
b. Examine the first line in the packet details pane (middle section). This line displays the length of the frame.
c. The second line in the packet details pane shows that it is an Ethernet II frame. The source and destination MAC
addresses are also displayed.
Questions:

What is the MAC address of the PC NIC?

Type your answers here.
Your answers will vary.
What is the default gateway’s MAC address?
Type your answers here.
Your answers will vary.
d. You can click the greater than (>) sign at the beginning of the second line to obtain more information about the
Ethernet II frame.
Question:

What type of frame is displayed?

Type your answers here.
0x0800 or an IPv4 frame type.
e. The last two lines displayed in the middle section provide information about the data field of the frame. Notice that
the data contains the source and destination IPv4 address information.
Questions:

What is the source IP address?

Type your answers here.
Your answers will vary.
What is the destination IP address?
Type your answers here.

-
[Title]

Your answers will vary.

f. You can click any line in the middle section to highlight that part of the frame (hex and ASCII) in the Packet Bytes
pane (bottom section). Click the Internet Control Message Protocol line in the middle section and examine what is
highlighted in the Packet Bytes pane.
Question:

What do the last two highlighted octets spell?

Type your answers here.
hi
g. Click the next frame in the top section and examine an Echo reply frame. Notice that the source and destination
MAC addresses have reversed, because this frame was sent from the default gateway router as a reply to the first
ping.
Question:

What device and MAC address is displayed as the destination address?

Type your answers here.
Your answers will vary.

Step 7: Capture packets for a remote host.

a. Click the Start Capture icon to start a new Wireshark capture. You will receive a popup window asking if you
would like to save the previous captured packets to a file before starting a new capture. Click Continue without
Saving.
Open a Windows command prompt.

b. In a command prompt window, ping www.cisco.com.

Close a Windows command prompt.

c. Stop capturing packets.

d. Examine the new data in the packet list pane of Wireshark.
Questions:

In the first echo (ping) request frame, what are the source and destination MAC addresses?
Source:
Type your answers here.
This should be the MAC address of the PC.
Destination:
Type your answers here.
This should be the MAC address of the Default Gateway.
What are the source and destination IP addresses contained in the data field of the frame?
Source:
Type your answers here.
This is still the IP address of the PC.
Destination:
Type your answers here.
This is the address of the server at www.cisco.com.
Compare these addresses to the addresses you received in Step 6. The only address that changed is the destination IP
address. Why has the destination IP address changed, while the destination MAC address remained the same?
Type your answers here.

-
[Title]

Layer 2 frames never leave the LAN. When a ping is issued to a remote host, the source will use the default
gateway MAC address for the frame destination. The default gateway receives the packet, strips the Layer 2
frame information from the packet and then creates a new frame header with the MAC address of the next
hop. This process continues from router to router until the packet reaches its destination IP address.

Reflection Question
Wireshark does not display the preamble field of a frame header. What does the preamble contain?
Type your answers here.
The preamble field contains seven octets of alternating 1010 sequences, and one octet that signals the beginning of
the frame, 10101011.