
Lab 11.5.6: Final Case Study - Datagram Analysis with Wireshark (Instructor Version)
Learning Objectives
Upon completion of this exercise, students will be able to demonstrate:

- How a TCP segment is constructed, and explain the segment fields.
- How an IP packet is constructed, and explain the packet fields.
- How an Ethernet II frame is constructed, and explain the frame fields.
- Contents of an ARP REQUEST and ARP REPLY.

Background
This lab requires two captured packet files and Wireshark, a network protocol analyzer. Download the
following files from Eagle server, and install Wireshark on your computer if it is not already installed:
- eagle1_web_client.pcap (discussed)
- eagle1_web_server.pcap (reference only)
- wireshark.exe

Scenario
This exercise details the sequence of datagrams that are created and sent across a network between a web
client, PC_Client, and web server, eagle1.example.com. Understanding the process involved in sequentially
placing packets on the network will enable the student to logically troubleshoot network failures when
connectivity breaks. For brevity and clarity, network packet noise has been omitted from the captures.
Before executing a network protocol analyzer on a network that belongs to someone else, be sure to get permission, in writing.
Figure 1 shows the topology of this lab.

All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 1 of 10

Figure 1. Network Topology.

Task 1: Prepare the Lab.

Using Microsoft command line tools, the IP configuration information and the contents of the ARP cache are displayed. Refer to Figure 2.

C:\> ipconfig /all

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00:02:3f:7e:37:da
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.1.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.1.254
   DNS Servers . . . . . . . . . . . : 10.1.1.250

C:\> arp -a
No ARP Entries Found

C:\>

Figure 2. PC Client initial network state.

A web client is started, and the URL eagle1.example.com is entered, as shown in Figure 3. This begins the communication process to the web server, and is where the captured packets start.

Figure 3. PC Client with web browser.

Step 1: Start Wireshark on your computer.

To ensure there is no automatic translation of MAC addresses, de-select Name Resolution for the MAC layer and the Transport layer. Uncheck Main toolbar, Filter toolbar, and Packet Bytes. Verify that Packet List and Packet Details are checked. Refer to Figure 4 for changes to the default output.

Figure 4. Wireshark default view changes.

Step 2: Load the web client capture, eagle1_web_client.pcap.

A screen similar to Figure 5 will be displayed.

Figure 5. Wireshark with file eagle1_web_client.pcap loaded.

Various pull-down menus and sub-menus are available. There are also two separate data windows. The top Wireshark window lists all captured packets. The bottom window contains packet details. In the bottom window, each line that contains a check box indicates that additional information is available.

Task 2: Review the Process of Data Flowing through the Network.

Step 1: Review Transport layer operation.

When PC_Client builds the datagram for a connection with eagle1.example.com, the datagram travels down the various network layers. At each layer, important header information is added. Because this communication is from a web client, the Transport Layer protocol will be TCP. Consider the TCP segment, shown in Figure 6. PC_Client generates an internal TCP port address, in this conversation 1085, and knows the well-known web server port address, 80. Data is included, provided by the Application Layer. Some information will not be known to PC_Client, so it must be discovered using other network protocols. For example, a sequence number has been internally generated, but there is no acknowledgement number. Before this segment can move to the Network Layer, the TCP three-way handshake must be performed.

Figure 6. TCP Segment fields: Source Port, Destination Port, Sequence Number, Acknowledgement Number, Data Offset, Reserved, ECN, Control Bits, Window, Checksum, Urgent Pointer, Options and Padding, Data.

Step 2: Review Network layer operation.

At the Network Layer, the IPv4 (IP) packet has several fields ready with information. This is shown in Figure 7. For example, the packet Version (IPv4) is known, as well as the source IP address. The destination for this packet is eagle1.example.com; the corresponding IP address must be discovered through DNS (Domain Name Services). Until the upper layer datagram is received, fields related to the upper layer protocols are empty.

Figure 7. IP Packet fields: Version, IHL, TOS, Total Length, Identification, Flags, Fragment Offset, TTL, Protocol, Header Checksum, Source IP Address, Destination IP Address, Data.

Step 3: Review Data Link layer operation.

Before the datagram is placed on the physical medium, it must be encapsulated inside a frame. This is shown in Figure 8. PC_Client has knowledge of the source MAC address, but the destination MAC address must be discovered. The ARP protocol is broadcast on the LAN to learn the destination MAC address for eagle1.example.com.

Figure 8. Ethernet II frame fields.

   Ethernet II Frame Format
   Preamble              8 Octets
   Destination Address   6 Octets
   Source Address        6 Octets
   Frame Type            2 Octets
   Data                  46-1500 Octets
   CRC                   4 Octets

Task 3: Analyze Captured Packets.

Step 1: Review the data flow sequence.

A review of missing information will be helpful in following the captured packet sequence:

a. The MAC address for eagle1.example.com is unknown.
b. The TCP 3-way handshake cannot occur because PC_Client does not know the IP address for eagle1.example.com. This is resolved with a DNS request from PC_Client to the DNS server.
c. The DNS server cannot be queried because the MAC address for the DNS server is not known. The ARP protocol is broadcast on the LAN to discover the MAC address for the DNS server.
d. The TCP segment cannot be constructed because the acknowledgement field is blank. A TCP 3-way handshake with eagle1.example.com must first be completed.

Step 2: Examine the ARP request.

Refer to Wireshark, Packet List window, No. 1. The captured frame is an ARP (Address Resolution Protocol) Request. Contents of the Ethernet II frame can be viewed by clicking on the check box in the second line of the Packet Details window.

1. What is the source MAC address for the ARP Request? __________ Answer: 00:02:31:7e:73:da
2. What is the destination MAC address for the ARP Request? __________ Answer: ff:ff:ff:ff:ff:ff

Contents of the ARP Request can be viewed by clicking on the ARP Request line in the Packet Details window.

3. What is the unknown IP address in the ARP Request? __________ Answer: 10.1.1.250
4. What is the Ethernet II Frame Type? __________ Answer: 0x0806 (ARP)

Step 3: Examine the ARP reply.

Refer to Wireshark, Packet List window, No. 2. The DNS server sent an ARP Reply. Using the Packet Details window, answer the following questions:

1. What is the source MAC address for the ARP Reply? __________ Answer: 00:0c:29:63:17:a5
2. What is the destination MAC address for the ARP Reply? __________ Answer: 00:02:31:7e:73:da
3. What is the Ethernet II Frame Type? __________ Answer: 0x0806 (ARP)
4. What is the destination IP address in the ARP Reply? __________ Answer: 10.1.1.1
5. Why did the DNS server not have to send an ARP Request for the PC_Client MAC address? __________ Answer: When an ARP Request is received, the source MAC address of the request is stored in the receiver's ARP cache.
6. Based on the observation of the ARP protocol, what can be inferred about an ARP Request destination address and an ARP Reply destination address? __________ Answer: The destination address for an ARP Request is a broadcast address, while the destination address for an ARP Reply is a unicast address.

Step 4: Examine the DNS query.

Refer to Wireshark, Packet List window, No. 3. PC_Client sent a DNS query to the DNS server. Using the Packet Details window, answer the following questions:

1. What is the Ethernet II Frame Type? __________ Answer: 0x0800 (IP)
2. What is the Transport Layer protocol, and what is the destination port number? __________ Answer: UDP, Port 53

Step 5: Examine the DNS query response.

Refer to Wireshark, Packet List window, No. 4. The DNS server sent a DNS query response to PC_Client.

1. What is the Ethernet II Frame Type? __________ Answer: 0x0800 (IP)
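The following Python program is an added example, not part of the Cisco lab, that builds and decodes the ARP exchange of Steps 2 and 3 (packets No. 1 and No. 2) from constructed bytes: the Ethernet II fields of Figure 8, the ARP opcode and addresses, the broadcast versus unicast destination, and the ARP-cache learning that lets the DNS server reply without sending an ARP Request of its own. The MAC and IP addresses are the ones in the answer keys above; the frames themselves are constructed here with the standard library only and are not taken from eagle1_web_client.pcap.

```python
import struct

# EtherType values and ARP opcodes as they appear in the lab's answer keys
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Addresses taken from the lab's answer keys (PC_Client and the DNS server)
PC_MAC, PC_IP = "00:02:31:7e:73:da", "10.1.1.1"
DNS_MAC, DNS_IP = "00:0c:29:63:17:a5", "10.1.1.250"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame):
    """Split an Ethernet II frame into the fields of Figure 8. The preamble and
    CRC never reach software, so a capture starts at the destination address."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src),
            "type": ethertype, "payload": frame[14:]}


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP packet (the 28 bytes after the frame header)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"opcode": opcode,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble a complete frame. A request goes to the broadcast MAC with an
    all-zero target MAC (the value being asked for); a reply is unicast."""
    dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, opcode,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def learn_from_arp(cache, frame):
    """What the DNS server did in Step 3: record the sender MAC/IP of any ARP
    packet it receives, so replying needs no ARP Request of its own."""
    eth = parse_ethernet(frame)
    if eth["type"] == ETHERTYPE_ARP:
        arp = parse_arp(eth["payload"])
        cache[arp["sender_ip"]] = arp["sender_mac"]
    return cache


def arp_exchange():
    """Constructed exchange mirroring packets No. 1 and No. 2 of the lab capture."""
    request = build_arp_frame(ARP_REQUEST, PC_MAC, PC_IP, ZERO_MAC, DNS_IP)
    dns_cache = learn_from_arp({}, request)      # DNS server learns PC_Client
    reply = build_arp_frame(ARP_REPLY, DNS_MAC, DNS_IP, dns_cache[PC_IP], PC_IP)
    pc_cache = learn_from_arp({}, reply)         # PC_Client learns the DNS server
    return request, reply, pc_cache


if __name__ == "__main__":
    req, rep, cache = arp_exchange()
    for name, frame in (("request", req), ("reply", rep)):
        eth = parse_ethernet(frame)
        arp = parse_arp(eth["payload"])
        print(f"{name}: dst={eth['dst']} type=0x{eth['type']:04x} opcode={arp['opcode']} "
              f"sender={arp['sender_ip']}/{arp['sender_mac']} target={arp['target_ip']}")
    print("PC_Client ARP cache after the reply:", cache)
```

The request's Ethernet destination is the broadcast address and its ARP target MAC is all zeros, while the reply is addressed to PC_Client's MAC directly, which is the observation behind question 6 of Step 3.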

2. What is the Transport Layer protocol, and what is the destination port number? __________ Answer: UDP, Port 1043
3. What is the IP address for eagle1.example.com? __________ Answer: 10.1.2.251
4. Is this IP address different than the IP address for eagle1.example.com? Explain. __________ Answer: Yes. Since 10.1.2.251 is on a different network than 10.1.1.0/24, PC_Client must have the ARP address to the Gateway.
5. A colleague is a firewall administrator, and asked if you thought of any reason why all UDP packets should not be blocked from entering the internal network. What is your response? __________ Answer: DNS uses UDP for providing name translation. If all UDP packets were dropped at the firewall, employees could not translate names to IP addresses. A better approach would be to employ a stateful packet filter and create rules that permit established and related traffic through the firewall.

Step 6: Examine the ARP request.

Refer to Wireshark, Packet List window, No. 5 and No. 6. PC_Client sent an ARP Request to IP address 10.1.1.254. The ARP Reply was from the Gateway.

Step 7: Examine the TCP 3-way handshake.

Refer to Wireshark, Packet List window, No. 7, 8, and 9. These captures contain the TCP 3-way handshake between PC_Client and eagle1.example.com. Initially, only the TCP SYN flag is set on the datagram sent from PC_Client, sequence number 0. eagle1.example.com responds with the TCP ACK and SYN flags set, along with an acknowledgement of 1 and sequence of 0. In the eagle1.example.com response there is an unexplained value, MSS=1460. MSS stands for Maximum Segment Size. When a TCP segment is transported over IPv4, MSS is computed to be the maximum size of an IPv4 datagram minus 40 bytes. This value is sent during connection startup. This is also when TCP sliding windows are negotiated.

1. If the initial TCP sequence value from PC_Client is 0, why did eagle1.example.com respond with an acknowledgement of 1? __________ Answer: TCP employs expectational acknowledgements. This means that the TCP acknowledgement number sent is for the expected sequence number of the next packet.
2. In the Packet List window, No. 8, what does the IP Flag value of 0x04 mean? __________ Answer: IP Flag values (bit weights 8 4 2 1):
   0 - Reserved (not set)
   1 - Don't Fragment (set)
   0 - More Fragments (not set)
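The following Python program is an added example, not part of the Cisco lab, that constructs the three handshake packets of Step 7 (No. 7, 8 and 9) from the header layouts of Figures 6 and 7 and then checks them the way the Wireshark [SEQ/ACK analysis] pane does: the expectational acknowledgement (a SYN with sequence 0 is acknowledged with 1), the MSS option, the control bits left set after the handshake, and the Don't Fragment flag that the lab's Wireshark displays as 0x04. The IP addresses and ports come from the lab; the identification and TTL values, the relative sequence numbers and the packets themselves are constructed here, and the TCP checksum is deliberately left at zero since nothing in the lab inspects it.

```python
import struct

# TCP control bits of Figure 6, least significant first (FIN = bit 0)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = (1 << i for i in range(8))
FLAG_NAMES = {TCP_CWR: "CWR", TCP_ECE: "ECE", TCP_URG: "URG", TCP_ACK: "ACK",
              TCP_PSH: "PSH", TCP_RST: "RST", TCP_SYN: "SYN", TCP_FIN: "FIN"}
IP_DF = 0x4000  # Don't Fragment bit inside the 16-bit flags/fragment-offset word

# Addresses and ports from the lab: PC_Client (port 1085) and eagle1.example.com (port 80)
CLIENT_IP, SERVER_IP = "10.1.1.1", "10.1.2.251"
CLIENT_PORT, SERVER_PORT = 1085, 80

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def ipv4_checksum(header):
    """One's-complement sum of 16-bit words (header length is a multiple of 4)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, payload, ident, df=True, ttl=128, proto=6):
    """IPv4 header of Figure 7 with a valid header checksum (constructed values)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      IP_DF if df else 0, ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def build_tcp(sport, dport, seq, ack, flags, window=65535, mss=None, data=b""):
    """TCP header of Figure 6; checksum left zero (it needs the IP pseudo-header)."""
    options = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, window, 0, 0)
    return hdr + options + data

def parse_ipv4(packet):
    (vihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"ident": ident, "ttl": ttl, "proto": proto,
            "src": ip_str(src), "dst": ip_str(dst),
            "df": bool(flags_frag & IP_DF),
            # The lab's Wireshark shows the flags as the top four bits of the
            # word, which is why DF on its own reads 0x04
            "flags_display": flags_frag >> 12,
            "payload": packet[ihl:total_len]}

def parse_tcp(segment):
    (sport, dport, seq, ack, off_res, flags,
     window, _csum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off_res >> 4) * 4
    mss, opts, i = None, segment[20:hlen], 0
    while i < len(opts):            # walk the option TLVs
        kind = opts[i]
        if kind == 0:               # end of option list
            break
        if kind == 1:               # NOP padding has no length byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
            "window": window, "mss": mss, "data": segment[hlen:]}

def expected_ack(seg):
    """Expectational acknowledgement: the next sequence number the peer should
    send. SYN and FIN each consume one sequence number although they carry no data."""
    consumed = len(seg["data"]) + ("SYN" in seg["flags"]) + ("FIN" in seg["flags"])
    return (seg["seq"] + consumed) & 0xFFFFFFFF

def three_way_handshake():
    """Constructed packets No. 7, 8 and 9 using the relative sequence numbers
    (0 and 0) that Wireshark displays."""
    syn = build_tcp(CLIENT_PORT, SERVER_PORT, 0, 0, TCP_SYN, mss=1460)
    synack = build_tcp(SERVER_PORT, CLIENT_PORT, 0, 1, TCP_SYN | TCP_ACK, mss=1460)
    ack = build_tcp(CLIENT_PORT, SERVER_PORT, 1, 1, TCP_ACK)
    return [build_ipv4(CLIENT_IP, SERVER_IP, syn, ident=1),
            build_ipv4(SERVER_IP, CLIENT_IP, synack, ident=2),
            build_ipv4(CLIENT_IP, SERVER_IP, ack, ident=3)]

def check_handshake(packets):
    """Check the handshake the way the [SEQ/ACK analysis] pane does."""
    ip = [parse_ipv4(p) for p in packets]
    syn, synack, ack = (parse_tcp(x["payload"]) for x in ip)
    return {"syn_flags": syn["flags"],
            "synack_acks_syn": synack["ack"] == expected_ack(syn),   # seq 0 -> ack 1
            "ack_acks_synack": ack["ack"] == expected_ack(synack),
            "final_flags": ack["flags"],                             # only ACK remains set
            "server_mss": synack["mss"],
            "df_display": [x["flags_display"] for x in ip]}          # 0x04 on each packet

if __name__ == "__main__":
    for key, value in check_handshake(three_way_handshake()).items():
        print(f"{key}: {value}")
```

The same expected_ack rule later explains the data transfer: a segment carrying N bytes at sequence S is acknowledged with S + N, which is how Wireshark pairs an ACK with the segment it answers.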

3. When PC_Client completes the TCP 3-way handshake, what are the TCP flag states returned to eagle1.example.com? __________ Answer: TCP Flag states:

   Bit Position   Flag                        State
   7              Congestion Window Reduced   0
   6              ECN-Echo                    0
   5              Urgent                      0
   4              ACK                         1
   3              PSH                         0
   2              RST                         0
   1              SYN                         0
   0              FIN                         0

Task 4: Complete the Final Analysis.

Step 1: Match the Wireshark output to the process.

It has taken a total of nine datagrams sent between PC_Client, Gateway, DNS server, and eagle1.example.com before PC_Client has sufficient information to send the original web client request to eagle1.example.com. This is shown in Wireshark Packet List No. 10, where PC_Client sent a web protocol GET request. Fill in the correct Wireshark Packet List number that satisfies each of the following missing entries:

a. The DNS server cannot be queried because the MAC address for the DNS server is not known. The ARP protocol is broadcast on the LAN to discover the MAC address for the DNS server. ________
b. The TCP 3-way handshake cannot occur because PC_Client does not know the IP address for eagle1.example.com. This is resolved with a DNS request from PC_Client to the DNS server. ________
c. The TCP segment cannot be constructed because the acknowledgement field is blank. A TCP 3-way handshake with eagle1.example.com must first be completed. ________
d. The MAC address for the gateway to reach eagle1.example.com is unknown. The ARP protocol is broadcast on the LAN to learn the destination MAC address for the gateway. ________

Answer:
a. The DNS server cannot be queried because the MAC address for the DNS server is not known. The ARP protocol is broadcast on the LAN to discover the MAC address for the DNS server. Wireshark Packet List No. 2, the ARP response from the DNS server.
b. The TCP 3-way handshake cannot occur because PC_Client does not know the IP address for eagle1.example.com. This is resolved with a DNS request from PC_Client to the DNS server. Wireshark Packet List No. 4, the DNS query response.
c. The TCP segment cannot be constructed because the acknowledgement field is blank. A TCP 3-way handshake with eagle1.example.com must first be completed. Wireshark Packet List No. 9, the TCP ACK response to eagle1.example.com.

d. The MAC address for the gateway to reach eagle1.example.com is unknown. The ARP protocol is broadcast on the LAN to learn the destination MAC address for the gateway. Wireshark Packet List No. 6, the ARP response from the Gateway.

2. Wireshark Packet List No. 11 is an acknowledgement from eagle1.example.com to the PC_Client GET request.
3. Wireshark Packet List No. 12, 13 and 15 are TCP segments from eagle1.example.com.
4. Wireshark Packet List No. 14 and 16 are ACK datagrams from PC_Client. The ACK datagram for Wireshark Packet List No. 14 is a response to which datagram from eagle1.example.com? _______________ Answer: No. 13
   To verify the ACK, highlight Wireshark Packet List No. 14, scroll down to the bottom of the detail list window, and expand the [SEQ/ACK analysis] frame. Review the information inside the [SEQ/ACK analysis] frame.
5. Wireshark Packet List No. 17 datagram is sent from PC_Client to eagle1.example.com. What is the purpose of this datagram? Answer: This datagram is a TCP window update to expand the window size.
6. When PC_Client is finished, TCP ACK and FIN flags are sent. eagle1.example.com responds with a TCP ACK, shown in Wireshark Packet List No. 18, and the TCP session is closed.

Step 2: Use Wireshark TCP Stream.

Analyzing packet contents can be a daunting experience, time consuming and error prone. Wireshark includes an option that constructs the TCP Stream in a separate window. To use this feature, first select a TCP datagram from the Wireshark Packet List. Next, select Wireshark menu options Analyze | Follow TCP Stream. A window similar to Figure 9 will be displayed.

Figure 9. Output of the TCP stream.
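The following Python program is an added example, not part of the Cisco lab, that performs the two analyses of this task on a constructed conversation: the [SEQ/ACK analysis] pairing of each ACK with the segment it answers (the lab's No. 14 acknowledging No. 13), the recognition of a pure window update, and the reassembly of one direction of the stream by sequence number, which is what Analyze | Follow TCP Stream displays. The packet numbers, byte counts and window sizes in sample_conversation() are constructed to mirror the lab's description of the GET, the server's data segments, the client's ACKs, the window update and the orderly close; they are not read from eagle1_web_client.pcap.

```python
from dataclasses import dataclass

CLIENT, SERVER = "PC_Client", "eagle1.example.com"


@dataclass
class Segment:
    no: int               # Packet List number (constructed, not the capture's)
    src: str
    seq: int              # relative sequence number, as Wireshark shows it
    ack: int
    flags: frozenset
    window: int
    data: bytes = b""

    @property
    def next_seq(self):
        # Expectational ACK: the sequence number the receiver will ask for next;
        # SYN and FIN consume one number each although they carry no data
        return self.seq + len(self.data) + ("SYN" in self.flags) + ("FIN" in self.flags)


def acked_segment(seg, history):
    """The [SEQ/ACK analysis] line 'This is an ACK to the segment in frame N':
    the latest earlier segment from the other side whose next_seq equals seg.ack."""
    matches = [h for h in history if h.src != seg.src and h.no < seg.no
               and h.next_seq != h.seq and h.next_seq == seg.ack]
    return matches[-1].no if matches else None


def is_window_update(seg, history):
    """Same seq and ack as this side's previous segment, no data, and a larger
    advertised window: the receiver is only announcing more buffer space."""
    if seg.data or "SYN" in seg.flags or "FIN" in seg.flags:
        return False
    prev = [h for h in history if h.src == seg.src and h.no < seg.no]
    if not prev:
        return False
    last = prev[-1]
    return seg.seq == last.seq and seg.ack == last.ack and seg.window > last.window


def analyze(segments):
    """Annotate each segment the way the questions of Step 1 do."""
    notes = {}
    for seg in segments:
        if is_window_update(seg, segments):
            notes[seg.no] = "TCP window update"
        elif seg.data:
            notes[seg.no] = f"{len(seg.data)} bytes of data"
        elif "FIN" in seg.flags:
            notes[seg.no] = "FIN/ACK"
        else:
            target = acked_segment(seg, segments)
            notes[seg.no] = f"ACK for No. {target}" if target else "ACK"
    return notes


def follow_stream(segments, src):
    """Reassemble one direction of the conversation in sequence-number order, as
    Analyze | Follow TCP Stream does; retransmitted duplicates collapse."""
    by_seq = {s.seq: s.data for s in segments if s.src == src and s.data}
    return b"".join(by_seq[k] for k in sorted(by_seq))


def sample_conversation():
    """Constructed segments following the lab's description of the data phase."""
    get = b"GET / HTTP/1.1\r\nHost: eagle1.example.com\r\n\r\n"
    page = [b"HTTP/1.1 200 OK\r\n\r\n<html>", b"<body>hello</body>", b"</html>"]
    A, D, F = frozenset({"ACK"}), frozenset({"ACK", "PSH"}), frozenset({"ACK", "FIN"})
    c_next = 1 + len(get)                 # client's next sequence number after the GET
    s1, s2, s3 = 1, 1 + len(page[0]), 1 + len(page[0]) + len(page[1])
    s_end = s3 + len(page[2])
    return [
        Segment(10, CLIENT, 1, 1, D, 65535, get),
        Segment(11, SERVER, 1, c_next, A, 5840),
        Segment(12, SERVER, s1, c_next, D, 5840, page[0]),
        Segment(13, SERVER, s2, c_next, D, 5840, page[1]),
        Segment(14, CLIENT, c_next, s3, A, 65535),
        Segment(15, SERVER, s3, c_next, D, 5840, page[2]),
        Segment(16, CLIENT, c_next, s_end, A, 65535),
        Segment(17, CLIENT, c_next, s_end, A, 131070),     # window update only
        Segment(18, CLIENT, c_next, s_end, F, 131070),     # client closes
        Segment(19, SERVER, s_end, c_next + 1, A, 5840),   # FIN acknowledged
    ]


if __name__ == "__main__":
    segs = sample_conversation()
    for no, note in analyze(segs).items():
        print(f"No. {no}: {note}")
    print(follow_stream(segs, SERVER).decode())
```

Cumulative acknowledgement is why No. 14 is reported against No. 13 only: the ACK number equals the end of No. 13, which implicitly covers No. 12 as well.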

Task 5: Conclusion

Using a network protocol analyzer can serve as an effective learning tool for understanding critical elements of network communication. Once the network administrator is familiar with communication protocols, the same protocol analyzer can become an effective troubleshooting tool when there is a network failure. For example, if a web browser could not connect to a web server, there could be multiple causes. A protocol analyzer will show unsuccessful ARP requests, unsuccessful DNS queries, and unacknowledged packets.

Task 6: Summary

In this exercise the student has learned how a web client and web server communicate. Behind-the-scenes protocols such as DNS and ARP are used to fill in missing parts of IP packets and Ethernet frames, respectively. Before a TCP session can begin, the TCP 3-way handshake must build a reliable path and supply both communicating ends with initial TCP header information. Finally, the TCP session is destroyed in an orderly manner, with the client issuing a TCP FIN flag.