
Lab - Using Wireshark to View Network Traffic

Topology

Objectives
Part 1: (Optional) Download and Install Wireshark
Part 2: Capture and Analyze Local ICMP Data in Wireshark
Start and stop data capture of ping traffic to local hosts.
Locate the IP and MAC address information in captured PDUs.
Part 3: Capture and Analyze Remote ICMP Data in Wireshark
Start and stop data capture of ping traffic to remote hosts.
Locate the IP and MAC address information in captured PDUs.
Explain why MAC addresses for remote hosts are different than the MAC addresses of local hosts.

Background / Scenario
Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications.
Wireshark is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. This lab provides instructions for downloading and installing Wireshark, although it may already be installed. In this lab, you will use Wireshark to capture ICMP data packet IP addresses and Ethernet frame MAC addresses.

2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 20

Required Resources
1 PC (Windows 7, Vista, or XP with Internet access)
Additional PC(s) on a local-area network (LAN) will be used to reply to ping requests.

Part 1: (Optional) Download and Install Wireshark
Wireshark has become the industry standard packet-sniffer program used by network engineers. This open source software is available for many different operating systems, including Windows, Mac, and Linux. In Part 1 of this lab, you will download and install the Wireshark software program on your PC.
Note: If Wireshark is already installed on your PC, you can skip Part 1 and go directly to Part 2. If Wireshark is not installed on your PC, check with your instructor about your academy's software download policy.

Step 1: Download Wireshark.
a. Wireshark can be downloaded from www.wireshark.org.
b. Click Download Wireshark.
c. Choose the software version you need based on your PC's architecture and operating system. For instance, if you have a 64-bit PC running Windows, choose Windows Installer (64-bit).

After making a selection, the download should start. The location of the downloaded file depends on the browser and operating system that you use. For Windows users, the default location is the Downloads folder.

Step 2: Install Wireshark.
a. The downloaded file is named Wireshark-win64-x.x.x.exe, where x represents the version number. Double-click the file to start the installation process.
b. Respond to any security messages that may display on your screen. If you already have a copy of Wireshark on your PC, you will be prompted to uninstall the old version before installing the new version. It is recommended that you remove the old version of Wireshark prior to installing another version. Click Yes to uninstall the previous version of Wireshark.
c. If this is the first time to install Wireshark, or after you have completed the uninstall process, you will navigate to the Wireshark Setup wizard. Click Next.

d. Continue advancing through the installation process. Click I Agree when the License Agreement window displays.
e. Keep the default settings on the Choose Components window and click Next.

f. Choose your desired shortcut options and click Next.
g. You can change the installation location of Wireshark, but unless you have limited disk space, it is recommended that you keep the default location.

h. To capture live network data, WinPcap must be installed on your PC. If WinPcap is already installed on your PC, the Install check box will be unchecked. If your installed version of WinPcap is older than the version that comes with Wireshark, it is recommended that you allow the newer version to be installed by clicking the Install WinPcap x.x.x (version number) check box.
i. Finish the WinPcap Setup Wizard if installing WinPcap.
j. Wireshark starts installing its files and a separate window displays with the status of the installation. Click Next when the installation is complete.

k. Click Finish to complete the Wireshark install process.

Part 2: Capture and Analyze Local ICMP Data in Wireshark
In Part 2 of this lab, you will ping another PC on the LAN and capture ICMP requests and replies in Wireshark. You will also look inside the captured frames for specific information. This analysis should help to clarify how packet headers are used to transport data to their destination.

Step 1: Retrieve your PC's interface addresses.
For this lab, you will need to retrieve your PC's IP address and its network interface card (NIC) physical address, also called the MAC address.

a. Open a command window, type ipconfig /all, and then press Enter.
b. Note your PC interface's IP address and MAC (physical) address.
c. Ask a team member for their PC's IP address and provide your PC's IP address to them. Do not provide them with your MAC address at this time.

Step 2: Start Wireshark and begin capturing data.
a. On your PC, click the Windows Start button to see Wireshark listed as one of the programs on the pop-up menu. Double-click Wireshark.
b. After Wireshark starts, click Interface List.
Note: Clicking the first interface icon in the row of icons also opens the Interface List.

c. On the Wireshark: Capture Interfaces window, click the check box next to the interface connected to your LAN.
Note: If multiple interfaces are listed and you are unsure which interface to check, click the Details button, and then click the 802.3 (Ethernet) tab. Verify that the MAC address matches what you noted in Step 1b. Close the Interface Details window after verifying the correct interface.
d. After you have checked the correct interface, click Start to start the data capture.

Information will start scrolling down the top section in Wireshark. The data lines will appear in different colors based on protocol.
e. This information can scroll by very quickly depending on what communication is taking place between your PC and the LAN. We can apply a filter to make it easier to view and work with the data that is being captured by Wireshark. For this lab, we are only interested in displaying ICMP (ping) PDUs. Type icmp in the Filter box at the top of Wireshark and press Enter or click on the Apply button to view only ICMP (ping) PDUs.

f. This filter causes all data in the top window to disappear, but you are still capturing the traffic on the interface. Bring up the command prompt window that you opened earlier and ping the IP address that you received from your team member. Notice that you start seeing data appear in the top window of Wireshark again.
Note: If your team member's PC does not reply to your pings, this may be because their PC firewall is blocking these requests. Please see Appendix A: Allowing ICMP Traffic Through a Firewall for information on how to allow ICMP traffic through the firewall using Windows 7.
g. Stop capturing data by clicking the Stop Capture icon.

Step 3: Examine the captured data.
In Step 3, examine the data that was generated by the ping requests of your team member's PC. Wireshark data is displayed in three sections: 1) The top section displays the list of PDU frames captured with a summary of the IP packet information listed, 2) the middle section lists PDU information for the frame selected in the top part of the screen and separates a captured PDU frame by its protocol layers, and 3) the bottom section displays the raw data of each layer. The raw data is displayed in both hexadecimal and decimal form.
a. Click the first ICMP request PDU frame in the top section of Wireshark. Notice that the Source column has your PC's IP address, and the Destination column contains the IP address of the teammate's PC you pinged.

b. With this PDU frame still selected in the top section, navigate to the middle section. Click the plus sign to the left of the Ethernet II row to view the Destination and Source MAC addresses.
Does the Source MAC address match your PC's interface?
Does the Destination MAC address in Wireshark match your team member's MAC address?
How is the MAC address of the pinged PC obtained by your PC?
Note: In the preceding example of a captured ICMP request, ICMP data is encapsulated inside an IPv4 packet PDU (IPv4 header) which is then encapsulated in an Ethernet II frame PDU (Ethernet II header) for transmission on the LAN.
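
The layered view you read in Wireshark's middle section, and the icmp filter from Step 2e, can be reproduced in a few lines of Python. This is an added example, not part of the Cisco lab: it decodes a constructed Ethernet II / IPv4 / ICMP frame into its three layers and applies the equivalent of the icmp display filter; every MAC address, IP address and frame byte in it is a constructed sample value.

```python
# Added example (not from the Cisco lab): decode a captured frame the way
# Wireshark's middle pane does (Ethernet II -> IPv4 -> ICMP) and apply the
# equivalent of the "icmp" display filter. All bytes below are constructed.
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP, IPPROTO_ICMP = 0x0800, 0x0806, 1
ICMP_NAMES = {0: "Echo (ping) reply", 8: "Echo (ping) request"}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)
def ip_str(b):
    return ".".join(str(x) for x in b)
def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))

def decode_frame(frame):
    """Layered view of one Ethernet II frame; non-IPv4 frames (e.g. ARP)
    only get the Ethernet layer decoded, like Wireshark's Ethernet II row."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"eth": {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "type": ethertype}}
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    layers["ip"] = {"src": ip_str(ip[12:16]), "dst": ip_str(ip[16:20]), "proto": ip[9]}
    if ip[9] == IPPROTO_ICMP and len(ip) >= ihl + 2:
        layers["icmp"] = {"type": ip[ihl], "code": ip[ihl + 1],
                          "name": ICMP_NAMES.get(ip[ihl], "other")}
    return layers

def filter_icmp(frames):
    """Equivalent of typing icmp in the Filter box: keep only frames carrying an ICMP PDU."""
    return [d for d in map(decode_frame, frames) if d and "icmp" in d]

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload):
    """Construct a minimal Ethernet II / IPv4 frame (checksums left zero) as sample input."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + payload

# Constructed sample capture: a ping request 192.168.1.10 -> 192.168.1.20, then an ARP frame.
PC_MAC, PEER_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # type 8, code 0, id 1, seq 1
SAMPLE_FRAMES = [build_frame(PC_MAC, PEER_MAC, "192.168.1.10", "192.168.1.20", IPPROTO_ICMP, ECHO_REQUEST),
                 PEER_MAC + PC_MAC + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)]
```

Running filter_icmp(SAMPLE_FRAMES) keeps only the echo request, exactly as the ARP frame vanishes from Wireshark's top section once the icmp filter is applied.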

Part 3: Capture and Analyze Remote ICMP Data in Wireshark
In Part 3, you will ping remote hosts (hosts not on the LAN) and examine the generated data from those pings. You will then determine what is different about this data from the data examined in Part 2.

Step 1: Start capturing data on interface.
a. Click the Interface List icon to bring up the list of PC interfaces again.

b. Make sure the check box next to the LAN interface is checked, and then click Start.
c. A window prompts to save the previously captured data before starting another capture. It is not necessary to save this data. Click Continue without Saving.

d. With the capture active, ping the following three website URLs:
1) www.yahoo.com
2) www.cisco.com
3) www.google.com
Note: When you ping the URLs listed, notice that the Domain Name Server (DNS) translates the URL to an IP address. Note the IP address received for each URL.
e. You can stop capturing data by clicking the Stop Capture icon.

Step 2: Examining and analyzing the data from the remote hosts.
a. Review the captured data in Wireshark and examine the IP and MAC addresses of the three locations that you pinged. List the destination IP and MAC addresses for all three locations in the space provided.
1st Location: IP: MAC:
2nd Location: IP: MAC:
3rd Location: IP: MAC:

b. What is significant about this information?
c. How does this information differ from the local ping information you received in Part 2?

Reflection
Why does Wireshark show the actual MAC address of the local hosts, but not the actual MAC address for the remote hosts?
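
The Reflection question comes down to which device's MAC address a host writes into the Ethernet II destination field. The following added example (not part of the Cisco lab) works that decision through in Python for a local target and two remote targets; the subnet, default gateway, ARP cache entries and all addresses are constructed sample values.

```python
# Added example (not from the Cisco lab): which MAC address ends up in the
# Ethernet II destination field when a PC pings a local host versus a remote host.
# The subnet, gateway and ARP cache below are constructed for illustration.
import ipaddress

def next_hop(dst_ip, local_ip, prefix_len, gateway_ip):
    """Return the IP whose MAC the sender must use as the Ethernet destination:
    the target itself if it is on the local subnet, otherwise the default
    gateway, which forwards the packet on from there."""
    local_net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in local_net else gateway_ip

def ethernet_destination(dst_ip, local_ip, prefix_len, gateway_ip, arp_cache):
    """Resolve the next hop through the ARP cache (the PC would send an ARP
    request for a missing entry) and say which device that MAC belongs to."""
    hop = next_hop(dst_ip, local_ip, prefix_len, gateway_ip)
    mac = arp_cache.get(hop)
    if mac is None:
        raise LookupError(f"no ARP entry for next hop {hop}; an ARP request would go out first")
    return {"dst_ip": dst_ip, "next_hop": hop, "dst_mac": mac,
            "mac_belongs_to": "pinged host" if hop == dst_ip else "default gateway"}

# Constructed sample: your PC on 192.168.1.0/24, team member at .20, gateway at .1.
# Remote hosts never appear in the ARP cache because ARP only reaches the local LAN.
LOCAL_IP, PREFIX, GATEWAY = "192.168.1.10", 24, "192.168.1.1"
ARP_CACHE = {"192.168.1.20": "66:77:88:99:aa:bb", "192.168.1.1": "aa:bb:cc:dd:ee:ff"}

if __name__ == "__main__":
    # One local ping and two remote pings (documentation address ranges).
    for target in ("192.168.1.20", "198.51.100.7", "203.0.113.9"):
        print(ethernet_destination(target, LOCAL_IP, PREFIX, GATEWAY, ARP_CACHE))
```

Both remote targets resolve to the same destination MAC, the gateway's, which is what the three captures in Part 3 show.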

Appendix A: Allowing ICMP Traffic Through a Firewall
If the members of your team are unable to ping your PC, the firewall may be blocking those requests. This appendix describes how to create a rule in the firewall to allow ping requests. It also describes how to disable the new ICMP rule after you have completed the lab.

Step 1: Create a new inbound rule allowing ICMP traffic through the firewall.
a. From the Control Panel, click the System and Security option.
b. From the System and Security window, click Windows Firewall.

c. In the left pane of the Windows Firewall window, click Advanced settings.
d. On the Advanced Security window, choose the Inbound Rules option on the left sidebar and then click New Rule on the right sidebar.

e. This launches the New Inbound Rule wizard. On the Rule Type screen, click the Custom radio button and click Next.
f. In the left pane, click the Protocol and Ports option and, using the Protocol type drop-down menu, select ICMPv4, and then click Next.

g. In the left pane, click the Name option and in the Name field, type Allow ICMP Requests. Click Finish.
This new rule should allow your team members to receive ping replies from your PC.

Step 2: Disabling or deleting the new ICMP rule.
After the lab is complete, you may want to disable or even delete the new rule you created in Step 1. Using the Disable Rule option allows you to enable the rule again at a later date. Deleting the rule permanently deletes it from the list of Inbound Rules.
a. On the Advanced Security window, in the left pane, click Inbound Rules and then locate the rule you created in Step 1.

b. To disable the rule, click the Disable Rule option. When you choose this option, you will see this option change to Enable Rule. You can toggle back and forth between Disable Rule and Enable Rule; the status of the rule also shows in the Enabled column of the Inbound Rules list.
c. To permanently delete the ICMP rule, click Delete. If you choose this option, you must re-create the rule to allow ICMP replies.
