Lab - Using Wireshark to View Network Traffic
Topology

Objectives
Part 1: (Optional) Download and Install Wireshark
Part 2: Capture and Analyze Local ICMP Data in Wireshark
Start and stop data capture of ping traffic to local hosts.
Locate the IP and MAC address information in captured PDUs.
Part 3: Capture and Analyze Remote ICMP Data in Wireshark
Start and stop data capture of ping traffic to remote hosts.
Locate the IP and MAC address information in captured PDUs.
Explain why MAC addresses for remote hosts are different from the MAC addresses of local hosts.
Background / Scenario
Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications.

Wireshark is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. This lab provides instructions for downloading and installing Wireshark, although it may already be installed. In this lab, you will use Wireshark to capture ICMP data packet IP addresses and Ethernet frame MAC addresses.
Required Resources
1 PC (Windows 7, Vista, or XP with Internet access)
Additional PC(s) on a local-area network (LAN) will be used to reply to ping requests.
Part 1: (Optional) Download and Install Wireshark
Wireshark has become the industry standard packet-sniffer program used by network engineers. This open source software is available for many different operating systems, including Windows, Mac, and Linux. In Part 1 of this lab, you will download and install the Wireshark software program on your PC.
Note: If Wireshark is already installed on your PC, you can skip Part 1 and go directly to Part 2. If Wireshark is not installed on your PC, check with your instructor about your academy's software download policy.

Step 1: Download Wireshark.
a. Wireshark can be downloaded from www.wireshark.org.
b. Click Download Wireshark.

Step 2: Install Wireshark.
a. The downloaded file is named Wireshark-win64-x.x.x.exe, where x represents the version number. Before running it, confirm that the file carries a valid digital signature (right-click the file, click Properties, and check the Digital Signatures tab). Double-click the file to start the installation process.
b. Respond to any security messages that may display on your screen. If you already have a copy of Wireshark on your PC, you will be prompted to uninstall the old version before installing the new version. It is recommended that you remove the old version of Wireshark prior to installing another version. Click Yes to uninstall the previous version of Wireshark.
d. Continue advancing through the installation process. Click I Agree when the License Agreement window displays.
g. You can change the installation location of Wireshark, but unless you have limited disk space, it is recommended that you keep the default location.
j. Wireshark starts installing its files and a separate window displays with the status of the installation. Click Next when the installation is complete.
Part 2: Capture and Analyze Local ICMP Data in Wireshark
In Part 2 of this lab, you will ping another PC on the LAN and capture ICMP requests and replies in Wireshark. You will also look inside the captured frames for specific information. This analysis should help to clarify how packet headers are used to transport data to their destination.

Step 1: Retrieve your PC's interface addresses.
For this lab, you will need to retrieve your PC's IP address and its network interface card (NIC) physical address, also called the MAC address.

Step 2: Start Wireshark and begin capturing data.
a. On your PC, click the Windows Start button to see Wireshark listed as one of the programs on the pop-up menu. Double-click Wireshark.
b. After Wireshark starts, click Interface List.
d. After you have checked the correct interface, click Start to start the data capture. Information will start scrolling down the top section in Wireshark. The data lines will appear in different colors based on protocol.
f. This filter causes all data in the top window to disappear, but you are still capturing the traffic on the interface. Bring up the command prompt window that you opened earlier and ping the IP address that you received from your team member. Notice that you start seeing data appear in the top window of Wireshark again.
Note: If your team member's PC does not reply to your pings, this may be because their PC firewall is blocking these requests. Please see Appendix A: Allowing ICMP Traffic Through a Firewall for information on how to allow ICMP traffic through the firewall using Windows 7.
g. Stop capturing data by clicking the Stop Capture icon.

Step 3: Examine the captured data.
In Step 3, examine the data that was generated by the ping requests of your team member's PC. Wireshark data is displayed in three sections: 1) the top section displays the list of PDU frames captured with a summary of the IP packet information listed, 2) the middle section lists PDU information for the frame selected in the top part of the screen and separates a captured PDU frame by its protocol layers, and 3) the bottom section displays the raw data of each layer. The raw data is displayed in both hexadecimal and ASCII form.
b. With this PDU frame still selected in the top section, navigate to the middle section. Click the plus sign to the left of the Ethernet II row to view the Destination and Source MAC addresses.
Part 3: Capture and Analyze Remote ICMP Data in Wireshark
In Part 3, you will ping remote hosts (hosts not on the LAN) and examine the data generated from those pings. You will then determine what is different about this data from the data examined in Part 2.

Step 1: Start capturing data on the interface.
a. Click the Interface List icon to bring up the list of PC interfaces again.
d. With the capture active, ping the following three website URLs:
1) www.yahoo.com
2) www.cisco.com
3) www.google.com
Note: When you ping the URLs listed, notice that the Domain Name System (DNS) translates the URL to an IP address. Note the IP address received for each URL.
e. You can stop capturing data by clicking the Stop Capture icon.

Step 2: Examining and analyzing the data from the remote hosts.
a. Review the captured data in Wireshark and examine the IP and MAC addresses of the three locations that you pinged. List the destination IP and MAC addresses for all three locations in the space provided.
1st Location: IP: MAC:
2nd Location: IP: MAC:
3rd Location: IP: MAC:
c. How does this information differ from the local ping information you received in Part 2?

Reflection
Why does Wireshark show the actual MAC address of the local hosts, but not the actual MAC address for the remote hosts?
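The frame dissection of Part 2 Step 3, the local-versus-remote comparison of Part 3 Step 2, and the Reflection question above can all be reproduced offline. The following Python script is an added example written for this page; it is not code from Cisco's lab or from Wireshark. It builds two ICMP Echo Request frames with constructed addresses (locally administered MACs, a 192.168.1.0/24 LAN, and an off-LAN target from the TEST-NET-3 documentation range; all of these are assumptions), decodes them layer by layer the way Wireshark's middle pane does (Ethernet II, IPv4, ICMP), and shows the sending host's forwarding decision that places the default gateway's MAC address, not the remote host's, in the Ethernet header whenever the destination is off the LAN. The 32-byte payload and TTL of 128 are the Windows ping defaults.

```python
"""Decode ICMP ping frames and show why remote pings carry the gateway's MAC.

Added example for this lab; not code from Cisco's lab or from Wireshark.
Every address below is constructed: locally administered MACs (02:...),
a 192.168.1.0/24 LAN, and an off-LAN target from the TEST-NET-3 range.
"""
import ipaddress
import struct

# Constructed lab addresses (assumptions, not taken from a real capture)
MY_IP = "192.168.1.11"
MY_MAC = "02:00:00:00:00:0b"
NETMASK = "255.255.255.0"
PEER_IP = "192.168.1.12"            # a team member's PC on the same LAN
PEER_MAC = "02:00:00:00:00:0c"
GATEWAY_IP = "192.168.1.1"          # default gateway for the LAN
GATEWAY_MAC = "02:00:00:00:00:01"
REMOTE_IP = "203.0.113.10"          # a host that is not on the LAN

# What the sending PC's ARP cache holds after resolving each next hop
ARP_TABLE = {PEER_IP: PEER_MAC, GATEWAY_IP: GATEWAY_MAC}

# Windows ping sends 32 bytes of data and uses a TTL of 128
PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
WINDOWS_TTL = 128


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split(":"))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def next_hop(src_ip: str, netmask: str, dst_ip: str, gateway_ip: str) -> str:
    """The host's forwarding decision: ARP for the destination itself if it
    is on the local subnet, otherwise ARP for the default gateway."""
    lan = ipaddress.IPv4Network(f"{src_ip}/{netmask}", strict=False)
    return dst_ip if ipaddress.IPv4Address(dst_ip) in lan else gateway_ip


def build_ping(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str,
               ident: int = 1, seq: int = 1) -> bytes:
    """Build one Ethernet II / IPv4 / ICMP Echo Request frame."""
    # Ethernet II header: destination MAC, source MAC, EtherType 0x0800 (IPv4)
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    # ICMP: type 8 (Echo Request), code 0, checksum, identifier, sequence
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + PING_PAYLOAD
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    # IPv4: ver/IHL, DSCP, total length, ID, flags/frag, TTL, proto 1 (ICMP),
    # checksum, source address, destination address
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0,
                     WINDOWS_TTL, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + icmp


def frame_for_ping(dst_ip: str) -> bytes:
    """The frame the lab PC puts on the wire when pinging dst_ip."""
    hop = next_hop(MY_IP, NETMASK, dst_ip, GATEWAY_IP)
    return build_ping(ARP_TABLE[hop], MY_MAC, MY_IP, dst_ip)


def decode_frame(frame: bytes) -> dict:
    """Dissect a frame layer by layer, as Wireshark's middle pane does."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    ihl = (frame[14] & 0x0F) * 4                  # IP header length in bytes
    ip_hdr = frame[14:14 + ihl]
    (_, _, total_len, _, _, ttl, proto, _,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != 1:
        raise ValueError(f"not ICMP: IP protocol {proto}")
    icmp = frame[14 + ihl:14 + total_len]         # drops any Ethernet padding
    icmp_type, icmp_code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac),
        "src_ip": str(ipaddress.IPv4Address(src_ip)),
        "dst_ip": str(ipaddress.IPv4Address(dst_ip)),
        "ttl": ttl, "ip_checksum_ok": inet_checksum(ip_hdr) == 0,
        "icmp_type": icmp_type, "icmp_code": icmp_code,
        "icmp_id": ident, "icmp_seq": seq, "payload_len": len(icmp) - 8,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
    }


if __name__ == "__main__":
    for target in (PEER_IP, REMOTE_IP):
        d = decode_frame(frame_for_ping(target))
        where = "local host" if d["dst_mac"] == ARP_TABLE.get(target) else "via gateway"
        print(f"ping {d['dst_ip']:<15} dst MAC {d['dst_mac']}  ({where})")
```

Run it and compare the two decoded frames: both carry the destination's IP address in the IPv4 header, but only the local ping carries the destination host's own MAC address. The remote ping carries the gateway's MAC because an Ethernet frame only has to reach the next hop on the local segment; the gateway strips that header and writes a new one on every hop after it. The same logic is the caveat to remember when reading captures in an investigation: a MAC address in a frame identifies a device on the capturing host's own segment, never the far end of the conversation.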
Appendix A: Allowing ICMP Traffic Through a Firewall
If the members of your team are unable to ping your PC, the firewall may be blocking those requests. This appendix describes how to create a rule in the firewall to allow ping requests. It also describes how to disable the new ICMP rule after you have completed the lab.

Step 1: Create a new inbound rule allowing ICMP traffic through the firewall.
a. From the Control Panel, click the System and Security option.
c. In the left pane of the Windows Firewall window, click Advanced settings.
f. In the left pane, click the Protocol and Ports option and, using the Protocol type drop-down menu, select ICMPv4, and then click Next.
g. In the left pane, click the Name option and in the Name field, type Allow ICMP Requests. Click Finish.
This new rule should allow your team members to receive ping replies from your PC.

Step 2: Disabling or deleting the new ICMP rule.
After the lab is complete, you may want to disable or even delete the new rule you created in Step 1. Leaving an inbound ICMP allow rule enabled exposes your PC to more than the lab requires, so disable or delete it when you are done. Using the Disable Rule option allows you to enable the rule again at a later date. Deleting the rule permanently removes it from the list of Inbound Rules.
a. On the Advanced Security window, in the left pane, click Inbound Rules and then locate the rule you created in Step 1.
b. To disable the rule, click the Disable Rule option. When you choose this option, you will see this option change to Enable Rule. You can toggle back and forth between Disable Rule and Enable Rule; the status of the rule also shows in the Enabled column of the Inbound Rules list.
c. To permanently delete the ICMP rule, click Delete. If you choose this option, you must re-create the rule again to allow ICMP replies.