Wireshark/Ethernet

From Wikiversity
Jump to navigation Jump to search

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Ethernet traffic.

Readings[edit | edit source]

Preparation[edit | edit source]

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture Ethernet Traffic[edit | edit source]

To capture Ethernet traffic:

  1. Start a Wireshark capture.
  2. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
  3. Use ping <default gateway address> to ping the default gateway address.
  4. Stop the Wireshark capture.

Activity 2 - Analyze Ethernet Traffic[edit | edit source]

To analyze Ethernet traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. All of the traffic you see is likely to be Ethernet traffic. If you want to specifically identify the traffic generated from the ping command above, look for traffic with ICMP listed as the protocol and Echo (ping) request or Echo (ping) reply in the description.
  2. Select a packet you want to analyze.
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Select Frame. Notice when you select the frame that the entire frame is highlighted in the bottom packet bytes pane.
  5. Expand Frame to view frame details.
  6. Expand Ethernet II to view Ethernet details. Notice the Destination, Source, and Type fields.
  7. Select the Destination field. Notice when you select the Destination field that the first six bytes of the frame are highlighted in the bottom packet bytes pane. This is the destination MAC address for the Ethernet frame.
  8. Select the Source field. Notice when you select the Source field that the second six bytes of the frame are highlighted in the bottom packet bytes pane. This is the source MAC address for the Ethernet frame.
  9. Select the Type field. Notice when you select the Type field that the 13th and 14th bytes of the frame are highlighted in the bottom packet bytes pane. This is the type of packet encapsulated inside the Ethernet frame.
  10. Select additional Ethernet frames in the top packet list pane and observe frame details in these packets.

Activity 3 - Confirm MAC Addresses in Ethernet Traffic[edit | edit source]

To confirm MAC addresses in Ethernet traffic:

  1. Use ipconfig /all or Getmac to display your computer's Physical Address.
  2. Compare your computer's physical address to the Source and Destination fields in the captured traffic. Identify which frames were sent by your computer and which frames were received by your computer.
  3. Use arp -a to view the ARP cache.
  4. Locate the default gateway IP address used in the ping command above and note the Physical Address of the default gateway.
  5. Compare your default gateway's physical address to the Source and Destination fields in the captured traffic. Identify which frames were sent by the default gateway and and which frames were sent to the default gateway.
  6. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References[edit | edit source]

Retrieved from "https://en.wikiversity.org/w/index.php?title=Wireshark/Ethernet&oldid=1520171"