Wireshark/IPv4 multicast

From Wikiversity
Jump to navigation Jump to search

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv4 multicast traffic.

Readings[edit]

Preparation[edit]

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture IPv4 Multicast Traffic[edit]

To capture IPv4 multicast traffic:

  1. Start a Wireshark capture.
  2. In Windows, select Start and then type Network and Sharing Center in the Run box. Press Enter.
  3. Select Change advanced sharing settings.
  4. Note the current status of Network discovery. If it is already on, select Turn off network discovery and Save changes.
  5. Select Turn on network discovery and Save changes.
  6. Wait a few seconds for network discovery to generate multicast traffic.
  7. If Network discovery was initially off, select Turn off network discovery and Save changes to return the status to the original setting. If network discovery was initially on, leave it on.
  8. Stop the Wireshark capture.

Activity 2 - Analyze IPv4 Multicast Traffic[edit]

To analyze IPv4 multicast traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only IPv4 multicast traffic, type ip.addr >= 224.0.0.0 (lower case) in the Filter box and press Enter.
  2. The traffic you are most likely to see is Simple Service Discovery Protocol (SSDP) traffic. You may also see Web Services Dynamic Discovery (WS-Discovery) traffic or other multicast traffic. Whatever you find, select the first frame.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 frame.
  4. Expand Ethernet II to view the Ethernet details.
  5. Observe the Destination address. Notice that it starts with 01:00:5e, the Ethernet multicast address for IPv4.
  6. Expand Internet Protocol Version 4 to view IPv4 details.
  7. Observe the Destination address. Notice that it is in the 224.0.0.0 - 239.255.255.255 IPv4 multicast range. If it is SSDP or WS-Discovery traffic, it will be addressed to 239.255.255.250.
  8. Select additional frames and observe the Ethernet and IPv4 details for multicast traffic.
  9. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References[edit]