L Lab - Us sing Wireshark to t View Network k Traffic c

T Topology

O Objectives
Part 1: (O Optional) Dow wnload and Install I Wireshark Part 2: Ca apture and Analyze A Loca al ICMP Data in Wireshar rk Start and stop data a capture of ping p traffic to local hosts. Locat te the IP and MAC address s information in captured P PDUs.

Part 3: Ca apture and Analyze A Remote ICMP Da ata in Wiresh hark Start and stop data a capture of ping p traffic to remote r hosts . Locat te the IP and MAC address s information in captured P PDUs. Expla ain why MAC addresses for remote host ts are differen nt than the MA AC addresses s of local hos sts.

B Backgroun nd / Scenar rio

Wireshark k is a software e protocol ana alyzer, or "pa acket sniffer" a application, used for netwo ork troublesho ooting, analysis, software s and protocol deve elopment, and education. A ams travel back and forth o over the As data strea network, the t sniffer "ca aptures" each protocol data a unit (PDU) a and can deco ode and analy yze its conten nt according g to the appropriate RFC or other specif fications. Wireshark k is a useful to ool for anyone e working with networks a nd can be used with most labs in the CCNA ading and ins courses fo or data analys sis and troubl leshooting. Th his lab provid des instruction ns for downloa stalling Wireshark k, although it may already be installed. In I this lab, yo ou will use Wir reshark to capture ICMP d data packet IP addresses and Ethernet fr rame MAC ad ddresses.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

P Page 1 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic

R Required Resources R
1 PC (Windows 7, Vista, or XP with w Internet access) a Additional PC(s) on n a local-area a network (LA AN) will be use ed to reply to ping request ts.

P Part 1:

(Optional ( l) Downlo oad and Install Wireshark

Wireshark k has become e the industry standard pac cket-sniffer pr rogram used by network engineers. Thi is open source so oftware is available for man ny different op perating syste ems, including g Windows, M Mac, and Linu ux. In Part 1 of this la ab, you will do ownload and install the Wireshark softw ware program on your PC. Note: If Wireshark W is already installe ed on your PC C, you can sk kip Part 1 and d go directly to o Part 2. If Wi ireshark is not installed on your PC, check with w your instru uctor about yo our academys software do ownload polic cy.

S Step 1: Do ownload Wir reshark.

a. Wires shark can be downloaded d from f www.wir reshark.org. b. Click Download Wireshark W .

c.

are version yo ou need based d on your PC Cs architectur re and operati ing system. F For Choose the softwa nce, if you hav ve a 64-bit PC C running Win ndows, choos se Windows Installer (64-bit). instan

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

P Page 2 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic After making a sele ection, the do ownload should start. The llocation of the e downloaded d file depends s on the ser and opera ating system that t you use. For Windows s users, the default location n is the Down nloads brows folder r.

S Step 2: Ins stall Wireshark.

a. The downloaded d file is named Wireshark-wi W in64-x.x.x.ex xe, where x re epresents the e version num mber. Double-click the file e to start the installation pr rocess. b. Respo ond to any se ecurity messa ages that may y display on yo our screen. If f you already have a copy of Wires shark on your PC, you will be prompted to uninstall th he old version n before insta alling the new version. It is re ecommended that you rem move the old version v of Wir reshark prior t to installing another versio on. Click Yes to o uninstall the e previous version of Wires shark.

c.

If this is the first tim me to install Wireshark, W or after a you hav ve completed the uninstall process, you will navigate to the Wir reshark Setup p wizard. Click Next.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

P Page 3 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic d. Contin nue advancin ng through the e installation process. p Click k I Agree whe en the Licens se Agreement t window displa ays.

e. Keep the default se ettings on the e Choose Com mponents win ndow and clic ck Next.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

P Page 4 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic f. Choose your desired shortcut options and cli ick Next.

g. You can c change th he installation location of Wireshark, W but t unless you have limited d disk space, it is recom mmended that t you keep the e default loca ation.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

P Page 5 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic h. To ca apture live net twork data, WinPcap W must be installed o on your PC. If WinPcap is already insta alled on your PC, P the Install check box will w be unchec cked. If your in ap is older tha an the nstalled versiion of WinPca versio on that comes s with Wiresha ark, it is recom mmend that y you allow the newer versio on to be instal lled by clickin ng the Install WinPcap x.x x.x (version number) n chec ck box. i. Finish h the WinPcap p Setup Wiza ard if installing g WinPcap.

j.

Wires shark starts in nstalling its file es and a sepa arate window displays with h the status of f the installati ion. Click Next when the inst tallation is complete.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

P Page 6 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic k. Click Finish to com mplete the Wireshark insta all process.

P Part 2: Capture C and a Analy yze Local ICMP Da ata in Wir reshark
In Part 2 of o this lab, you will ping another PC on the t LAN and capture ICMP P requests an nd replies in Wireshark k. You will als so look inside the frames captured for sp pecific inform mation. This an nalysis should d help to clarify how w packet head ders are used d to transport data to their destination.

S Step 1: Re etrieve your PCs interf face addresses.

d its network interface card For this la ab, you will ne eed to retrieve e your PCs IP P address and d (NIC) physi ical address, also a called the MAC addre ess.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

P Page 7 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic a. Open a command window, type e ipconfig /all, and then pr ress Enter. y PC inter rfaces IP add dress and MA AC (physical) a address. b. Note your

c.

Ask a team membe er for their PC Cs IP address s and provide e your PCs IP P address to t them. Do not provide them with your MA AC address at t this time.

S Step 2: Sta art Wireshark and begi in capturing g data.

a. On yo our PC, click the t Windows Start button to see Wiresh hark listed as s one of the pr rograms on th he pop-up menu. Double-click k Wireshark. b. After Wireshark W sta arts, click Inte erface List.

Note: Clicking the first interface e icon in the ro ow of icons allso opens the e Interface Lis st.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

P Page 8 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic c. On the Wireshark: Capture Interfaces window w, click the ch heck box nex xt to the interfa ace connecte ed to your LAN.

terfaces are listed and you u are unsure w which interfac ce to check, c click the Deta ails Note: If multiple int n, and then click the 802.3 (Ethernet) ta ab. Verify tha at the MAC ad ddress matche es what you n noted in button Step 1b. Close the e Interface De etails window after verifying g the correct iinterface.

y have che ecked the corr rect interface, click Start to o start the data capture. d. After you

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

P Page 9 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic Inform mation will sta art scrolling do own the top section in Wire eshark. The d data lines will appear in diff fferent colors s based on pr rotocol.

e. This information ca an scroll by ve ery quickly de epending on w what commun nication is tak king place bet tween your PC P and the LA AN. We can apply a a filter to t make it eas sier to view an nd work with the data that is being captured by Wiresh hark. For this lab, we are only o interested d in displayin ng ICMP (ping g) PDUs. Type e icmp in the Filter box at the e top of Wires shark and pre ess Enter or c click on the Ap pply button to o view only IC CMP (ping) ) PDUs.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

Pa age 10 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic f. This filter f causes all a data in the top window to o disappear, but you are s still capturing the traffic on the interfa ace. Bring up the command prompt window that you opened earliier and ping th he IP address s that you receiv ved from your r team membe er. Notice tha at you start se eeing data appear in the to op window of Wires shark again.

Note: If your team members PC C does not re eply to your pi ngs, this may y be because their PC firew wall is blocki ing these requests. Please e see Append dix A: Allowing g ICMP Traffic Through a F Firewall for in nformation ndows 7. on ho ow to allow ICMP traffic thro ough the firew wall using Win g. Stop capturing c data by clicking the t Stop Cap pture icon.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

Pa age 11 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic

S Step 3: Examine the captured c da ata.

In Step 3, examine the e data that wa as generated by b the ping re equests of you ur team mem mbers PC. Wireshark data is dis splayed in three sections: 1) 1 The top se ection displays s the list of PD DU frames ca aptured with a summary of the IP pac cket informatio on listed, 2) th he middle sec ction lists PDU U information n for the frame e selected in the top part of the sc creen and sep parates a cap ptured PDU fra ame by its pr rotocol layers, , and 3) the b bottom section displays the raw w data of eac ch layer. The raw data is d isplayed in bo oth hexadecim mal and decim mal form.

P request PDU U frames in th he top section n of Wireshar rk. Notice that t the Source c column a. Click the first ICMP a and the t Destinatio on contains th he IP address s of the teamm mates PC you pinged. has your PCs IP address,

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

Pa age 12 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic b. With this t PDU fram me still selecte ed in the top section, s navig gate to the miiddle section. Click the plus sign to the left of the Ethernet II row to view the Des stination and S Source MAC addresses.

Does the Source MAC M address match your PCs P interface e?

Does the Destination MAC addr ress in Wiresh hark match th he MAC addre ess that of yo our team mem mbers?

How is the MAC ad ddress of the pinged PC obtained by yo our PC?

Note: In the preced ding example e of a captured d ICMP reque est, ICMP dat ta is encapsu ulated inside a an IPv4 packe et PDU (IPv4 header) whic ch is then enc capsulated in a an Ethernet II frame PDU (Ethernet II h header) for tra ansmission on n the LAN.

P Part 3: Capture C and a Analy yze Remo ote ICMP Data in W Wireshark k
In Part 3, you will ping remote hosts s (hosts not on the LAN) an nd examine th he generated d data from those pings. You will then determine what t is different about a this data a from the data examined in Part 2.

S Step 1: Sta art capturing data on in nterface.

a. Click the Interface e List icon to bring up the list PC interfa aces again.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

Pa age 13 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic b. Make sure the che eck box next to o the LAN int terface is chec cked, and the en click Start.

c.

A window prompts to save the previously p cap ptured data b before starting g another cap pture. It is not neces ssary to save this data. Clic ck Continue without Sav ving.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

Pa age 14 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic d. With the t capture active, ping the e following three website U URLs: 1) www.yahoo.co w om 2) www.cisco.com w m 3) www.google.co w om

Note: When you ping the URLs listed, notice e that the Dom main Name Se erver (DNS) t translates the e URL to an IP address. Not te the IP addr ress received for each URL L. e. You can c stop captu uring data by clicking the Stop S Capture e icon.

S Step 2: Examining and analyzing g the data fr rom the rem mote hosts.
a. Revie ew the capture ed data in Wireshark, exam mine the IP an nd MAC addr resses of the three location ns that you pinged. List the destination IP and MAC addresses fo or all three loc cations in the space provid ded. 1st Location: 2 Lo ocation: 3 Lo ocation:
rd nd

IP: IP: IP:

MAC: MAC: MAC:

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

Pa age 15 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic b. What is significant about this inf formation?

c.

How does d this information differ r from the loca al ping inform mation you rec ceived in Part t 2?

R Reflection
Why does s Wireshark show the actual MAC addre ess of the loc cal hosts, but not the actua al MAC addres ss for the remote ho osts?

A Appendix A: A Allowing g ICMP Tra affic Throu ugh a Firew wall

If the mem mbers of your r team are una able to ping your y PC, the f firewall may b be blocking th hose requests s. This appendix describes ho ow to create a rule in the fir rewall to allow w ping reques sts. It also des scribes how to disable the new IC CMP rule afte er you have co ompleted the lab.

S Step 1: Cre eate a new inbound rule allowing ICMP traffi c through t the firewall.
a. From the Control Panel, P click the System an nd Security o option.

a Security window, w click Windows Fi irewall. b. From the System and

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

Pa age 16 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic c. In the e left pane of the t Windows Firewall wind dow, click Adv vanced settings.

d. On the Advanced Security S window, choose the Inbound R Rules option on the left sid debar and the en click New Rule R on the e right sideba ar.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

Pa age 17 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic e. This launches the New Inbound d Rule wizard. On the Rule e Type screen n, click the Cu ustom radio b button c Next and click

f.

In the e left pane, click the Protoc col and Ports s option and u using the Pro otocol type dro op-down men nu, select ICMP Pv4, and then click Next.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

Pa age 18 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic g. In the e left pane, click the Name option and in n the Name fie eld, type Allo ow ICMP Req quests. Click Finish.

This new n rule shou uld allow your r team membe ers to receive e ping replies from your PC C.

S Step 2: Dis sabling or deleting d the new ICMP rule.

After the lab is complet te, you may want w to disable or even dellete the new r rule you creat ted in Step 1. . Using the Disab ble Rule optio on allows you to enable the e rule again a at a later date. Deleting the e rule permanently deletes it from the list of o Inbound Ru ules. a. On the Advanced Security S window, in the left t pane, click I Inbound Rule es and then locate the rule e you create ed in Step 1.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

Pa age 19 of 20

L Lab - Using Wireshark W to View Netwo ork Traffic b. To dis sable the rule e, click the Dis sable Rule op ption. When y you choose th his option, you will see this s option chang ge to Enable Rule. You ca an toggle back k and forth be etween Disab ble Rule and E Enable Rule; the status s of the rule also a shows in the Enabled column of the e Inbound Rules list.

c.

To pe ermanently de elete the ICMP P rule, click Delete D . If you choose this o option, you must re-create the rule again to allow ICMP replies.

2013 Cisco and d/or its affiliates. All rights reserve ed. This docume ent is Cisco Publiic.

Pa age 20 of 20