LAB REPORT 3.7.

10 Lab Use Wireshark to View Network Traffic

Course Code / Course Name: - CNET 217 / Switching & Routing Essentials

Program: - Computer Systems Technology

Section: - 002

Term: - Summer 2023

Instructions

Part 1: Capture and Analyze Local ICMP Data in Wireshark

In Part 1 of this lab, you will ping another PC on the LAN and capture ICMP requests and
replies in Wireshark. You will also look inside the frames captured for specific information.
This analysis should help to clarify how packet headers are used to transport data to their
destination.
Step 1: Retrieve your PC interface addresses.
For this lab, you will need to retrieve your PC IP address and its network interface card (NIC)
physical address, also called the MAC address.
a. In a command prompt window, enter ipconfig /all, to the IP address of your PC interface,
its description, and its MAC (physical) address.
b. Ask a team member or team members for their PC IP address and provide your PC IP
address to them. Do not provide them with your MAC address at this time.
Step 2: Start Wireshark and begin capturing data.
a. Navigate to Wireshark. Double-click the desired interface to start the packet capture.
Make sure the desired interface has traffic.
b. Information will start scrolling down the top section in Wireshark. The data lines will
appear in different colors based on protocol.

This information can scroll by very quickly depending on what communication is taking place
between your PC and the LAN. We can apply a filter to make it easier to view and work with
the data that is being captured by Wireshark.
For this lab, we are only interested in displaying ICMP (ping) PDUs. Type icmp in the Filter
box at the top of Wireshark and press Enter, or click the Apply button (arrow sign) to view
only ICMP (ping) PDUs.
c. This filter causes all data in the top window to disappear, but you are still capturing the
traffic on the interface. Navigate to a command prompt window and ping the IP address
that you received from your team member.

d. Stop capturing data by clicking the Stop Capture icon.

Step 3: Examine the captured data.

In Step 3, examine the data that was generated by the ping requests of your team member
PC. Wireshark data is displayed in three sections: 1) The top section displays the list of PDU
frames captured with a summary of the IP packet information listed; 2) the middle section
lists PDU information for the frame selected in the top part of the screen and separates a
captured PDU frame by its protocol layers; and 3) the bottom section displays the raw data
of each layer. The raw data is displayed in both hexadecimal and decimal form.

a. Click the first ICMP request PDU frames in the top section of Wireshark. Notice that the
Source column has your PC IP address, and the Destination column contains the IP address
of the teammate PC that you pinged.

b. With this PDU frame still selected in the top section, navigate to the middle section. Click
the plus sign to the left of the Ethernet II row to view the destination and source MAC
addresses.

Does the source MAC address match your PC interface?

Yes , the source MAC address Matches the PC interface.

Note: In the preceding example of a captured ICMP request, ICMP data is encapsulated
inside an IPv4 packet PDU (IPv4 header) which is then encapsulated in an Ethernet II frame
PDU (Ethernet II header) for transmission on the LAN.

Part 2: Capture and Analyze Remote ICMP Data in Wireshark

In Part 2, you will ping remote hosts (hosts not on the LAN) and examine the generated data
from those pings. You will then determine what is different about this data from the data
examined in Part 1.
Step 1: Start capturing data on the interface.
a. Start the data capture again.
b. A window prompts you to save the previously captured data before starting another
capture. It is not necessary to save this data. Click Continue without Saving.
c. With the capture active, ping the following three website URLs from a Windows command
prompt:

1) www.yahoo.com

2) www.cisco.com
3) www.google.com

Note: When you ping the URLs listed, notice that the Domain Name Server (DNS) translates
the URL to an IP address. Note the IP address received for each URL.
d. You can stop capturing data by clicking the Stop Capture icon.
Step 2: Examining and analyzing the data from the remote hosts.
Review the captured data in Wireshark and examine the IP and MAC addresses of the three
locations that you pinged. List the destination IP and MAC addresses for all three locations
in the space provided.
IP address for www.yahoo.com:
74.6.143.26
MAC address for www.yahoo.com:
E8-FB-1C-F3-C3-E1 (Default Gateway/Physical Address)
IP address for www.cisco.com:
96.16.43.188
MAC address for www.cisco.com:
E8-FB-1C-F3-C3-E1 (Default Gateway/Physical Address)

IP address for www.google.com:

What is significant about this information?

The MAC Address of the 3 websites are all the same

How does this information differ from the local ping information you received in Part 1?

When you ping the local host it will return the MAC address of the PC while you ping to a
remote host it will returns the MAC address of the physical address or default gateway

Reflection Question

Why does Wireshark show the actual MAC address of the local hosts, but not the actual
MAC address for the remote hosts?
The MAC address for remote hosts are not identified or unknown, so the default gateway
or physical address of the local host is being used.

Appendix A: Allowing ICMP Traffic Through a Firewall

If the members of your team are unable to ping your PC, the firewall may be blocking those
requests. This appendix describes how to create a rule in the firewall to allow ping requests.
It also describes how to disable the new ICMP rule after you have completed the lab.
Part 1: Create a new inbound rule allowing ICMP traffic through the firewall.

a. Navigate to the Control Panel and click the System and Security option in the Category
view.

b. In the System and Security window, click Windows Defender Firewall or Windows
Firewall.

c. In the left pane of the Windows Defender Firewall or Windows Firewall window, click
Advanced settings.
d. On the Advanced Security window, click the Inbound Rules option on the left sidebar and
then click New Rule… on the right sidebar.

e. This launches the New Inbound Rule On the Rule Type screen, click the Custom
radio button and click Next.
f. In the left pane, click the Protocol and Ports option and using the Protocol Type
drop-down menu, select ICMPv4, and then click Next.
g. Verify that Any IP address for both the local and remote IP addresses are selected.
Click Next to continue.
h. Select Allow the connection. Click Next to continue.

i. By default, this rule applies to all the profiles. Click Next to continue.

j. Name the rule with Allow ICMP Requests. Click Finish to continue. This new rule
should allow your team members to receive ping replies from your PC.
Part 2: Disabling or deleting the new ICMP rule.

After the lab is complete, you may want to disable or even delete the new rule you
created in Step 1. Using the Disable Rule option allows you to enable the rule again
at a later date. Deleting the rule permanently deletes it from the list of inbound rules.

a. On the Advanced Security window, click Inbound Rules in the left pane and then
locate the rule you created previously.

b. Right-click the ICMP rule and select Disable Rule if so desired. You may also
select Delete if you want to permanently delete it. If you choose this option, you must
re-create the rule again to allow ICMP replies.