Lab - Using Wireshark to View Network Traffic

Objectives

Part 1: (Optional) Download and Install Wireshark

Part 2: Capture and Analyze Local ICMP Data in Wireshark
Start and stop data capture of ping traffic to local hosts.
Locate the IP and MAC address information in captured PDUs.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark
Start and stop data capture of ping traffic to remote hosts.
Locate the IP and MAC address information in captured PDUs.
Explain why MAC addresses for remote hosts are different than the MAC addresses of local hosts.
Background / Scenario

Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications. Wireshark is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. This lab provides instructions for downloading and installing Wireshark, although it may already be installed. In this lab, you will use Wireshark to capture ICMP data packet IP addresses and Ethernet frame MAC addresses.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 1 of 20
Required Resources

1 PC (Windows 7, Vista, or XP with Internet access)
Additional PC(s) on a local-area network (LAN) will be used to reply to ping requests.
Part 1: (Optional) Download and Install Wireshark

Wireshark has become the industry standard packet-sniffer program used by network engineers. This open source software is available for many different operating systems, including Windows, Mac, and Linux. In Part 1 of this lab, you will download and install the Wireshark software program on your PC.

Note: If Wireshark is already installed on your PC, you can skip Part 1 and go directly to Part 2. If Wireshark is not installed on your PC, check with your instructor about your academy's software download policy.
Step 1: Download Wireshark.

a. Wireshark can be downloaded from www.wireshark.org.
b. Click Download Wireshark.
c. Choose the software version you need based on your PC's architecture and operating system. For instance, if you have a 64-bit PC running Windows, choose Windows Installer (64-bit).
After making a selection, the download should start. The location of the downloaded file depends on the browser and operating system that you use. For Windows users, the default location is the Downloads folder.
Step 2: Install Wireshark.

a. The downloaded file is named Wireshark-win64-x.x.x.exe, where x represents the version number. Double-click the file to start the installation process.
b. Respond to any security messages that may display on your screen. If you already have a copy of Wireshark on your PC, you will be prompted to uninstall the old version before installing the new version. It is recommended that you remove the old version of Wireshark prior to installing another version. Click Yes to uninstall the previous version of Wireshark.
c. If this is the first time to install Wireshark, or after you have completed the uninstall process, you will navigate to the Wireshark Setup wizard. Click Next.
d. Continue advancing through the installation process. Click I Agree when the License Agreement window displays.
e. Keep the default settings on the Choose Components window and click Next.
f. Choose your desired shortcut options and click Next.
g. You can change the installation location of Wireshark, but unless you have limited disk space, it is recommended that you keep the default location.
h. To capture live network data, WinPcap must be installed on your PC. If WinPcap is already installed on your PC, the Install check box will be unchecked. If your installed version of WinPcap is older than the version that comes with Wireshark, it is recommended that you allow the newer version to be installed by clicking the Install WinPcap x.x.x (version number) check box.
i. Finish the WinPcap Setup Wizard if installing WinPcap.
j. Wireshark starts installing its files and a separate window displays with the status of the installation. Click Next when the installation is complete.
k. Click Finish to complete the Wireshark install process.
Part 2: Capture and Analyze Local ICMP Data in Wireshark

In Part 2 of this lab, you will ping another PC on the LAN and capture ICMP requests and replies in Wireshark. You will also look inside the frames captured for specific information. This analysis should help to clarify how packet headers are used to transport data to their destination.
Step 1: Retrieve your PC's interface addresses.

For this lab, you will need to retrieve your PC's IP address and its network interface card (NIC) physical address, also called the MAC address.
a. Open a command window, type ipconfig /all, and then press Enter.
b. Note your PC interface's IP address and MAC (physical) address.
c. Ask a team member for their PC's IP address and provide your PC's IP address to them. Do not provide them with your MAC address at this time.
Step 2: Start Wireshark and begin capturing data.

a. On your PC, click the Windows Start button to see Wireshark listed as one of the programs on the pop-up menu. Double-click Wireshark.
b. After Wireshark starts, click Interface List.
Note: Clicking the first interface icon in the row of icons also opens the Interface List.
c. On the Wireshark: Capture Interfaces window, click the check box next to the interface connected to your LAN.
Note: If multiple interfaces are listed and you are unsure which interface to check, click the Details button, and then click the 802.3 (Ethernet) tab. Verify that the MAC address matches what you noted in Step 1b. Close the Interface Details window after verifying the correct interface.
d. After you have checked the correct interface, click Start to start the data capture.
Information will start scrolling down the top section in Wireshark. The data lines will appear in different colors based on protocol.
e. This information can scroll by very quickly depending on what communication is taking place between your PC and the LAN. We can apply a filter to make it easier to view and work with the data that is being captured by Wireshark. For this lab, we are only interested in displaying ICMP (ping) PDUs. Type icmp in the Filter box at the top of Wireshark and press Enter or click on the Apply button to view only ICMP (ping) PDUs.
f. This filter causes all data in the top window to disappear, but you are still capturing the traffic on the interface. Bring up the command prompt window that you opened earlier and ping the IP address that you received from your team member. Notice that you start seeing data appear in the top window of Wireshark again.
Note: If your team member's PC does not reply to your pings, this may be because their PC firewall is blocking these requests. Please see Appendix A: Allowing ICMP Traffic Through a Firewall for information on how to allow ICMP traffic through the firewall using Windows 7.
g. Stop capturing data by clicking the Stop Capture icon.
Step 3: Examine the captured data.
In Step 3, examine the data that was generated by the ping requests of your team member's PC. Wireshark data is displayed in three sections: 1) The top section displays the list of PDU frames captured with a summary of the IP packet information listed, 2) the middle section lists PDU information for the frame selected in the top part of the screen and separates a captured PDU frame by its protocol layers, and 3) the bottom section displays the raw data of each layer. The raw data is displayed in both hexadecimal and decimal form.

a. Click the first ICMP request PDU frames in the top section of Wireshark. Notice that the Source column has your PC's IP address, and the Destination contains the IP address of the teammate's PC you pinged.
b. With this PDU frame still selected in the top section, navigate to the middle section. Click the plus sign to the left of the Ethernet II row to view the Destination and Source MAC addresses.
Does the Source MAC address match your PC's interface?
Does the Destination MAC address in Wireshark match your team member's MAC address?
How is the MAC address of the pinged PC obtained by your PC?
Note: In the preceding example of a captured ICMP request, ICMP data is encapsulated inside an IPv4 packet PDU (IPv4 header) which is then encapsulated in an Ethernet II frame PDU (Ethernet II header) for transmission on the LAN.
Part 3: Capture and Analyze Remote ICMP Data in Wireshark

In Part 3, you will ping remote hosts (hosts not on the LAN) and examine the generated data from those pings. You will then determine what is different about this data from the data examined in Part 2.
Step 1: Start capturing data on the interface.

a. Click the Interface List icon to bring up the list of PC interfaces again.
b. Make sure the check box next to the LAN interface is checked, and then click Start.
c. A window prompts to save the previously captured data before starting another capture. It is not necessary to save this data. Click Continue without Saving.
d. With the capture active, ping the following three website URLs:
1) www.yahoo.com
2) www.cisco.com
3) www.google.com
Note: When you ping the URLs listed, notice that the Domain Name Server (DNS) translates the URL to an IP address. Note the IP address received for each URL.
e. You can stop capturing data by clicking the Stop Capture icon.
Step 2: Examining and analyzing the data from the remote hosts.

a. Review the captured data in Wireshark, examine the IP and MAC addresses of the three locations that you pinged. List the destination IP and MAC addresses for all three locations in the space provided.

1st Location:
IP:
MAC:

2nd Location:
IP:
MAC:

3rd Location:
IP:
MAC:
b. What is significant about this information?
c. How does this information differ from the local ping information you received in Part 2?

Reflection

Why does Wireshark show the actual MAC address of the local hosts, but not the actual MAC address for the remote hosts?
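As an added example that is not part of the original lab, the Python script below decodes three constructed Ethernet II / IPv4 / ICMP frames the way the Ethernet II and IPv4 rows of Wireshark's middle pane would, and applies the equivalent of the icmp display filter used in Part 2. It shows the point behind the Reflection question: for the ping to the remote host the Ethernet destination is the default gateway's MAC, while the IP destination is still the remote host. All MAC and IP addresses are made-up sample values.

```python
import struct

# Constructed sample addresses (not from a real capture).
LOCAL_MAC = bytes.fromhex("001122334455")     # this PC
TEAMMATE_MAC = bytes.fromhex("66778899aabb")  # teammate's PC on the LAN
GATEWAY_MAC = bytes.fromhex("ccddeeff0011")   # default gateway (router)

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 header (no options; checksum left zero for brevity)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, src_b, dst_b)
    return hdr + payload

def frame(dst_mac, src_mac, ip_payload):
    """Ethernet II frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), payload."""
    return dst_mac + src_mac + b"\x08\x00" + ip_payload

ICMP_ECHO_REQ = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh"  # type 8 = echo request
UDP_STUB = struct.pack("!HHHH", 53, 53, 8, 0)                          # non-ICMP filler

# Constructed "capture": local ping, an unrelated UDP datagram, and a ping to a remote host.
CAPTURE = [
    frame(TEAMMATE_MAC, LOCAL_MAC, ipv4("192.168.1.10", "192.168.1.20", 1, ICMP_ECHO_REQ)),
    frame(GATEWAY_MAC, LOCAL_MAC, ipv4("192.168.1.10", "192.168.1.1", 17, UDP_STUB)),
    frame(GATEWAY_MAC, LOCAL_MAC, ipv4("192.168.1.10", "192.0.2.80", 1, ICMP_ECHO_REQ)),
]

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def decode(raw):
    """Return the fields the Ethernet II and IPv4 rows of Wireshark's middle pane expose."""
    dst, src, ethertype = raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        return None
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src_ip = ".".join(str(x) for x in ip[12:16])
    dst_ip = ".".join(str(x) for x in ip[16:20])
    icmp_type = ip[ihl] if proto == 1 else None
    return {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "src_ip": src_ip,
            "dst_ip": dst_ip, "proto": proto, "icmp_type": icmp_type}

def icmp_filter(frames):
    """Same effect as typing icmp in the Filter box: keep only IPv4 protocol 1."""
    return [d for d in map(decode, frames) if d is not None and d["proto"] == 1]
```

Calling icmp_filter(CAPTURE) drops the UDP frame and returns the two echo requests; both have the same source MAC, but only the local one carries the teammate's MAC as its Ethernet destination.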
Appendix A: Allowing ICMP Traffic Through a Firewall

If the members of your team are unable to ping your PC, the firewall may be blocking those requests. This appendix describes how to create a rule in the firewall to allow ping requests. It also describes how to disable the new ICMP rule after you have completed the lab.

Step 1: Create a new inbound rule allowing ICMP traffic through the firewall.

a. From the Control Panel, click the System and Security option.
b. From the System and Security window, click Windows Firewall.
c. In the left pane of the Windows Firewall window, click Advanced settings.
d. On the Advanced Security window, choose the Inbound Rules option on the left sidebar and then click New Rule… on the right sidebar.
e. This launches the New Inbound Rule wizard. On the Rule Type screen, click the Custom radio button and click Next.
f. In the left pane, click the Protocol and Ports option and using the Protocol type drop-down menu, select ICMPv4, and then click Next.
g. In the left pane, click the Name option and in the Name field, type Allow ICMP Requests. Click Finish.
This new rule should allow your team members to receive ping replies from your PC.
Step 2: Disabling or deleting the new ICMP rule.

After the lab is complete, you may want to disable or even delete the new rule you created in Step 1. Using the Disable Rule option allows you to enable the rule again at a later date. Deleting the rule permanently deletes it from the list of Inbound Rules.

a. On the Advanced Security window, in the left pane, click Inbound Rules and then locate the rule you created in Step 1.
b. To disable the rule, click the Disable Rule option. When you choose this option, you will see this option change to Enable Rule. You can toggle back and forth between Disable Rule and Enable Rule; the status of the rule also shows in the Enabled column of the Inbound Rules list.
c. To permanently delete the ICMP rule, click Delete. If you choose this option, you must re-create the rule again to allow ICMP replies.