Lab - View Captured Traffic in Wireshark: Topology
Topology
Objectives
Part 1: Download and Install Wireshark
Part 2: Capture and Analyze ARP Data in Wireshark
Start and stop data capture of ping traffic to remote hosts.
Locate the IPv4 and MAC address information in captured PDUs.
Analyze the content of the ARP messages exchanged between devices on the LAN.
Part 3: View the ARP cache entries on the PC
Access the Windows Command Prompt.
Use the Windows arp command to view the local ARP table cache on the PC.
Background / Scenario
Address Resolution Protocol (ARP) is used by TCP/IP to map a Layer 3 IPv4 address to a Layer 2 MAC address. When an Ethernet frame is transmitted on the network, it must have a destination MAC address. To dynamically discover the MAC address of a known destination, the source device broadcasts an ARP request on the local network. The device that is configured with the destination IPv4 address responds to the request with an ARP reply and the MAC address is recorded in the ARP cache.
Every device on the LAN maintains its own ARP cache. The ARP cache is a small area in RAM that
holds the ARP responses. Viewing an ARP cache on a PC displays the IPv4 address and the MAC
address of each device on the LAN with which the PC has exchanged ARP messages.
Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network
troubleshooting, analysis, software and protocol development, and education. As data streams travel
back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode
and analyze its content according to the appropriate protocol specifications.
Wireshark is a useful tool for anyone working with networks and can be used with most labs in the
Cisco courses for data analysis and troubleshooting. This lab provides instructions for downloading
and installing Wireshark, although it may already be installed. In this lab, you will use Wireshark to
capture ARP exchanges on the local network.
Required Resources
1 PC (Windows 10)
internet access
Additional PC(s) on a local-area network (LAN) will be used to reply to ping requests. If no
additional PCs are on the LAN, the default gateway address will be used to reply to the ping
requests.
Instructions
Step 1: Download Wireshark.
a. Wireshark can be downloaded from www.wireshark.org.
b. Click Download.
c. Choose the software version you need based on your PC’s architecture and operating system. For instance, if you have a 64-bit PC running Windows, choose Windows Installer (64-bit).
d. After making the selection, the download should start. Click Save File if prompted.
The location of the downloaded file depends on the browser and operating system that you use.
For Windows users, the default location is the Downloads folder.
Part 2: Capture and Analyze Local ARP Data in Wireshark
In Part 2 of this lab, you will ping another PC on the LAN and capture ARP requests and replies in Wireshark. You will also look inside the frames captured for specific information. This analysis should help to clarify how packet headers are used to transport data to their destination.
c. Ask a team member for their PC’s IPv4 address and give your PC’s IPv4
address to them. Do not provide them with your MAC address at this time.
Question:
Record the IPv4 addresses of the default gateway and the other PCs on the LAN.
192.168.1.1
Answers will vary. In this example, the default gateway is 192.168.1.1 and the IPv4 address for this PC is 192.168.1.8.
b. Click the arrow to the left of the Address Resolution Protocol (request) row to view the content of the ARP request.
What is the IPv4 address of the Target device in your ARP request?
192.168.1.1
b. Highlight the response frame in the upper section of the Wireshark output. You may have to scroll the window to find the response frame that matches the Target IPv4 address identified in the previous step. Expand the Ethernet II and Address Resolution Protocol (response) rows in the middle section of the screen.
Questions:
Is the ARP response frame a broadcast frame?
no
What is the destination MAC address of the frame?
78:84:3c:eb:45:32
Is this the MAC address of your PC?
yes
What MAC address is the source of the frame?
d4:61:2e:2d:73:aa
c. Verify with your team member that the MAC address matches the MAC address of their PC.
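The fields inspected in Part 2 can also be decoded by hand. The Python sketch below is an added example, not part of the Cisco lab: it parses a constructed ARP request and reply built from the addresses in this write-up and records the reply in a small cache. It assumes that d4:61:2e:2d:73:aa is the device answering for 192.168.1.1; the function and variable names are illustrative.

```python
import socket
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
PC_MAC, PC_IP = "78:84:3c:eb:45:32", "192.168.1.8"      # this PC (from the lab answers)
RESP_MAC, RESP_IP = "d4:61:2e:2d:73:aa", "192.168.1.1"  # assumed responder for the target

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp_frame(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        raise ValueError("frame too short for Ethernet II + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "is_broadcast": mac(dst) == BROADCAST,
        "opcode": {1: "request", 2: "reply"}.get(oper, str(oper)),
        "sender_mac": mac(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac(tha), "target_ip": socket.inet_ntoa(tpa),
    }

def build_frame(dst, src, oper, sha, spa, tha, tpa):
    """Build a sample frame (constructed data, not a real capture)."""
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    return (to_b(dst) + to_b(src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + to_b(sha) + socket.inet_aton(spa)
            + to_b(tha) + socket.inet_aton(tpa))

# Request: broadcast at Layer 2, target MAC still unknown (all zeros in the ARP body).
REQUEST = build_frame(BROADCAST, PC_MAC, 1, PC_MAC, PC_IP, "00:00:00:00:00:00", RESP_IP)
# Reply: unicast straight back to the requesting PC.
REPLY = build_frame(PC_MAC, RESP_MAC, 2, RESP_MAC, RESP_IP, PC_MAC, PC_IP)

def update_cache(cache, frames):
    """Record sender IP -> MAC from ARP replies, as the Background describes."""
    for f in frames:
        p = parse_arp_frame(f)
        if p["opcode"] == "reply":
            cache[p["sender_ip"]] = p["sender_mac"]
    return cache

if __name__ == "__main__":
    print(update_cache({}, [REQUEST, REPLY]))
```

The parser reads only the first 42 bytes, so frames padded to the Ethernet minimum decode the same way.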
The output of the arp -a command displays the entries that are in the cache on the PC. In the example, the PC has entries for the default gateway (192.168.1.1) and for two PCs that are located on the same LAN (192.168.1.9 and 192.168.1.13).
Question:
What is the result of executing the arp -a command on your PC?
It shows you the table of connections
b. The arp command on the Windows PC has another functionality. Enter arp /? at the command prompt and press enter. The arp command options enable you to view, add and remove ARP table entries if necessary.
Reflection
1. What is a benefit of keeping ARP cache entries in memory on the source computer?
Quick identification of MAC addresses using the IP
2. If the destination IPv4 address is not located on the same network as the source host, what MAC address will be used as the destination target MAC address in the frame?
00:00:00:00:00:00
© 2017 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public