220.127.116.11 Lab – Using Wireshark to Examine Ethernet Frames Answers
Lab – Using Wireshark to Examine Ethernet Frames (Answers Version – Optional Lab)
Answers Note: Red font shade or gray highlights indicate message that appears in the instructor copy just. Optional activities are designed to enhance knowledge or to carry out additional exercise or both.
You are watching: Why does the pc send out a broadcast arp prior to sending the first ping request?
Part 1: Examine the Header Fields in an Ethernet II Frame
Part 2: Use Wireshark to Catch and also Analyze Ethernet Frames
Background / Scenario
When top layer protocols communicate via each various other, information flows dvery own the Open Systems Interlink (OSI) layers and also is encapsulated into a Layer 2 frame. The structure composition is dependent on the media access kind. For instance, if the upper layer protocols are TCP and also IP and the media access is Ethernet, then the Layer 2 frame encapsulation will certainly be Ethernet II. This is typical for a LAN setting.
When learning about Layer 2 principles, it is helpful to analyze framework header indevelopment. In the initially component of this lab, you will testimonial the areas included in an Ethernet II framework. In Part 2, you will certainly use Wireshark to capture and analyze Ethernet II framework header areas for regional and remote website traffic.
Answers Note: This lab assumes that the student is using a COMPUTER through internet accessibility. It likewise assumes that Wireshark has been pre-installed on the COMPUTER. The screenshots in this lab were taken from Wireshark v2.4.3 for Windows 10 (64bit).
Required Resources1 PC (Windows 7, 8, or 10 with internet accessibility through Wireshark installed)
Part 1: Examine the Header Fields in an Ethernet II Frame
In Part 1, you will research the header areas and content in an Ethernet II framework. A Wireshark capture will certainly be used to study the contents in those areas.Tip 1: Review the Ethernet II header field descriptions and also lengths.
|8 Bytes||6 Bytes||6 Bytes||2 Bytes||46 – 1500 Bytes||4 Bytes|
This PC hold IP address is 192.168.1.147 and also the default gatemethod has an IP attend to of 192.168.1.1.
The Wireshark capture listed below reflects the packets created by a ping being issued from a COMPUTER organize to its default gatemethod. A filter has actually been applied to Wireshark to watch the ARP and ICMP protocols just. The session starts through an ARP query for the MAC deal with of the gatemeans rexternal, adhered to by four ping researches and replies.
The complying with table takes the first structure in the Wireshark capture and display screens the data in the Ethernet II header fields.
|Preamble||Not displayed in capture||This area contains synchronizing bits, processed by the NIC hardware.|
|Destination Address||Broadactors (ff:ff:ff:ff:ff:ff)||Layer 2 addresses for the framework. Each resolve is 48 bits long, or 6 octets, expressed as 12 hexadecimal digits, 0-9,A-F.A widespread format is 12:34:56:78:9A:BC.The first 6 hex numbers indicate the manufacturer of the netoccupational interconfront card (NIC), the last 6 hex numbers are the serial variety of the NIC.The destination attend to may be a broadactors, which consists of all ones, or a uniactors. The source address is always uniactors.|
|Source Address||BelkinIn_9f:6b:8c (14:91:82:9f:6b:8c)|
For Ethernet II frames, this area contains a hexadecimal worth that is used to show the type of upper-layer protocol in the information area. There are plenty of upper-layer protocols sustained by Ethernet II. Two widespread framework forms are these:
0x0800 IPv4 Protocol
0x0806 Address Resolution Protocol (ARP)
|Data||ARP||Contains the encapsulated upper-level protocol. The data field is in between 46 – 1,500 bytes.|
|FCS||Not presented in capture||Frame Check Sequence, offered by the NIC to determine errors in the time of transmission. The value is computed by the sending machine, encompassing structure addresses, type, and information area. It is verified by the receiver.|
What is significant about the contents of the location deal with field?
All hosts on the LAN will certainly receive this broadcast framework. The organize via the IP address of 192.168.1.1 (default gateway) will sfinish a unicast reply to the source (COMPUTER host). This reply contains the MAC attend to of the NIC of the default gateway.
Why does the PC sfinish out a broadcast ARP prior to sending the first ping request?
Before the COMPUTER have the right to send a ping repursuit to a host, it needs to identify the destination MAC resolve prior to it can build the frame header for that ping research. The ARP broadcast is provided to research the MAC attend to of the host with the IP resolve had in the ARP.
What is the MAC attend to of the resource in the first frame? _______________________ It varies; in this case, it is 14:91:82:9f:6b:8c
What is the Vendor ID (OUI) of the Source NIC? __________________________ It varies, in this situation, it is BelkinIn (Belkin International Inc.)
What portion of the MAC attend to is the OUI?
The first 3 octets of the MAC attend to suggest the OUI.
What is the NIC serial number of the source? _________________________________ It may differ, it is 9f:6b:8c in this case
Part 2: Use Wireshark to Record and Analyze Ethernet Frames
In Part 2, you will certainly usage Wireshark to capture regional and remote Ethernet frames. You will then study the indevelopment that is consisted of in the frame header fields.Tip 1: Determine the IP address of the default gatemethod on your PC.
Open a command prompt window and also problem the ipconfig command.
What is the IP address of the PC default gateway? ________________________ Answers will certainly varyTip 2: Start capturing traffic on your PC NIC.Cshed Wireshark. No need to conserve the recorded information.
You deserve to usage the filter in Wireshark to block visibility of undesirable website traffic. The filter does not block the capture of unwanted data; it just filters what to display screen on the screen. For now, only ICMP traffic is to be shown.
In the Wireshark Filter box, kind icmp. The box have to turn green if you typed the filter correctly. If the box is green, click Apply (the right arrow) to use the filter.
From the command also window, ping the default gatemeans utilizing the IP address that you videotaped in Tip 1.Step 5: Stop capturing website traffic on the NIC.
Click the Speak Capture icon to sheight capturing website traffic.
The Wireshark primary window is separated into 3 sections: the packet list pane (top), the Packet Details pane (middle), and also the Packet Bytes pane (bottom). If you schosen the correct interface for packet recording in Tip 3, Wireshark need to screen the ICMP information in the packet list pane of Wireshark, equivalent to the following instance.
Click the Start Capture icon to begin a new Wireshark capture. You will certainly get a popup home window asking if you would certainly prefer to conserve the previous recorded packets to a record before founding a brand-new capture. Click Continue without Saving.
In the initially echo (ping) request framework, what are the resource and also destination MAC addresses?
Source: _________________________________ This must be the MAC attend to of the COMPUTER.
Destination: ______________________________ This need to be the MAC attend to of the Default Gateway.
What are the source and location IP addresses included in the data field of the frame?
Source: _________________________________ This is still the IP deal with of the PC.
Destination: ______________________________ This is the attend to of the server at www.cisco.com, 18.104.22.168 in the example.
Compare these addresses to the addresses you received in Tip 6. The just deal with that readjusted is the location IP resolve. Why has the location IP attend to readjusted, while the location MAC address remained the same?
Layer 2 frames never before leave the LAN. When a ping is issued to a remote organize, the resource will certainly usage the default gatemeans MAC resolve for the structure destination. The default gatemethod receives the packet, strips the Layer 2 framework information from the packet and then creates a new structure header through the MAC attend to of the following hop. This process proceeds from router to rexternal till the packet reaches its location IP attend to.
See more: Why Were The Border States Important To The North During The Civil War Weegy
Wireshark does not display screen the preamble field of a framework header. What does the preamble contain?
The preamble area includes salso octets of alternating 1010 sequences, and also one octet that signals the beginning of the structure, 10101011.