Lab – Using Wireshark to Examine Ethernet Frames Answers

Lab – Using Wireshark to Examine Ethernet Frames (Answers Version – Optional Lab)

Answers Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Part 1: Examine the Header Fields in an Ethernet II Frame

Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

Background / Scenario

When upper layer protocols communicate with each other, data flows down the Open Systems Interconnection (OSI) layers and is encapsulated into a Layer 2 frame. The frame composition is dependent on the media access type. For example, if the upper layer protocols are TCP and IP and the media access is Ethernet, then the Layer 2 frame encapsulation will be Ethernet II. This is typical for a LAN environment.

When learning about Layer 2 concepts, it is helpful to analyze frame header information. In the first part of this lab, you will review the fields contained in an Ethernet II frame. In Part 2, you will use Wireshark to capture and analyze Ethernet II frame header fields for local and remote traffic.

Answers Note: This lab assumes that the student is using a PC with internet access. It also assumes that Wireshark has been pre-installed on the PC. The screenshots in this lab were taken from Wireshark v2.4.3 for Windows 10 (64bit).

Required Resources

1 PC (Windows 7, 8, or 10 with internet access and Wireshark installed)

Part 1: Examine the Header Fields in an Ethernet II Frame

In Part 1, you will examine the header fields and content in an Ethernet II frame. A Wireshark capture will be used to examine the contents in those fields.

Step 1: Review the Ethernet II header field descriptions and lengths.

Field                 Length
Preamble              8 Bytes
Destination Address   6 Bytes
Source Address        6 Bytes
Frame Type            2 Bytes
Data                  46 – 1500 Bytes
FCS                   4 Bytes

Step 2: Examine the network configuration of the PC.

This PC host IP address is and the default gateway has an IP address of


Step 3: Examine Ethernet frames in a Wireshark capture.

The Wireshark capture below shows the packets generated by a ping being issued from a PC host to its default gateway. A filter has been applied to Wireshark to view the ARP and ICMP protocols only. The session begins with an ARP query for the MAC address of the gateway router, followed by four ping requests and replies.


Step 4: Examine the Ethernet II header contents of an ARP request.

The following table takes the first frame in the Wireshark capture and displays the data in the Ethernet II header fields.

Field: Preamble
Value: Not shown in capture
Description: This field contains synchronizing bits, processed by the NIC hardware.

Field: Destination Address
Value: Broadcast (ff:ff:ff:ff:ff:ff)
Description: Layer 2 addresses for the frame. Each address is 48 bits long, or 6 octets, expressed as 12 hexadecimal digits, 0-9,A-F. A common format is 12:34:56:78:9A:BC. The first 6 hex numbers indicate the manufacturer of the network interface card (NIC), the last 6 hex numbers are the serial number of the NIC. The destination address may be a broadcast, which contains all ones, or a unicast. The source address is always unicast.

Field: Source Address
Value: BelkinIn_9f:6b:8c (14:91:82:9f:6b:8c)
Description: See Destination Address.

Field: Frame Type
Value: 0x0806
Description: For Ethernet II frames, this field contains a hexadecimal value that is used to indicate the type of upper-layer protocol in the data field. There are numerous upper-layer protocols supported by Ethernet II. Two common frame types are these:

Value    Description
0x0800   IPv4 Protocol
0x0806   Address Resolution Protocol (ARP)

Field: Data
Value: ARP
Description: Contains the encapsulated upper-level protocol. The data field is between 46 – 1,500 bytes.

Field: FCS
Value: Not shown in capture
Description: Frame Check Sequence, used by the NIC to identify errors during transmission. The value is computed by the sending machine, encompassing frame addresses, type, and data field. It is verified by the receiver.

What is significant about the contents of the destination address field?


All hosts on the LAN will receive this broadcast frame. The host with the IP address of (default gateway) will send a unicast reply to the source (PC host). This reply contains the MAC address of the NIC of the default gateway.

Why does the PC send out a broadcast ARP prior to sending the first ping request?


Before the PC can send a ping request to a host, it needs to determine the destination MAC address before it can build the frame header for that ping request. The ARP broadcast is used to request the MAC address of the host with the IP address contained in the ARP.

What is the MAC address of the source in the first frame? _______________________ It varies; in this case, it is 14:91:82:9f:6b:8c

What is the Vendor ID (OUI) of the Source NIC? __________________________ It varies; in this case, it is BelkinIn (Belkin International Inc.)

What portion of the MAC address is the OUI?


The first 3 octets of the MAC address indicate the OUI.

What is the NIC serial number of the source? _________________________________ It may vary; it is 9f:6b:8c in this case
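The following added example (not part of the original lab) builds an ARP request frame like the first frame in the capture above and then parses it the way the table in Step 4 describes: destination and source MAC, OUI and NIC serial portions, EtherType, data length, and a check of the FCS. The source MAC is the Belkin address from the lab; the IP addresses are constructed sample values, and the preamble is assumed to have been stripped by the NIC, as in a Wireshark capture.

```python
import struct
import zlib

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}   # the two types listed on the page

def mac_str(raw):
    """Format raw bytes as colon-separated hex, the way Wireshark shows them."""
    return ":".join(f"{b:02x}" for b in raw)

def parse_ethernet_ii(frame):
    """Parse an Ethernet II frame (preamble already stripped) and verify its FCS.
    Layout: 6-byte dst, 6-byte src, 2-byte type, 46-1500 bytes data, 4-byte FCS
    (CRC-32 over everything before it, transmitted least-significant byte first)."""
    if len(frame) < 64:                     # 14 header + 46 data + 4 FCS
        raise ValueError("runt frame: %d bytes" % len(frame))
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    data, fcs = frame[14:-4], frame[-4:]
    expected = struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF)
    if dst == b"\xff" * 6:
        kind = "broadcast"
    elif dst[0] & 0x01:                     # I/G bit set: group address
        kind = "multicast"
    else:
        kind = "unicast"
    return {
        "destination": mac_str(dst),
        "destination_kind": kind,
        "source": mac_str(src),
        "source_oui": mac_str(src[:3]),     # first 3 octets: vendor (OUI)
        "source_serial": mac_str(src[3:]),  # last 3 octets: NIC serial number
        "type": etype,
        "type_name": ETHERTYPES.get(etype, "unknown"),
        "data_length": len(data),
        "fcs_ok": fcs == expected,
    }

def build_arp_request(src_mac, src_ip, target_ip):
    """Build an ARP request frame like the first frame in the lab capture.
    The IP addresses are constructed sample values, not from the capture."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src_mac, src_ip, b"\x00" * 6, target_ip)
    data = arp.ljust(46, b"\x00")           # pad to the 46-byte minimum
    body = b"\xff" * 6 + src_mac + struct.pack("!H", 0x0806) + data
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

# Constructed sample: the lab's Belkin source MAC, RFC 5737 documentation IPs
SAMPLE = build_arp_request(bytes.fromhex("1491829f6b8c"),
                           bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
```

A receiver that sees fcs_ok come back False on a frame of the right length is looking at exactly the transmission error the FCS field is there to catch.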

Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

In Part 2, you will use Wireshark to capture local and remote Ethernet frames. You will then examine the information that is contained in the frame header fields.

Step 1: Determine the IP address of the default gateway on your PC.

Open a command prompt window and issue the ipconfig command.

What is the IP address of the PC default gateway? ________________________ Answers will vary

Step 2: Start capturing traffic on your PC NIC.

Open Wireshark, start data capture.

Observe the traffic that appears in the packet list window.

Close Wireshark. No need to save the captured data.

Step 3: Filter Wireshark to display only ICMP traffic.

You can use the filter in Wireshark to block visibility of unwanted traffic. The filter does not block the capture of unwanted data; it only filters what to display on the screen. For now, only ICMP traffic is to be displayed.

In the Wireshark Filter box, type icmp. The box should turn green if you typed the filter correctly. If the box is green, click Apply (the right arrow) to apply the filter.


Step 4: From the command prompt window, ping the default gateway of your PC.

From the command window, ping the default gateway using the IP address that you recorded in Step 1.

Step 5: Stop capturing traffic on the NIC.

Click the Stop Capture icon to stop capturing traffic.


Step 6: Examine the first Echo (ping) request in Wireshark.

The Wireshark main window is divided into three sections: the packet list pane (top), the Packet Details pane (middle), and the Packet Bytes pane (bottom). If you selected the correct interface for packet capturing in Step 3, Wireshark should display the ICMP information in the packet list pane of Wireshark, similar to the following example.


In the packet list pane (top section), click the first frame listed. You should see Echo (ping) request under the Info heading. This should highlight the line blue.

Examine the first line in the packet details pane (middle section). This line displays the length of the frame; 74 bytes in this example.

The second line in the packet details pane shows that it is an Ethernet II frame. The source and destination MAC addresses are also displayed.

What is the MAC address of the PC NIC? ________________________ 00:26:b9:dd:00:91 in example

What is the default gateway's MAC address? ______________________ 14:91:82:9f:6b:8c in example

You can click the plus (+) sign at the beginning of the second line to obtain more information about the Ethernet II frame. Notice that the plus sign changes to a minus (-) sign.

What type of frame is displayed? ________________________________ 0x0800 or an IPv4 frame type.

The last two lines displayed in the middle section provide information about the data field of the frame. Notice that the data contains the source and destination IPv4 address information.

What is the source IP address? _________________________________ in the example

What is the destination IP address? ______________________________ in the example

You can click any line in the middle section to highlight that part of the frame (hex and ASCII) in the Packet Bytes pane (bottom section). Click the Internet Control Message Protocol line in the middle section and examine what is highlighted in the Packet Bytes pane.

What do the last two highlighted octets spell? ______ hi

Click the next frame in the top section and examine an Echo reply frame. Notice that the source and destination MAC addresses have reversed, because this frame was sent from the default gateway router as a reply to the first ping.

What device and MAC address is displayed as the destination address? ___________________________________________ The host PC, 00:26:b9:dd:00:91 in example.

Step 7: Restart packet capture in Wireshark.

Click the Start Capture icon to start a new Wireshark capture. You will get a popup window asking if you would like to save the previous captured packets to a file before starting a new capture. Click Continue without Saving.


Step 8: In the command prompt window, ping www.cisco.com.

Step 9: Stop capturing packets.

Step 10: Examine the new data in the packet list pane of Wireshark.

In the first echo (ping) request frame, what are the source and destination MAC addresses?

Source: _________________________________ This should be the MAC address of the PC.

Destination: ______________________________ This should be the MAC address of the Default Gateway.

What are the source and destination IP addresses contained in the data field of the frame?

Source: _________________________________ This is still the IP address of the PC.

Destination: ______________________________ This is the address of the server at www.cisco.com, in the example.

Compare these addresses to the addresses you received in Step 6. The only address that changed is the destination IP address. Why has the destination IP address changed, while the destination MAC address remained the same?


Layer 2 frames never leave the LAN. When a ping is issued to a remote host, the source will use the default gateway MAC address for the frame destination. The default gateway receives the packet, strips the Layer 2 frame information from the packet and then creates a new frame header with the MAC address of the next hop. This process continues from router to router until the packet reaches its destination IP address.
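The decision described in the answer above, written out as an added example (not part of the original lab): the sending host picks the destination itself as the next hop when it is on the local subnet and the default gateway otherwise, then looks that next hop up in its ARP cache; a cache miss is the case in which the host must first broadcast an ARP request, as seen in Part 1. The subnet, host addresses and cache contents are constructed sample values; only the gateway MAC comes from the lab capture.

```python
import ipaddress

# Constructed sample host configuration and ARP cache (not from the lab capture).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
GATEWAY_IP = ipaddress.ip_address("192.0.2.1")
ARP_CACHE = {
    "192.0.2.1": "14:91:82:9f:6b:8c",    # default gateway, MAC from the lab capture
    "192.0.2.20": "00:00:5e:00:53:01",   # another local host, constructed address
}

def next_hop_ip(dst_ip):
    """Return the IP whose MAC belongs in the frame header: the destination itself
    if it is on the local subnet, otherwise the default gateway, because the
    Layer 2 frame never leaves the LAN."""
    dst = ipaddress.ip_address(dst_ip)
    return dst if dst in LOCAL_NET else GATEWAY_IP

def frame_destination_mac(dst_ip, arp_cache=ARP_CACHE):
    """Resolve the destination MAC for a frame carrying a packet to dst_ip.
    Returns (mac, next_hop). mac is None when the cache has no entry for the
    next hop, meaning the host must broadcast an ARP request before the ping."""
    hop = str(next_hop_ip(dst_ip))
    return arp_cache.get(hop), hop
```

Pinging the gateway, pinging a remote server and pinging an unknown local host therefore resolve to the gateway MAC, the gateway MAC again, and an ARP request respectively.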

Wireshark does not display the preamble field of a frame header. What does the preamble contain?


The preamble field contains seven octets of alternating 1010 sequences, and one octet that signals the beginning of the frame, 10101011.