
Lab - Using Wireshark to View Network Traffic

Objectives

Part 1: (Optional) Download and Install Wireshark

Part 2: Capture and Analyze Local ICMP Data in Wireshark

Start and stop data capture of ping traffic to local hosts.

Locate the IP and MAC address information in captured PDUs.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark

Start and stop data capture of ping traffic to remote hosts.

Locate the IP and MAC address information in captured PDUs.

Explain why MAC addresses for remote hosts are different than the MAC addresses of local hosts.

Background / Scenario

Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications.

Wireshark is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. This lab provides instructions for downloading and installing Wireshark, although it may already be installed. In this lab, you will use Wireshark to capture ICMP data packet IP addresses and Ethernet frame MAC addresses.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 20



Required Resources

1 PC (Windows 7, Vista, or XP with Internet access)

Additional PC(s) on a local-area network (LAN) will be used to reply to ping requests.

Part 1: (Optional) Download and Install Wireshark

Wireshark has become the industry standard packet-sniffer program used by network engineers. This open source software is available for many different operating systems, including Windows, Mac, and Linux. In Part 1 of this lab, you will download and install the Wireshark software program on your PC.

Note: If Wireshark is already installed on your PC, you can skip Part 1 and go directly to Part 2. If Wireshark is not installed on your PC, check with your instructor about your academy's software download policy.

Step 1: Download Wireshark.

a. Wireshark can be downloaded from www.wireshark.org.

b. Click Download Wireshark.

c. Choose the software version you need based on your PC's architecture and operating system. For instance, if you have a 64-bit PC running Windows, choose Windows Installer (64-bit).



After making a selection, the download should start. The location of the downloaded file depends on the browser and operating system that you use. For Windows users, the default location is the Downloads folder.

Step 2: Install Wireshark.

a. The downloaded file is named Wireshark-win64-x.x.x.exe, where x represents the version number. Double-click the file to start the installation process.

b. Respond to any security messages that may display on your screen. If you already have a copy of Wireshark on your PC, you will be prompted to uninstall the old version before installing the new version. It is recommended that you remove the old version of Wireshark prior to installing another version. Click Yes to uninstall the previous version of Wireshark.

c. If this is the first time to install Wireshark, or after you have completed the uninstall process, you will navigate to the Wireshark Setup wizard. Click Next.



d. Continue advancing through the installation process. Click I Agree when the License Agreement window displays.

e. Keep the default settings on the Choose Components window and click Next.



f. Choose your desired shortcut options and click Next.

g. You can change the installation location of Wireshark, but unless you have limited disk space, it is recommended that you keep the default location.



h. To capture live network data, WinPcap must be installed on your PC. If WinPcap is already installed on your PC, the Install check box will be unchecked. If your installed version of WinPcap is older than the version that comes with Wireshark, it is recommended that you allow the newer version to be installed by clicking the Install WinPcap x.x.x (version number) check box.

i. Finish the WinPcap Setup Wizard if installing WinPcap.

j. Wireshark starts installing its files and a separate window displays with the status of the installation. Click Next when the installation is complete.



k. Click Finish to complete the Wireshark install process.

Part 2: Capture and Analyze Local ICMP Data in Wireshark

In Part 2 of this lab, you will ping another PC on the LAN and capture ICMP requests and replies in Wireshark. You will also look inside the frames captured for specific information. This analysis should help to clarify how packet headers are used to transport data to their destination.

Step 1: Retrieve your PC's interface addresses.

For this lab, you will need to retrieve your PC's IP address and its network interface card (NIC) physical address, also called the MAC address.



a. Open a command window, type ipconfig /all, and then press Enter.

b. Note your PC interface's IP address and MAC (physical) address.

c. Ask a team member for their PC's IP address and provide your PC's IP address to them. Do not provide them with your MAC address at this time.

Step 2: Start Wireshark and begin capturing data.

a. On your PC, click the Windows Start button to see Wireshark listed as one of the programs on the pop-up menu. Double-click Wireshark.

b. After Wireshark starts, click Interface List.

Note: Clicking the first interface icon in the row of icons also opens the Interface List.



c. On the Wireshark: Capture Interfaces window, click the check box next to the interface connected to your LAN.

Note: If multiple interfaces are listed and you are unsure which interface to check, click the Details button, and then click the 802.3 (Ethernet) tab. Verify that the MAC address matches what you noted in Step 1b. Close the Interface Details window after verifying the correct interface.

d. After you have checked the correct interface, click Start to start the data capture.



Information will start scrolling down the top section in Wireshark. The data lines will appear in different colors based on protocol.

e. This information can scroll by very quickly depending on what communication is taking place between your PC and the LAN. We can apply a filter to make it easier to view and work with the data that is being captured by Wireshark. For this lab, we are only interested in displaying ICMP (ping) PDUs. Type icmp in the Filter box at the top of Wireshark and press Enter or click on the Apply button to view only ICMP (ping) PDUs.



f. This filter causes all data in the top window to disappear, but you are still capturing the traffic on the interface. Bring up the command prompt window that you opened earlier and ping the IP address that you received from your team member. Notice that you start seeing data appear in the top window of Wireshark again.

Note: If your team member's PC does not reply to your pings, this may be because their PC firewall is blocking these requests. Please see Appendix A: Allowing ICMP Traffic Through a Firewall for information on how to allow ICMP traffic through the firewall using Windows 7.

g. Stop capturing data by clicking the Stop Capture icon.


Step 3: Examine the captured data.

In Step 3, examine the data that was generated by the ping requests of your team member's PC. Wireshark data is displayed in three sections: 1) the top section displays the list of PDU frames captured with a summary of the IP packet information listed, 2) the middle section lists PDU information for the frame selected in the top part of the screen and separates a captured PDU frame by its protocol layers, and 3) the bottom section displays the raw data of each layer. The raw data is displayed in both hexadecimal and decimal form.

a. Click the first ICMP request PDU frame in the top section of Wireshark. Notice that the Source column has your PC's IP address, and the Destination column contains the IP address of the teammate's PC you pinged.



b. With this PDU frame still selected in the top section, navigate to the middle section. Click the plus sign to the left of the Ethernet II row to view the Destination and Source MAC addresses.

Does the Source MAC address match your PC's interface?

Does the Destination MAC address in Wireshark match the MAC address of your team member's PC?

How is the MAC address of the pinged PC obtained by your PC?

Note: In the preceding example of a captured ICMP request, ICMP data is encapsulated inside an IPv4 packet PDU (IPv4 header), which is then encapsulated in an Ethernet II frame PDU (Ethernet II header) for transmission on the LAN.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark

In Part 3, you will ping remote hosts (hosts not on the LAN) and examine the generated data from those pings. You will then determine what is different about this data from the data examined in Part 2.

Step 1: Start capturing data on interface.

a. Click the Interface List icon to bring up the list of PC interfaces again.



b. Make sure the check box next to the LAN interface is checked, and then click Start.

c. A window prompts to save the previously captured data before starting another capture. It is not necessary to save this data. Click Continue without Saving.



d. With the capture active, ping the following three website URLs:

1) www.yahoo.com

2) www.cisco.com

3) www.google.com

Note: When you ping the URLs listed, notice that the Domain Name Server (DNS) translates the URL to an IP address. Note the IP address received for each URL.

e. You can stop capturing data by clicking the Stop Capture icon.

Step 2: Examining and analyzing the data from the remote hosts.

a. Review the captured data in Wireshark, examine the IP and MAC addresses of the three locations that you pinged. List the destination IP and MAC addresses for all three locations in the space provided.

1st Location:

IP:

MAC:

2nd Location:

IP:

MAC:

3rd Location:

IP:

MAC:



b. What is significant about this information?

c. How does this information differ from the local ping information you received in Part 2?

Reflection

Why does Wireshark show the actual MAC address of the local hosts, but not the actual MAC address for the remote hosts?
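The following Python script is an added example, not part of the Cisco lab: it builds two constructed ICMP echo request frames (one to a teammate on the LAN, one to a remote web server), peels the Ethernet II, IPv4 and ICMP layers the way Wireshark's middle pane does (the encapsulation described in the Part 2 note), and shows why the destination MAC differs in the two cases. All MAC and IP addresses, the subnet 192.0.2.0/24 and the gateway MAC are constructed values.

```python
import ipaddress
import struct

def mac_str(raw):
    """Format six raw bytes the way Wireshark's Ethernet II row shows them."""
    return ":".join(f"{b:02x}" for b in raw)

def build_icmp_echo_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed Ethernet II + IPv4 + ICMP echo request (checksums left at 0)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + b"\x08\x00")                          # EtherType 0x0800 = IPv4
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 28, 1, 0, 64, 1, 0,  # IHL 5, len 28, TTL 64, proto 1 (ICMP)
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)     # type 8 = echo request, id 1, seq 1
    return eth + ipv4 + icmp

def parse_frame(frame):
    """Peel the layers shown in Wireshark's middle pane: Ethernet II -> IPv4 -> ICMP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length in bytes
    if frame[23] != 1:
        raise ValueError("not ICMP")
    return {
        "dst_mac": mac_str(frame[0:6]),
        "src_mac": mac_str(frame[6:12]),
        "src_ip": str(ipaddress.IPv4Address(frame[26:30])),
        "dst_ip": str(ipaddress.IPv4Address(frame[30:34])),
        "icmp_type": frame[14 + ihl],
    }

def classify_dst_mac(parsed, local_network, gateway_mac):
    """Say whose MAC the frame is addressed to: the pinged host itself if its IP is
    on the local subnet, otherwise the default gateway that forwards the packet."""
    if ipaddress.IPv4Address(parsed["dst_ip"]) in ipaddress.IPv4Network(local_network):
        return "local host"
    return "default gateway" if parsed["dst_mac"] == gateway_mac else "unexpected MAC"

if __name__ == "__main__":
    # Constructed values: your PC, a teammate on the LAN, the router, a remote web server.
    ME, TEAMMATE, GATEWAY = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "00:00:5e:00:01:01"
    local = build_icmp_echo_frame(TEAMMATE, ME, "192.0.2.10", "192.0.2.20")
    remote = build_icmp_echo_frame(GATEWAY, ME, "192.0.2.10", "198.51.100.7")
    for frame in (local, remote):
        p = parse_frame(frame)
        print(p["dst_ip"], "->", p["dst_mac"], classify_dst_mac(p, "192.0.2.0/24", GATEWAY))
```

The remote frame carries the web server's IP address but the router's MAC address, because Ethernet addressing only reaches the next hop on the LAN; that is the difference the Reflection question asks about.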

Appendix A: Allowing ICMP Traffic Through a Firewall

If the members of your team are unable to ping your PC, the firewall may be blocking those requests. This appendix describes how to create a rule in the firewall to allow ping requests. It also describes how to disable the new ICMP rule after you have completed the lab.

Step 1: Create a new inbound rule allowing ICMP traffic through the firewall.

a. From the Control Panel, click the System and Security option.

b. From the System and Security window, click Windows Firewall.



c. In the left pane of the Windows Firewall window, click Advanced settings.

d. On the Advanced Security window, choose the Inbound Rules option on the left sidebar and then click New Rule... on the right sidebar.



e. This launches the New Inbound Rule wizard. On the Rule Type screen, click the Custom radio button and click Next.

f. In the left pane, click the Protocol and Ports option and, using the Protocol type drop-down menu, select ICMPv4, and then click Next.



g. In the left pane, click the Name option and in the Name field, type Allow ICMP Requests. Click Finish.

This new rule should allow your team members to receive ping replies from your PC.

Step 2: Disabling or deleting the new ICMP rule.

After the lab is complete, you may want to disable or even delete the new rule you created in Step 1. Using the Disable Rule option allows you to enable the rule again at a later date. Deleting the rule permanently deletes it from the list of Inbound Rules.

a. On the Advanced Security window, in the left pane, click Inbound Rules and then locate the rule you created in Step 1.



b. To disable the rule, click the Disable Rule option. When you choose this option, you will see this option change to Enable Rule. You can toggle back and forth between Disable Rule and Enable Rule; the status of the rule also shows in the Enabled column of the Inbound Rules list.

c. To permanently delete the ICMP rule, click Delete. If you choose this option, you must re-create the rule again to allow ICMP replies.
