126.96.36.199 rap – making use of Wireshark to examine Ethernet Frames Answers
Lab – utilizing Wireshark to study Ethernet Frames (Answers version – Optional Lab)
Answers Note: Red font shade or gray highlights show text that appears in the instructor copy only. Optional activities are designed to boost understanding or come provide additional practice or both.
You are watching: Why does the pc send out a broadcast arp prior to sending the first ping request?
Part 1: examine the Header fields in one Ethernet II Frame
Part 2: use Wireshark come Capture and also Analyze Ethernet Frames
Background / Scenario
When top layer protocols communicate with every other, data flows down the open Systems Interconnection (OSI) layers and is encapsulated right into a great 2 frame. The frame composition is dependent on the media access type. For example, if the upper layer protocols room TCP and IP and also the media access is Ethernet, then the class 2 framework encapsulation will certainly be Ethernet II. This is usual for a LAN environment.
When learning around Layer 2 concepts, the is useful to analyze framework header information. In the first part the this lab, girlfriend will evaluation the fields contained in an Ethernet II frame. In part 2, you will use Wireshark to capture and also analyze Ethernet II structure header fields for local and remote traffic.
Answers Note: This lab assumes the the student is making use of a pc with web access. It also assumes that Wireshark has been pre-installed ~ above the PC. The screenshots in this lab to be taken native Wireshark v2.4.3 for home windows 10 (64bit).
Required Resources1 computer (Windows 7, 8, or 10 with internet accessibility with Wireshark installed)
Part 1: study the Header fields in an Ethernet II Frame
In component 1, you will research the header fields and content in an Ethernet II frame. A Wireshark record will be provided to study the materials in those fields.Step 1: testimonial the Ethernet II header field descriptions and lengths.
|8 Bytes||6 Bytes||6 Bytes||2 Bytes||46 – 1500 Bytes||4 Bytes|
This PC hold IP deal with is 192.168.1.147 and also the default gateway has actually an IP address of 192.168.1.1.
The Wireshark capture below shows the packets created by a ping being issued native a PC host to that default gateway. A filter has been applied to Wireshark to watch the ARP and ICMP protocols only. The session begins with an ARP query for the MAC attend to of the gateway router, followed by 4 ping requests and replies.
The complying with table take away the very first frame in the Wireshark capture and displays the data in the Ethernet II header fields.
|Preamble||Not shown in capture||This field consists of synchronizing bits, handle by the NIC hardware.|
|Destination Address||Broadcast (ff:ff:ff:ff:ff:ff)||Layer 2 addresses because that the frame. Each deal with is 48 bits long, or 6 octets, expressed as 12 hexadecimal digits, 0-9,A-F.A common format is 12:34:56:78:9A:BC.The an initial six hex numbers show the manufacturer of the network interface card (NIC), the last six hex numbers room the serial number of the NIC.The destination resolve may it is in a broadcast, which has all ones, or a unicast. The source address is always unicast.|
|Source Address||BelkinIn_9f:6b:8c (14:91:82:9f:6b:8c)|
For Ethernet II frames, this field consists of a hexadecimal value that is offered to show the kind of upper-layer protocol in the data field. There are many upper-layer protocols supported by Ethernet II. Two usual frame varieties are these:
0x0800 IPv4 Protocol
0x0806 address Resolution Protocol (ARP)
|Data||ARP||Contains the encapsulated upper-level protocol. The data field is between 46 – 1,500 bytes.|
|FCS||Not presented in capture||Frame examine Sequence, supplied by the NIC to recognize errors throughout transmission. The worth is computed through the sending out machine, encompassing frame addresses, type, and also data field. It is showed by the receiver.|
What is significant about the materials of the destination address field?
All master on the LAN will get this broadcast frame. The host with the IP address of 192.168.1.1 (default gateway) will certainly send a unicast answer to the resource (PC host). This reply contains the MAC resolve of the NIC that the default gateway.
Why go the computer send the end a transfer ARP before sending the an initial ping request?
Before the PC deserve to send a ping inquiry to a host, it requirements to recognize the location MAC address before the can develop the frame header for that ping request. The ARP broadcast is used to request the MAC address of the organize with the IP deal with contained in the ARP.
What is the MAC resolve of the resource in the first frame? _______________________ it varies; in this case, it is 14:91:82:9f:6b:8c
What is the seller ID (OUI) the the source NIC? __________________________ the varies, in this case, that is BelkinIn (Belkin global Inc.)
What part of the MAC attend to is the OUI?
The very first 3 octets of the MAC resolve indicate the OUI.
What is the NIC serial number of the source? _________________________________ It might vary, the is 9f:6b:8c in this case
Part 2: use Wireshark come Capture and Analyze Ethernet Frames
In part 2, friend will usage Wireshark to catch local and remote Ethernet frames. You will certainly then research the information that is had in the structure header fields.Step 1: recognize the IP address of the default gateway on her PC.
Open a command prompt window and worry the ipconfig command.
What is the IP resolve of the computer default gateway? ________________________ Answers will varyStep 2: Start recording traffic top top your computer NIC.Close Wireshark. No must save the caught data.
You deserve to use the filter in Wireshark come block visibility of unwanted traffic. The filter does no block the capture of undesirable data; it only filters what to display screen on the screen. Because that now, only ICMP traffic is to it is in displayed.
In the Wireshark Filter box, type icmp. The box must turn green if friend typed the filter correctly. If package is green, click Apply (the best arrow) to use the filter.
From the command window, ping the default gateway making use of the IP address that you videotaped in action 1.Step 5: Stop catching traffic top top the NIC.
Click the Stop Capture symbol to stop recording traffic.
The Wireshark main window is split into three sections: the packet perform pane (top), the Packet Details pane (middle), and also the Packet Bytes pane (bottom). If you selected the correct interface for packet capturing in action 3, Wireshark should display the ICMP details in the packet perform pane the Wireshark, comparable to the adhering to example.
Click the Start Capture icon to start a new Wireshark capture. You will get a popup home window asking if you would like to conserve the previous captured packets come a file before beginning a new capture. Click Continue without Saving.
In the very first echo (ping) request frame, what space the source and destination MAC addresses?
Source: _________________________________ This must be the MAC deal with of the PC.
Destination: ______________________________ This must be the MAC attend to of the Default Gateway.
What room the resource and location IP addresses had in the data field of the frame?
Source: _________________________________ This is quiet the IP attend to of the PC.
Destination: ______________________________ This is the resolve of the server in ~ www.cisco.com, 188.8.131.52 in the example.
Compare this addresses come the addresses you got in step 6. The only deal with that readjusted is the destination IP address. Why has the location IP resolve changed, if the location MAC deal with remained the same?
Layer 2 frames never leave the LAN. As soon as a ping is issued come a remote host, the source will usage the default gateway MAC address for the structure destination. The default gateway receive the packet, strips the layer 2 framework information from the packet and also then create a new frame header v the MAC deal with of the next hop. This process continues from router to router till the packet will its destination IP address.
See more: 15 Reasons You Should Get A Guy Who Can Do Both Ideas, Get You A Man That Can Do Both
Wireshark go not display screen the preamble field of a structure header. What go the preamble contain?
The preamble field includes seven octets of alternating 1010 sequences, and also one octet the signals the start of the frame, 10101011.