rap – making use of Wireshark to examine Ethernet Frames Answers

Lab – utilizing Wireshark to study Ethernet Frames (Answers version – Optional Lab)

Answers Note: Red font shade or gray highlights show text that appears in the instructor copy only. Optional activities are designed to boost understanding or come provide additional practice or both.

You are watching: Why does the pc send out a broadcast arp prior to sending the first ping request?




Part 1: examine the Header fields in one Ethernet II Frame

Part 2: use Wireshark come Capture and also Analyze Ethernet Frames

Background / Scenario

When top layer protocols communicate with every other, data flows down the open Systems Interconnection (OSI) layers and is encapsulated right into a great 2 frame. The frame composition is dependent on the media access type. For example, if the upper layer protocols room TCP and IP and also the media access is Ethernet, then the class 2 framework encapsulation will certainly be Ethernet II. This is usual for a LAN environment.

When learning around Layer 2 concepts, the is useful to analyze framework header information. In the first part the this lab, girlfriend will evaluation the fields contained in an Ethernet II frame. In part 2, you will use Wireshark to capture and also analyze Ethernet II structure header fields for local and remote traffic.

Answers Note: This lab assumes the the student is making use of a pc with web access. It also assumes that Wireshark has been pre-installed ~ above the PC. The screenshots in this lab to be taken native Wireshark v2.4.3 for home windows 10 (64bit).

Required Resources

1 computer (Windows 7, 8, or 10 with internet accessibility with Wireshark installed)

Part 1: study the Header fields in an Ethernet II Frame

In component 1, you will research the header fields and content in an Ethernet II frame. A Wireshark record will be provided to study the materials in those fields.

Step 1: testimonial the Ethernet II header field descriptions and lengths.
8 Bytes6 Bytes6 Bytes2 Bytes46 – 1500 Bytes4 Bytes
Step 2: examine the network configuration of the PC.

This PC hold IP deal with is and also the default gateway has actually an IP address of


Step 3: study Ethernet frames in a Wireshark capture.

The Wireshark capture below shows the packets created by a ping being issued native a PC host to that default gateway. A filter has been applied to Wireshark to watch the ARP and ICMP protocols only. The session begins with an ARP query for the MAC attend to of the gateway router, followed by 4 ping requests and replies.


Step 4: research the Ethernet II header components of one ARP request.

The complying with table take away the very first frame in the Wireshark capture and displays the data in the Ethernet II header fields.

PreambleNot shown in captureThis field consists of synchronizing bits, handle by the NIC hardware.
Destination AddressBroadcast (ff:ff:ff:ff:ff:ff)Layer 2 addresses because that the frame. Each deal with is 48 bits long, or 6 octets, expressed as 12 hexadecimal digits, 0-9,A-F.A common format is 12:34:56:78:9A:BC.The an initial six hex numbers show the manufacturer of the network interface card (NIC), the last six hex numbers room the serial number of the NIC.The destination resolve may it is in a broadcast, which has all ones, or a unicast. The source address is always unicast.
Source AddressBelkinIn_9f:6b:8c (14:91:82:9f:6b:8c)
Frame Type0x0806

For Ethernet II frames, this field consists of a hexadecimal value that is offered to show the kind of upper-layer protocol in the data field. There are many upper-layer protocols supported by Ethernet II. Two usual frame varieties are these:

Value Description

0x0800 IPv4 Protocol

0x0806 address Resolution Protocol (ARP)

DataARPContains the encapsulated upper-level protocol. The data field is between 46 – 1,500 bytes.
FCSNot presented in captureFrame examine Sequence, supplied by the NIC to recognize errors throughout transmission. The worth is computed through the sending out machine, encompassing frame addresses, type, and also data field. It is showed by the receiver.

What is significant about the materials of the destination address field?


All master on the LAN will get this broadcast frame. The host with the IP address of (default gateway) will certainly send a unicast answer to the resource (PC host). This reply contains the MAC resolve of the NIC that the default gateway.

Why go the computer send the end a transfer ARP before sending the an initial ping request?


Before the PC deserve to send a ping inquiry to a host, it requirements to recognize the location MAC address before the can develop the frame header for that ping request. The ARP broadcast is used to request the MAC address of the organize with the IP deal with contained in the ARP.

What is the MAC resolve of the resource in the first frame? _______________________ it varies; in this case, it is 14:91:82:9f:6b:8c

What is the seller ID (OUI) the the source NIC? __________________________ the varies, in this case, that is BelkinIn (Belkin global Inc.)

What part of the MAC attend to is the OUI?


The very first 3 octets of the MAC resolve indicate the OUI.

What is the NIC serial number of the source? _________________________________ It might vary, the is 9f:6b:8c in this case

Part 2: use Wireshark come Capture and Analyze Ethernet Frames

In part 2, friend will usage Wireshark to catch local and remote Ethernet frames. You will certainly then research the information that is had in the structure header fields.

Step 1: recognize the IP address of the default gateway on her PC.

Open a command prompt window and worry the ipconfig command.

What is the IP resolve of the computer default gateway? ________________________ Answers will vary

Step 2: Start recording traffic top top your computer NIC.Close Wireshark. No must save the caught data.
Open Wireshark, begin data capture.
Observe the web traffic that shows up in the packet perform window.
Step 3: Filter Wireshark to display screen only ICMP traffic.

You deserve to use the filter in Wireshark come block visibility of unwanted traffic. The filter does no block the capture of undesirable data; it only filters what to display screen on the screen. Because that now, only ICMP traffic is to it is in displayed.

In the Wireshark Filter box, type icmp. The box must turn green if friend typed the filter correctly. If package is green, click Apply (the best arrow) to use the filter.


Step 4: indigenous the command note window, ping the default gateway of your PC.

From the command window, ping the default gateway making use of the IP address that you videotaped in action 1.

Step 5: Stop catching traffic top top the NIC.

Click the Stop Capture symbol to stop recording traffic.


Step 6: examine the first Echo (ping) inquiry in Wireshark.

The Wireshark main window is split into three sections: the packet perform pane (top), the Packet Details pane (middle), and also the Packet Bytes pane (bottom). If you selected the correct interface for packet capturing in action 3, Wireshark should display the ICMP details in the packet perform pane the Wireshark, comparable to the adhering to example.


In the packet list pane (top section), click the very first frame listed. You must see Echo (ping) request under the Info heading. This must highlight the heat blue.Examine the an initial line in the packet details pane (middle section). This line screens the size of the frame; 74 bytes in this example.The second line in the packet details pane shows that that is an Ethernet II frame. The resource and destination MAC addresses are also displayed.What is the MAC deal with of the computer NIC? ________________________ 00:26:b9:dd:00:91 in exampleWhat is the default gateway’s MAC address? ______________________ 14:91:82:9f:6b:8c in exampleYou can click the add to (+) sign at the start of the 2nd line come obtain an ext information about the Ethernet II frame. Notice that the plus sign changes to a minus (-) sign.What type of frame is displayed? ________________________________ 0x0800 or one IPv4 frame type.The last 2 lines presented in the center section administer information around the data ar of the frame. An alert that the data has the resource and location IPv4 attend to information.What is the resource IP address? _________________________________ in the exampleWhat is the location IP address? ______________________________ in the exampleYou can click any line in the middle section to to mark that component of the frame (hex and also ASCII) in the Packet Bytes pane (bottom section). Click the Internet regulate Message Protocol heat in the center section and examine what is emphasize in the Packet Bytes pane.
What carry out the last two highlighted octets spell? ______ hiClick the next framework in the top section and also examine one Echo answer frame. An alert that the source and location MAC addresses have actually reversed, due to the fact that this structure was sent out from the default gateway router together a reply to the very first ping.What maker and MAC attend to is presented as the destination address?___________________________________________ The host PC, 00:26:b9:dd:00:91 in example.Step 7: Restart packet record in Wireshark.

Click the Start Capture icon to start a new Wireshark capture. You will get a popup home window asking if you would like to conserve the previous captured packets come a file before beginning a new capture. Click Continue without Saving.


Step 8: In the command note window, ping www.cisco.com.Step 9: Stop capturing packets.Step 10: examine the new data in the packet perform pane that Wireshark.

In the very first echo (ping) request frame, what space the source and destination MAC addresses?

Source: _________________________________ This must be the MAC deal with of the PC.

Destination: ______________________________ This must be the MAC attend to of the Default Gateway.

What room the resource and location IP addresses had in the data field of the frame?

Source: _________________________________ This is quiet the IP attend to of the PC.

Destination: ______________________________ This is the resolve of the server in ~ www.cisco.com, in the example.

Compare this addresses come the addresses you got in step 6. The only deal with that readjusted is the destination IP address. Why has the location IP resolve changed, if the location MAC deal with remained the same?


Layer 2 frames never leave the LAN. As soon as a ping is issued come a remote host, the source will usage the default gateway MAC address for the structure destination. The default gateway receive the packet, strips the layer 2 framework information from the packet and also then create a new frame header v the MAC deal with of the next hop. This process continues from router to router till the packet will its destination IP address.

See more: 15 Reasons You Should Get A Guy Who Can Do Both Ideas, Get You A Man That Can Do Both


Wireshark go not display screen the preamble field of a structure header. What go the preamble contain?


The preamble field includes seven octets of alternating 1010 sequences, and also one octet the signals the start of the frame, 10101011.