Provide steps on how to Use Wireshark to Capture and Analyze Ethernet Frames
You will use Wireshark to capture local and remote Ethernet frames. You will then examine
the information that is contained in the frame header fields.
Step 1. Examine the network configuration of H3.
a. Start and log into your CyberOps Workstation using the following credentials:
Username: analyst Password: cyberops
b. Open a terminal emulator to start mininet and enter the following command at the
prompt. When prompted, enter cyberops as the password.
```
[analyst@secOps ~]$ sudo /home/analyst/lab.support.files/scripts/cyberops_topo.py
[sudo] password for analyst:
```
c. At the mininet prompt, start terminal windows on host H3.
```
*** Starting CLI:
mininet> xterm H3
```
d. At the prompt on Node: H3, enter ifconfig to verify the IPv4 address and record the
MAC address.
e. At the prompt on Node: H3, enter netstat -r to display the default gateway information.
```
[root@secOps ~]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         10.0.0.1        0.0.0.0         UG        0 0          0 H3-eth0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 H3-eth0
```
f. What is the IP address of the default gateway for the host H3? 10.0.0.1
Step 2. Start capturing traffic on H3-eth0.
a. In the terminal window for Node: H3, enter arp -n to display the content of the ARP cache.
```
[root@secOps analyst]# arp -n
```
b. If there is any existing arp information in the cache, clear it by entering the following
command: arp -d IP-address. Repeat until all the cached information has been cleared.
```
[root@secOps analyst]# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.11                ether   5a:d0:1d:01:9f:be   C                     H3-eth0
[root@secOps analyst]# arp -d 10.0.0.11
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.11                        (incomplete)        C                     H3-eth0
```
c. In the terminal window for Node: H3, open Wireshark and start a packet capture on the
H3-eth0 interface.
```
[root@secOps analyst]# wireshark-gtk &
```
Step 3. Ping H1 from H3.
a. From the terminal on H3, ping the default gateway and stop after sending 5 echo request
packets.
```
[root@secOps analyst]# ping -c 5 10.0.0.1
```
b. After the ping is completed, stop the Wireshark capture.
Step 4. Filter Wireshark to display only ICMP traffic.
Apply the icmp filter to the captured traffic so only ICMP traffic is shown in the results.
Step 5. Examine the first Echo (ping) request in Wireshark.
The Wireshark main window is divided into three sections: the Packet List pane (top), the
Packet Details pane (middle), and the Packet Bytes pane (bottom). If you selected the correct
interface for packet capturing in Step 2, Wireshark should display the ICMP information in
the Packet List pane of Wireshark, similar to the following example.
a. In the Packet List pane (top section), click the first frame listed. You should see Echo
(ping) request under the Info heading. This should highlight the line blue.
b. Examine the first line in the Packet Details pane (middle section). This line displays the
length of the frame; 98 bytes in this example.
c. The second line in the Packet Details pane shows that it is an Ethernet II frame. The
source and destination MAC addresses are also displayed.
What is the MAC address of the PC’s NIC?
42:28:b2:24:e0:cb in example
What is the default gateway’s MAC address?
92:66:62:f0:14:21 in example
d. You can click the arrow at the beginning of the second line to obtain more information
about the Ethernet II frame.
What type of frame is displayed?
0x0800 or an IPv4 frame type.
e. The last two lines displayed in the middle section provide information about the
data field of the frame. Notice that the data contains the source and destination IPv4
address information.
What is the source IP address?
10.0.0.13 in the example
What is the destination IP address?
10.0.0.1 in the example
f. You can click any line in the middle section to highlight that part of the frame (hex and
ASCII) in the Packet Bytes pane (bottom section). Click the Internet Control Message
Protocol line in the middle section and examine what is highlighted in the Packet Bytes
pane.
g. Click the next frame in the top section and examine an Echo reply frame. Notice that
the source and destination MAC addresses have reversed, because this frame was sent
from the default gateway router as a reply to the first ping.
What device and MAC address is displayed as the destination address?
The host H3, 42:28:b2:24:e0:cb in example.
Step 6. Start a new capture in Wireshark.
a. Click the Start Capture icon to start a new Wireshark capture. You will receive a
popup window asking if you would like to save the previous captured packets to a file
before starting a new capture. Click Continue without Saving.
b. In the terminal window of Node: H3, send 5 echo request packets to 172.16.0.40.
c. Stop capturing packets when the pings are completed.
Step 7. Examine the new data in the packet list pane of Wireshark.
In the first echo (ping) request frame, what are the source and destination MAC addresses?
Source:
This should be the MAC address of the PC.
Destination:
This should be the MAC address of the Default Gateway.
What are the source and destination IP addresses contained in the data field of the frame?
Source:
This is still the IP address of the PC.
Destination:
This is the address of the server at 172.16.0.40.
Compare these addresses to the addresses you received in Step 5. The only address that changed is the destination IP address. Why has the destination IP address changed, while the destination MAC address remained the same?
Layer 2 frames never leave the LAN. When a ping is issued to a remote host, the source will use the Default Gateway's MAC address for the frame destination. The Default Gateway receives the packet, strips the Layer 2 frame information from the packet and then creates a new frame header with the next hop's MAC address. This process continues from router to router until the packet reaches its destination IP address.
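The frame fields examined in Step 5 and the local-versus-remote comparison from Step 7 can be reproduced offline. The following is an added example written for this page, not part of the lab: it builds the 98-byte Echo request frame from the example MAC and IP addresses given above (constructed values, matching the answer key) and decodes the same fields Wireshark shows in the Packet Details pane, so the only difference between the local and remote pings is visible in the parsed output.

```python
import struct

# Constructed example values, taken from the lab answer key above.
H3_MAC, GW_MAC = "42:28:b2:24:e0:cb", "92:66:62:f0:14:21"
H3_IP, GW_IP, SERVER_IP = "10.0.0.13", "10.0.0.1", "172.16.0.40"

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def checksum(data):
    """RFC 1071 ones'-complement checksum used by both IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(src_mac, dst_mac, src_ip, dst_ip, payload=bytes(56)):
    """Ethernet II (14) + IPv4 (20) + ICMP echo (8 + 56-byte payload) = 98 bytes."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload           # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000,
                     64, 1, 0, ip_bytes(src_ip), ip_bytes(dst_ip))  # protocol 1 = ICMP
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ip + icmp

def parse_frame(frame):
    """Decode the fields Wireshark shows in the Packet Details pane."""
    info = {"length": len(frame), "dst_mac": fmt_mac(frame[0:6]),
            "src_mac": fmt_mac(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] == 0x0800:                                 # IPv4 in the data field
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        info.update(src_ip=fmt_ip(ip[12:16]), dst_ip=fmt_ip(ip[16:20]),
                    protocol=ip[9], ip_checksum_ok=checksum(ip[:ihl]) == 0)
        if ip[9] == 1:                                              # ICMP
            icmp = ip[ihl:]
            info.update(icmp_type=icmp[0], icmp_checksum_ok=checksum(icmp) == 0)
    return info

if __name__ == "__main__":
    # Local ping (Step 5) and remote ping (Step 7): same destination MAC, different destination IP.
    for dst in (GW_IP, SERVER_IP):
        print(parse_frame(build_echo_request(H3_MAC, GW_MAC, H3_IP, dst)))
```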