Lab - Using Wireshark to View Network Traffic

Topology

Objectives

Part 1: (Optional) Download and Install Wireshark

Part 2: Capture and Analyze Local ICMP Data in Wireshark
Start and stop data capture of ping traffic to local hosts.
Locate the IP and MAC address information in captured PDUs.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark
Start and stop data capture of ping traffic to remote hosts.
Locate the IP and MAC address information in captured PDUs.
Explain why MAC addresses for remote hosts are different than the MAC addresses of local hosts.

Background / Scenario

Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications.

Wireshark is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. This lab provides instructions for downloading and installing Wireshark, although it may already be installed. In this lab, you will use Wireshark to capture ICMP data packet IP addresses and Ethernet frame MAC addresses.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 20
Required Resources

1 PC (Windows 7, Vista, or XP with Internet access)
Additional PC(s) on a local-area network (LAN) will be used to reply to ping requests.

Part 1: (Optional) Download and Install Wireshark

Wireshark has become the industry standard packet-sniffer program used by network engineers. This open source software is available for many different operating systems, including Windows, Mac, and Linux. In Part 1 of this lab, you will download and install the Wireshark software program on your PC.

Note: If Wireshark is already installed on your PC, you can skip Part 1 and go directly to Part 2. If Wireshark is not installed on your PC, check with your instructor about your academy's software download policy.

Step 1: Download Wireshark.

a. Wireshark can be downloaded from www.wireshark.org.

b. Click Download Wireshark.

c. Choose the software version you need based on your PC's architecture and operating system. For instance, if you have a 64-bit PC running Windows, choose Windows Installer (64-bit).
After making a selection, the download should start. The location of the downloaded file depends on the browser and operating system that you use. For Windows users, the default location is the Downloads folder.

Step 2: Install Wireshark.

a. The downloaded file is named Wireshark-win64-x.x.x.exe, where x represents the version number. Double-click the file to start the installation process.

b. Respond to any security messages that may display on your screen. If you already have a copy of Wireshark on your PC, you will be prompted to uninstall the old version before installing the new version. It is recommended that you remove the old version of Wireshark prior to installing another version. Click Yes to uninstall the previous version of Wireshark.

c. If this is the first time to install Wireshark, or after you have completed the uninstall process, you will navigate to the Wireshark Setup wizard. Click Next.
d. Continue advancing through the installation process. Click I Agree when the License Agreement window displays.

e. Keep the default settings on the Choose Components window and click Next.
f. Choose your desired shortcut options and click Next.

g. You can change the installation location of Wireshark, but unless you have limited disk space, it is recommended that you keep the default location.
h. To capture live network data, WinPcap must be installed on your PC. If WinPcap is already installed on your PC, the Install check box will be unchecked. If your installed version of WinPcap is older than the version that comes with Wireshark, it is recommended that you allow the newer version to be installed by clicking the Install WinPcap x.x.x.x (version number) check box.

i. Finish the WinPcap Setup Wizard if installing WinPcap.

j. Wireshark starts installing its files and a separate window displays with the status of the installation. Click Next when the installation is complete.
k. Click Finish to complete the Wireshark install process.

Part 2: Capture and Analyze Local ICMP Data in Wireshark

In Part 2 of this lab, you will ping another PC on the LAN and capture ICMP requests and replies in Wireshark. You will also look inside the frames captured for specific information. This analysis should help to clarify how packet headers are used to transport data to their destination.

Step 1: Retrieve your PC's interface addresses.

For this lab, you will need to retrieve your PC's IP address and its network interface card (NIC) physical address, also called the MAC address.
a. Open a command window, type ipconfig /all, and then press Enter.

b. Note your PC interface's IP address and MAC (physical) address.

c. Ask a team member for their PC's IP address and provide your PC's IP address to them. Do not provide them with your MAC address at this time.

Step 2: Start Wireshark and begin capturing data.

a. On your PC, click the Windows Start button to see Wireshark listed as one of the programs on the pop-up menu. Double-click Wireshark.

b. After Wireshark starts, click Interface List.

Note: Clicking the first interface icon in the row of icons also opens the Interface List.
c. On the Wireshark: Capture Interfaces window, click the check box next to the interface connected to your LAN.

Note: If multiple interfaces are listed and you are unsure which interface to check, click the Details button, and then click the 802.3 (Ethernet) tab. Verify that the MAC address matches what you noted in Step 1b. Close the Interface Details window after verifying the correct interface.

d. After you have checked the correct interface, click Start to start the data capture.
Information will start scrolling down the top section in Wireshark. The data lines will appear in different colors based on protocol.

e. This information can scroll by very quickly depending on what communication is taking place between your PC and the LAN. We can apply a filter to make it easier to view and work with the data that is being captured by Wireshark. For this lab, we are only interested in displaying ICMP (ping) PDUs. Type icmp in the Filter box at the top of Wireshark and press Enter or click on the Apply button to view only ICMP (ping) PDUs.
f. This filter causes all data in the top window to disappear, but you are still capturing the traffic on the interface. Bring up the command prompt window that you opened earlier and ping the IP address that you received from your team member. Notice that you start seeing data appear in the top window of Wireshark again.

Note: If your team member's PC does not reply to your pings, this may be because their PC firewall is blocking these requests. Please see Appendix A: Allowing ICMP Traffic Through a Firewall for information on how to allow ICMP traffic through the firewall using Windows 7.

g. Stop capturing data by clicking the Stop Capture icon.
Step 3: Examine the captured data.

In Step 3, examine the data that was generated by the ping requests of your team member's PC. Wireshark data is displayed in three sections: 1) The top section displays the list of PDU frames captured with a summary of the IP packet information listed, 2) the middle section lists PDU information for the frame selected in the top part of the screen and separates a captured PDU frame by its protocol layers, and 3) the bottom section displays the raw data of each layer. The raw data is displayed in both hexadecimal and decimal form.

a. Click the first ICMP request PDU frame in the top section of Wireshark. Notice that the Source column has your PC's IP address, and the Destination column contains the IP address of the teammate's PC you pinged.
b. With this PDU frame still selected in the top section, navigate to the middle section. Click the plus sign to the left of the Ethernet II row to view the Destination and Source MAC addresses.

Does the Source MAC address match your PC's interface?

Does the Destination MAC address in Wireshark match your team member's MAC address?

How is the MAC address of the pinged PC obtained by your PC?

Note: In the preceding example of a captured ICMP request, ICMP data is encapsulated inside an IPv4 packet PDU (IPv4 header) which is then encapsulated in an Ethernet II frame PDU (Ethernet II header) for transmission on the LAN.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark

In Part 3, you will ping remote hosts (hosts not on the LAN) and examine the generated data from those pings. You will then determine what is different about this data from the data examined in Part 2.

Step 1: Start capturing data on the interface.

a. Click the Interface List icon to bring up the list of PC interfaces again.
b. Make sure the check box next to the LAN interface is checked, and then click Start.

c. A window prompts to save the previously captured data before starting another capture. It is not necessary to save this data. Click Continue without Saving.
d. With the capture active, ping the following three website URLs:

1) www.yahoo.com
2) www.cisco.com
3) www.google.com

Note: When you ping the URLs listed, notice that the Domain Name Server (DNS) translates the URL to an IP address. Note the IP address received for each URL.

e. You can stop capturing data by clicking the Stop Capture icon.

Step 2: Examining and analyzing the data from the remote hosts.

a. Review the captured data in Wireshark and examine the IP and MAC addresses of the three locations that you pinged. List the destination IP and MAC addresses for all three locations in the space provided.

1st Location: IP: ____________ MAC: ____________
2nd Location: IP: ____________ MAC: ____________
3rd Location: IP: ____________ MAC: ____________
b. What is significant about this information?

c. How does this information differ from the local ping information you received in Part 2?

Reflection

Why does Wireshark show the actual MAC address of the local hosts, but not the actual MAC address for the remote hosts?

Appendix A: Allowing ICMP Traffic Through a Firewall

If the members of your team are unable to ping your PC, the firewall may be blocking those requests. This appendix describes how to create a rule in the firewall to allow ping requests. It also describes how to disable the new ICMP rule after you have completed the lab.

Step 1: Create a new inbound rule allowing ICMP traffic through the firewall.

a. From the Control Panel, click the System and Security option.

b. From the System and Security window, click Windows Firewall.
c. In the left pane of the Windows Firewall window, click Advanced settings.

d. On the Advanced Security window, choose the Inbound Rules option on the left sidebar and then click New Rule… on the right sidebar.
e. This launches the New Inbound Rule wizard. On the Rule Type screen, click the Custom radio button and click Next.

f. In the left pane, click the Protocol and Ports option and, using the Protocol type drop-down menu, select ICMPv4, and then click Next.
g. In the left pane, click the Name option and in the Name field, type Allow ICMP Requests. Click Finish.

This new rule should allow your team members to receive ping replies from your PC.

Step 2: Disabling or deleting the new ICMP rule.

After the lab is complete, you may want to disable or even delete the new rule you created in Step 1. Using the Disable Rule option allows you to enable the rule again at a later date. Deleting the rule permanently deletes it from the list of Inbound Rules.

a. On the Advanced Security window, in the left pane, click Inbound Rules and then locate the rule you created in Step 1.
b. To disable the rule, click the Disable Rule option. When you choose this option, you will see this option change to Enable Rule. You can toggle back and forth between Disable Rule and Enable Rule; the status of the rule also shows in the Enabled column of the Inbound Rules list.

c. To permanently delete the ICMP rule, click Delete. If you choose this option, you must re-create the rule again to allow ICMP replies.