Lab – use Wireshark to examine Ethernet Frames (Answers Version)

Answers Note: Red font color or gray highlights show text that appears in the answers copy only.

You are watching: What is significant about the contents of the destination address field

Topology

*
*

Step 4: research the Ethernet II header contents of one ARP request.

The complying with table bring away the an initial frame in the Wireshark capture and displays the data in the Ethernet II header fields.


Field

Value

Description

Preamble

Not presented in capture

This field contains synchronizing bits, handle by the NIC hardware.

Destination Address

 

 

 

Source Address

 

Broadcast (ff:ff:ff:ff:ff:ff)

 

 

 

Netgear_99:c5:72 (30:46:9a:99:c5:72)

Layer 2 addresses because that the frame. Each resolve is 48 bits long, or 6 octets, expressed together 12 hexadecimal digits, 0-9,A-F.A typical format is 12:34:56:78:9A:BC.

The very first six hex numbers suggest the manufacturer the the network interface card (NIC), the last six hex numbers are the serial variety of the NIC.

The destination resolve may it is in a broadcast, which has all ones, or a unicast. The resource address is always unicast.

Frame Type

0x0806

For Ethernet II frames, this field consists of a hexadecimal worth that is used to show the form of upper–layer protocol in the data field. There are countless upper–layer protocols supported by Ethernet II. Two common frame varieties are these:

Value Description

0x0800 IPv4 Protocol

0x0806 address Resolution Protocol (ARP)

Data

ARP

Contains the encapsulated upper–level protocol. The data ar is between 46 – 1,500 bytes.

FCS

Not displayed in capture

Frame inspect Sequence, supplied by the NIC to identify errors during transmission. The value is computed by the sending out device, encompassing framework addresses, type, and data field. It is proved by the receiver.


What is significant about the components of the destination deal with field?

All hosts on the LAN will obtain this broadcast frame. The host with the IP resolve of 192.168.1.1 (default gateway) will certainly send a unicast answer to the resource (PC host). This reply contains the MAC attend to of the NIC the the default gateway.

Why does the pc send out a transfer ARP prior to sending the an initial ping request?

The computer cannot send a ping inquiry to a hold until it identify the destination MAC address, so the it can develop the framework header for the ping request. The ARP transfer is supplied to inquiry the MAC deal with of the host with the IP attend to contained in the ARP.

What is the MAC attend to of the source in the an initial frame?

It varies; in this case, it is f0:1f:af:50:fd:c8.

What is the seller ID (OUI) the the source NIC in the ARP reply?

It varies, in this case, that is Netgear.

What part of the MAC attend to is the OUI?

The an initial 3 octets that the MAC attend to indicate the OUI.

What is the NIC serial number of the source?

It might vary, the is 99:c5:72 in this case.

Part 2: usage Wireshark to Capture and Analyze Ethernet Frames

In component 2, girlfriend will use Wireshark to record local and remote Ethernet frames. You will then research the info that is had in the framework header fields.

Step 1: identify the IP resolve of the default gateway on her PC.

Open a windows command prompt.

Open a command prompt home window and concern the ipconfig command.

What is the IP attend to of the pc default gateway?

Answers will vary.

Close a windows command prompt.

Step 2: Start recording traffic ~ above your pc NIC.

Open Wireshark to begin data capture.Observe the web traffic that shows up in the packet list window.

Step 3: Filter Wireshark to screen only ICMP traffic.

You can use the filter in Wireshark to block visibility of unwanted traffic. The filter does no block the catch of undesirable data; it only filters what you want to screen on the screen. For now, only ICMP traffic is to it is in displayed.

In the Wireshark Filter box, type icmp. The box must turn environment-friendly if friend typed the filter correctly. If the box is green, click apply (the best arrow) to use the filter.

Step 4: indigenous the command prompt window, ping the default gateway of your PC.

Open a windows command prompt.

From the command window, ping the default gateway utilizing the IP resolve that you videotaped in step 1.

Close home windows command prompt.

Step 5: Stop recording traffic on the NIC.

Click the Stop capturing Packets icon to stop recording traffic.

Step 6: research the an initial Echo (ping) request in Wireshark.

The Wireshark main window is divided into three sections: the packet perform pane (top), the Packet Details pane (middle), and the Packet Bytes pane (bottom). If friend selected the correct interface for packet catching previously, Wireshark should display the ICMP info in the packet list pane of Wireshark.

In the packet list pane (top section), click the first frame listed. You have to see Echo (ping) request under the info heading. The line need to now be highlighted.Examine the an initial line in the packet details pane (middle section). This line screens the size of the frame.The 2nd line in the packet details pane shows that the is one Ethernet II frame. The source and destination MAC addresses are likewise displayed.Questions:

What is the MAC deal with of the computer NIC?

Your answers will vary.

What is the default gateway’s MAC address?

Your answers will certainly vary.

You have the right to click the higher than (>) authorize at the beginning of the second line come obtain more information around the Ethernet II frame.Question:

What type of structure is displayed?

0x0800 or an IPv4 framework type.

The last two lines presented in the center section carry out information about the data field of the frame. Notification that the data consists of the source and location IPv4 attend to information.Questions:

What is the source IP address?

Your answers will vary.

What is the destination IP address?

Your answers will vary.

You deserve to click any type of line in the center section to to mark that component of the frame (hex and also ASCII) in the Packet Bytes pane (bottom section). Click the Internet manage Message Protocol line in the center section and also examine what is emphasize in the Packet Bytes pane.Question:

What do the last two highlighted octets spell?

hi

Click the next frame in the peak section and examine one Echo answer frame. Notification that the resource and location MAC addresses have reversed, since this framework was sent from the default gateway router as a reply to the first ping.Question:

What device and MAC attend to is shown as the location address?

Your answers will certainly vary.

Step 7: catch packets because that a far host.

Click the Start capture icon to begin a brand-new Wireshark capture. Friend will obtain a popup window asking if you would like to conserve the previous caught packets come a file before beginning a new capture. Click continue without Saving.

Open a home windows command prompt.

In a command prompt window, ping www.cisco.com.

Close a home windows command prompt.

Stop recording packets.Examine the brand-new data in the packet list pane the Wireshark.Questions:

In the first echo (ping) request frame, what room the resource and destination MAC addresses?

Source:

/span>.

This need to be the MAC attend to of the PC.

Destination:

This have to be the MAC deal with of the Default Gateway.

What room the source and destination IP addresses had in the data ar of the frame?

Source:

This is tho the IP attend to of the PC.

Destination:

This is the address of the server at www.cisco.com.

Compare these addresses to the addresses you received in action 6. The only attend to that adjusted is the destination IP address. Why has the location IP deal with changed, if the location MAC resolve remained the same?

Layer 2 frames never leave the LAN. As soon as a ping is issued to a remote host, the resource will use the default gateway MAC resolve for the structure destination. The default gateway receives the packet, strips the layer 2 framework information from the packet and then creates a brand-new frame header v the MAC deal with of the next hop. This process continues indigenous router come router till the packet will its location IP address.

See more: How Many Chapters Are In Of Mice And Me N? Chapter Summaries

Reflection Question

Wireshark does not screen the preamble ar of a frame header. What does the preamble contain?

The preamble field contains seven octets of alternative 1010 sequences, and also one octet the signals the start of the frame, 10101011.