Lab - Using Wireshark to View Network Traffic
Name: Parth R. Patel

Topology
Objectives
Part 1: (Optional) Download and Install Wireshark
Part 2: Capture and Analyze Local ICMP Data in Wireshark
Part 3: Capture and Analyze Remote ICMP Data in Wireshark

Background / Scenario
Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specification. Wireshark is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. This lab provides instructions for downloading and installing Wireshark, although it may already be installed. In this lab, you will use Wireshark to capture the IP addresses of ICMP data packets and the MAC addresses of the Ethernet frames that carry them.

Required Resources
• 1 PC (Windows 7, Vista, or XP with Internet access)
• Additional PC(s) on a local-area network (LAN) will be used to reply to ping requests.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Part 1: (Optional) Download and Install Wireshark

In Part 1 of this lab, you will download and install the Wireshark software program on your PC.

Note: If Wireshark is already installed on your PC, you can skip Part 1 and go directly to Part 2. If Wireshark is not installed on your PC, check with your instructor about your academy
c. Ask a team member for their PC
Note: Clicking the first interface icon in the row of icons also opens the Interface List.

c. In the Wireshark: Capture Interfaces window, click the check box next to the interface connected to your LAN.

Note: If multiple interfaces are listed and you are unsure which interface to check, click the Details button, and then click the 802.3 (Ethernet) tab. Verify that the MAC address matches what you noted in Step 1b. Close the Interface Details window after verifying the correct interface.

d. After you have checked the correct interface, click Start to start the data capture. Information will start scrolling down the top section in Wireshark. The data lines will appear in different colors based on protocol.

e. This information can scroll by very quickly depending on what communication is taking place between your PC and the LAN. We can apply a filter to make it easier to view and work with the data that is being captured by Wireshark. For this lab, we are only interested in displaying ICMP (ping) PDUs. Type icmp in the Filter box at the top of Wireshark and press Enter or click the Apply button to view only ICMP (ping) PDUs.
f. This filter causes all data in the top window to disappear, but you are still capturing the traffic on the interface (icmp is a display filter, not a capture filter). Bring up the command prompt window that you opened earlier and ping the IP address that you received from your team member. Notice that you start seeing data appear in the top window of Wireshark again.

Note: If your team member
Step 3: Examine the captured data.

In Step 3, examine the data that was generated by the ping requests of your team member

[Figure: the Wireshark window, with its Top Section, Middle Section, and Bottom Section labeled]
a. Click the first ICMP request PDU frame in the top section of Wireshark. Notice that the Source column has your PC

b. With this PDU frame still selected in the top section, navigate to the middle section. Click the plus sign to the left of the Ethernet II row to view the Destination and Source MAC addresses.
Does the Source MAC address match your PC
Note: In the preceding example of a captured ICMP request, the ICMP data is encapsulated inside an IPv4 packet PDU (IPv4 header), which is then encapsulated in an Ethernet II frame PDU (Ethernet II header) for transmission on the LAN. Wireshark's middle section lists these layers from the outside in: Ethernet II, then Internet Protocol Version 4, then Internet Control Message Protocol.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark
In Part 3, you will ping remote hosts (hosts not on the LAN) and examine the generated data from those pings. You will then determine what is different about this data from the data examined in Part 2.
Step 1: Start capturing data on the interface.

a. Click the Interface List icon to bring up the list of PC interfaces again.
b. ake s+re the check bo= ne=t to the L,N inter2ace is checke'3 an' then click 1tart. c. , win'ow prompts to sa"e the pre"io+sly capt+re' 'ata be2ore starting another capt+re. (t is not necessary to sa"e this 'ata. *lick *ontin+e witho+t 1a"ing.
'. With the capt+re acti"e3 ping the 2ollowing three website URLs: #% www.yahoo.com )% www.cisco.com @% www.google.com
Note: When you ping the URLs listed, notice that the Domain Name System (DNS) translates each URL to an IP address. Note the IP address received for each URL.

e. You can stop capturing data by clicking the Stop Capture icon.

Step 2: Examining and analyzing the data from the remote hosts.

a. Review the captured data in Wireshark; examine the IP and MAC addresses of the three locations that you pinged. List the destination IP and MAC addresses for all three locations in the space provided.

1st Location:
IP: _____._____._____._____   MAC: ____:____:____:____:____:____

2nd Location:
IP: _____._____._____._____   MAC: ____:____:____:____:____:____

3rd Location:
IP: _____._____._____._____   MAC: ____:____:____:____:____:____
b. What is significant about this information?
____________________________________________________________________________

c. How does this information differ from the local ping information you received in Part 2?
____________________________________________________________________________
____________________________________________________________________________

Reflection
Why does Wireshark show the actual MAC address of the local hosts, but not the actual MAC address for the remote hosts?
____________________________________________________________________________
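Added example (not part of the Cisco lab): the Python script below builds two constructed ICMP echo-request frames with made-up addresses, the local ping from Part 2 and a ping to a remote host from Part 3, decodes them the way Wireshark's middle section does (Ethernet II, then IPv4, then ICMP, as in the encapsulation note in Part 2), and applies the subnet test behind the reflection question: when the destination IP is outside the local subnet, the frame is addressed to the default gateway's MAC, because the remote host's MAC never appears on your LAN. All MAC and IP addresses, the subnet 192.168.1.0/24 and the output file name lab_icmp.pcap are assumptions for the example; running the script also writes the frames to that pcap file so you can open it in Wireshark and apply the icmp display filter.

```python
import ipaddress
import struct

# Constructed addresses: assumptions for this example, not values from the lab.
MY_MAC, MY_IP = "00:1a:2b:3c:4d:5e", "192.168.1.10"
PEER_MAC, PEER_IP = "00:1a:2b:3c:4d:5f", "192.168.1.11"  # team member's PC on the same LAN
GATEWAY_MAC = "00:11:22:33:44:55"                          # default gateway's LAN interface
REMOTE_IP = "203.0.113.7"                                  # a host beyond the gateway
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")         # assumed lab subnet

ETHERTYPE_IPV4, ETHERTYPE_ARP, IPPROTO_ICMP = 0x0800, 0x0806, 1


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum shared by the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return ~total & 0xFFFF


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_to_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_echo_request(src_mac, dst_mac, src_ip, dst_ip, ident=1, seq=1):
    """One 74-byte frame: Ethernet II header, IPv4 header, ICMP echo request."""
    payload = b"abcdefghijklmnopqrstuvwabcdefghi"  # the 32-byte payload Windows ping sends
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload   # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128,
                     IPPROTO_ICMP, 0, ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + icmp


def decode_frame(frame):
    """Return the fields Wireshark's middle section shows for an ICMP frame, or None
    when the display filter 'icmp' would hide the frame (not IPv4, or not ICMP)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    _, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if proto != IPPROTO_ICMP:
        return None
    if inet_checksum(ip) != 0:          # a valid header sums to zero with its checksum included
        raise ValueError("bad IPv4 header checksum")
    icmp = frame[14 + ihl:14 + total_len]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, icode, _, iid, iseq = struct.unpack("!BBHHH", icmp[:8])
    return {"eth.src": mac_to_str(src), "eth.dst": mac_to_str(dst),
            "ip.src": str(ipaddress.ip_address(s)), "ip.dst": str(ipaddress.ip_address(d)),
            "ip.ttl": ttl, "icmp.type": itype, "icmp.code": icode,
            "icmp.ident": iid, "icmp.seq": iseq}


def next_hop_is_router(decoded, local_net=LOCAL_NET):
    """A destination IP outside the local subnet is reached through the default
    gateway, so eth.dst is the gateway's MAC, never the remote host's."""
    return ipaddress.ip_address(decoded["ip.dst"]) not in local_net


def sample_frames():
    """Constructed capture: the Part 2 local ping, a Part 3 remote ping, and an ARP
    frame (body left empty; only its EtherType matters) that the 'icmp' filter hides."""
    arp = (mac_to_bytes("ff:ff:ff:ff:ff:ff") + mac_to_bytes(MY_MAC)
           + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28)
    return {"local": build_echo_request(MY_MAC, PEER_MAC, MY_IP, PEER_IP),
            "remote": build_echo_request(MY_MAC, GATEWAY_MAC, MY_IP, REMOTE_IP),
            "arp": arp}


def write_pcap(path, frames):
    """Write the frames as a classic libpcap file (link type 1 = Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
            f.write(frame)


if __name__ == "__main__":
    frames = sample_frames()
    for name, frame in frames.items():
        fields = decode_frame(frame)
        if fields is None:
            print(f"{name}: hidden by display filter 'icmp'")
            continue
        via = "via the default gateway" if next_hop_is_router(fields) else "directly on the LAN"
        print(f"{name}: eth.dst={fields['eth.dst']}  ip.dst={fields['ip.dst']}  ({via})")
    write_pcap("lab_icmp.pcap", frames.values())  # assumed file name; open in Wireshark, filter: icmp
```

The ARP frame in the constructed capture shows what the icmp display filter hides: decode_frame returns None for it, just as Wireshark drops it from the top section without stopping the capture. Note that the script decides "local or remote" from the IP destination and a subnet mask, which is exactly the decision your PC makes before it ARPs either for the peer or for the gateway.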
Appendix A: Allowing ICMP Traffic Through a Firewall

If the members of your team are unable to ping your PC, the firewall may be blocking those requests. This appendix describes how to create a rule in the firewall to allow ping requests. It also describes how to disable the new ICMP rule after you have completed the lab.

Step 1: Create a new inbound rule allowing ICMP traffic through the firewall.

d. From the Control Panel, click the System and Security option.
e. From the System and Security window, click Windows Firewall.
f. In the left pane of the Windows Firewall window, click Advanced settings.

g. In the Advanced Security window, choose the Inbound Rules option on the left sidebar and then click New Rule... on the right sidebar.

h. This launches the New Inbound Rule wizard. In the Rule Type screen, click the Custom radio button and click Next.

i. In the left pane, click the Protocol and Ports option and, using the Protocol type drop-down menu, select ICMPv4, and then click Next.

j. In the left pane, click the Name option and, in the Name field, type Allow ICMP Requests. Click Finish. This new rule should allow your team members to receive ping replies from your PC.

Note: Because the wizard's Scope, ICMP type, and Profile pages are left at their defaults, this rule admits every ICMPv4 type from any address on all profiles. That is acceptable for the lab only because you disable or delete the rule afterward (Step 2).

Step 2: Disabling or deleting the new ICMP rule.

After the lab is complete, you may want to disable or even delete the new rule you created in Step 1. Using the Disable Rule option allows you to enable the rule again at a later date. Deleting the rule permanently deletes it from the list of Inbound Rules.

a. In the Advanced Security window, in the left pane, click Inbound Rules and then locate the rule you created in Step 1.
b. To disable the rule, click the Disable Rule option. When you choose this option, you will see this option change to Enable Rule. You can toggle back and forth between Disable Rule and Enable Rule; the status of the rule also shows in the Enabled column of the Inbound Rules list.

c. To permanently delete the ICMP rule, click Delete. If you choose this option, you must re-create the rule again to allow ICMP replies.