Examine Ethernet Frames with Wireshark

ItsMe
5 min read · Sep 29, 2022


Part 1: Examine the Header Fields in an Ethernet Frame

For this exercise we will use a Windows device with Wireshark installed. We will be looking at ARP and ICMP packets, so we need to apply a display filter by entering “arp or icmp” in the filter box. After this, we can simulate an ARP scan by pinging an IP that has not been assigned in the network; in my case, I used 192.168.0.10 since I am aware of the IPs being used in my network. To capture ICMP packets, send a ping to a known, assigned IP address in the network. Stop capturing once you have seen both types of packets.

The Ethernet II frame in the Wireshark capture consists of the following fields: the destination address (broadcast ff:ff:ff:ff:ff:ff) and the source address (cc:35:40:da:e3:13). In this address, the first 6 hex digits indicate the manufacturer OUI and the last 6 hex digits are the serial number of the card. In the case of the broadcast address, the 7th and 8th bits are 1s, which make the address locally administered and multicast. A locally administered address is important since we do not know the MAC address and are therefore sending out an ARP request.

MAC Address for the source: cc:35:40:da:e3:13

Vendor Name: Technicolor CH USA Inc (First 6 hex digits — cc:35:40)

NIC Serial number: da:e3:13

These values will be different on your end.

Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

In this part of the exercise, we will be sending Ethernet frames locally and to a remote host, and then examining the packets. We need to find out what our network's gateway is; on Windows hosts this is done by opening the command prompt and issuing the command ‘ipconfig’. You will find the default gateway listed under the network card that you are currently using to connect to the network.

Now that we know our host’s IP and the network gateway, we can go to Wireshark and start capturing packets on the network. Let the capture run for a few minutes and then apply the ‘icmp’ filter. If you don’t have any results under this filter, don’t worry; we just need to send out pings to various addresses. Let’s start with a ping to the default gateway.

If the filter in Wireshark was applied correctly, there should be 8 new entries in the packet list. Click on the first one that says ‘Echo (ping) request’. In the packet details pane, the first row shows us the length of the frame, which is 74 bytes. The second line in the packet details pane tells us that it is an Ethernet II frame and gives us the source and destination MAC addresses. The source MAC address is b4:b5:b6:f0:e1:a5 and the destination MAC address is cc:35:40:da:e3:1. It is important to take note of the gateway’s MAC address since we will be referring to it again later in the exercise. Expanding the second line will also tell us what type of frame we are looking at. In our case, the EtherType is IPv4 (0x0800), which the OS uses to understand what kind of payload the frame carries.

The 3rd line in the packet details pane tells us the source and destination IP addresses. These IP addresses will correspond to what we found out by issuing the ‘ipconfig’ command: the source IP should be our Windows host’s IP and the destination IP should be that of the default gateway, since we sent the ping to it. Upon further inspection, we see that this is accurate: the source IP is 192.168.0.13 and the destination IP is 192.168.0.2.

The last line in the packet details section is the data contained within the frame. Click on this and see what gets highlighted in the lowest pane of the window. It will highlight a section of hex octets which correspond to the data held within. This data seems to be in plain text. Right-click on the hex values and select Copy Bytes as Hex + ASCII Dump. We can paste these into a document and figure out what the last two octets contain. Each byte in the capture is an IP octet.

Last 2 Octets and what data they correspond with

In the second packet captured in the list, which is a reply from the gateway, we can see that the source and destination MACs as well as IPs have swapped. The destination MAC address is now that of your Windows host, and Wireshark shows the NIC manufacturer too.

For the last part of this exercise, we will be pinging a remote host. Stop capturing, don’t save the current capture, and then restart capturing network data in Wireshark. After this, apply the icmp filter, go to your device’s command prompt and ping www.cisco.com. Let us review the results of this ping. The source MAC address is that of my Windows host, but the destination MAC is not that of cisco.com; it is that of my default gateway. This is why we needed to take note of our gateway’s MAC address. The source IP is that of our Windows host, 192.168.0.13, and the destination IP is that of cisco.com, 2.22.15.111. The destination MAC is the gateway's because the destination IP is not in the local area network of our Windows host. Therefore, the host knows that this frame needs to leave the network through the default gateway and thus uses the default gateway’s MAC. MAC addresses are not used outside the local area network.
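To make the field layout from both parts concrete, here is an added example (not part of the original post) that parses a constructed 74-byte Ethernet II frame shaped like the echo request above: it splits the MACs into OUI and NIC parts, reads the I/G and U/L bits of the first octet, pulls the EtherType, IPv4 addresses and ICMP payload, and checks whether a destination IP is off-link (the case where the frame is addressed to the gateway's MAC). The IP/ICMP checksums are left zero and the /24 subnet is an assumption, since the post does not give the subnet mask.

```python
import ipaddress
import struct

# Constructed sample frame (not a real capture) laid out like the post's echo request:
# 14-byte Ethernet II header + 20-byte IPv4 header + 8-byte ICMP header + 32-byte payload.
SAMPLE_FRAME = bytes.fromhex(
    "cc3540dae313"        # destination MAC: the gateway
    "b4b5b6f0e1a5"        # source MAC: the Windows host
    "0800"                # EtherType 0x0800 = IPv4
    "4500003c00010000"    # IPv4: ver/IHL, DSCP, total length 60, id, flags/frag
    "80010000"            # TTL 128, protocol 1 (ICMP), header checksum left zero
    "c0a8000d"            # source IP 192.168.0.13
    "c0a80002"            # destination IP 192.168.0.2 (gateway)
    "0800000000010001"    # ICMP type 8 (echo request), code 0, checksum 0, id 1, seq 1
) + b"abcdefghijklmnopqrstuvwabcdefghi"  # default 32-byte Windows ping payload

def mac_str(octets: bytes) -> str:
    return ":".join(f"{b:02x}" for b in octets)

def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet II header and, for IPv4/ICMP, the fields the post walks through."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {
        "frame_len": len(frame),
        "dst_mac": mac_str(dst), "src_mac": mac_str(src),
        "ethertype": ethertype,
        "src_oui": mac_str(src[:3]),   # first three octets: manufacturer OUI
        "src_nic": mac_str(src[3:]),   # last three octets: NIC-specific part
        # Bit 0 of the first octet is I/G (1 = group/multicast), bit 1 is U/L
        # (1 = locally administered); ff:ff:ff:ff:ff:ff has both set.
        "dst_is_group": bool(dst[0] & 0x01),
        "dst_is_local": bool(dst[0] & 0x02),
    }
    if ethertype == 0x0800:                          # IPv4 payload
        ihl = (frame[14] & 0x0F) * 4                 # header length in bytes
        info["ip_proto"] = frame[14 + 9]
        info["src_ip"] = ".".join(map(str, frame[14 + 12:14 + 16]))
        info["dst_ip"] = ".".join(map(str, frame[14 + 16:14 + 20]))
        if info["ip_proto"] == 1:                    # ICMP
            icmp = frame[14 + ihl:]
            info["icmp_type"] = icmp[0]              # 8 = echo request, 0 = echo reply
            info["payload"] = icmp[8:]               # bytes after the 8-byte ICMP header
    return info

def leaves_lan(dst_ip: str, local_net: str) -> bool:
    """True when dst_ip is outside local_net, so the frame carries the gateway's MAC."""
    return ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(local_net)
```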
