3.3.3.4 Lab - Using Wireshark to View Network Traffic

March 29, 2018 | Author: Jonathan Arciniega | Category: Network Packet, Network Interface Controller, Internet Protocols, Computer Data, Network Architecture


Topology

Objectives

Part 1: (Optional) Download and Install Wireshark

Part 2: Capture and Analyze Local ICMP Data in Wireshark
- Start and stop data capture of ping traffic to local hosts.
- Locate the IP and MAC address information in captured PDUs.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark
- Start and stop data capture of ping traffic to remote hosts.
- Locate the IP and MAC address information in captured PDUs.
- Explain why MAC addresses for remote hosts are different than the MAC addresses of local hosts.

Background / Scenario

Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications.

Wireshark is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. This lab provides instructions for downloading and installing Wireshark, although it may already be installed. In this lab, you will use Wireshark to capture ICMP data packet IP addresses and Ethernet frame MAC addresses.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Required Resources
- 1 PC (Windows 7, Vista, or XP with Internet access)
- Additional PC(s) on a local-area network (LAN) will be used to reply to ping requests.
Part 1: (Optional) Download and Install Wireshark

Wireshark has become the industry standard packet-sniffer program used by network engineers. This open source software is available for many different operating systems, including Windows, Mac, and Linux. In Part 1 of this lab, you will download and install the Wireshark software program on your PC.

Note: If Wireshark is already installed on your PC, you can skip Part 1 and go directly to Part 2. If Wireshark is not installed on your PC, check with your instructor about your academy's software download policy.

Step 1: Download Wireshark.
a. Wireshark can be downloaded from www.wireshark.org.
b. Click Download Wireshark.
c. Choose the software version you need based on your PC's architecture and operating system. For instance, if you have a 64-bit PC running Windows, choose Windows Installer (64-bit).
d. After making a selection, the download should start. The location of the downloaded file depends on the browser and operating system that you use. For Windows users, the default location is the Downloads folder.

Step 2: Install Wireshark.
a. The downloaded file is named Wireshark-win64-x.x.x.exe, where x represents the version number. Double-click the file to start the installation process.
b. Respond to any security messages that may display on your screen. If you already have a copy of Wireshark on your PC, you will be prompted to uninstall the old version before installing the new version. It is recommended that you remove the old version of Wireshark prior to installing another version. Click Yes to uninstall the previous version of Wireshark.
c. If this is the first time to install Wireshark, or after you have completed the uninstall process, you will navigate to the Wireshark Setup wizard. Click Next.
d. Continue advancing through the installation process. Click I Agree when the License Agreement window displays.
e. Keep the default settings on the Choose Components window and click Next.
f. Choose your desired shortcut options and click Next.
g. You can change the installation location of Wireshark, but unless you have limited disk space, it is recommended that you keep the default location.
h. To capture live network data, WinPcap must be installed on your PC. If WinPcap is already installed on your PC, the Install check box will be unchecked. If your installed version of WinPcap is older than the version that comes with Wireshark, it is recommended that you allow the newer version to be installed by clicking the Install WinPcap x.x.x (version number) check box.
i. Finish the WinPcap Setup Wizard if installing WinPcap.
j. Wireshark starts installing its files and a separate window displays with the status of the installation. Click Next when the installation is complete.
k. Click Finish to complete the Wireshark install process.

Part 2: Capture and Analyze Local ICMP Data in Wireshark

In Part 2 of this lab, you will ping another PC on the LAN and capture ICMP requests and replies in Wireshark. You will also look inside the frames captured for specific information. This analysis should help to clarify how packet headers are used to transport data to their destination.

Step 1: Retrieve your PC's interface addresses.
For this lab, you will need to retrieve your PC's IP address and its network interface card (NIC) physical address, also called the MAC address.
a. Open a command window, type ipconfig /all, and then press Enter.
b. Note your PC interface's IP address and MAC (physical) address.
c. Ask a team member for their PC's IP address and provide your PC's IP address to them. Do not provide them with your MAC address at this time.

Step 2: Start Wireshark and begin capturing data.
a. On your PC, click the Windows Start button to see Wireshark listed as one of the programs on the pop-up menu. Double-click Wireshark.
b. After Wireshark starts, click Interface List.
Note: Clicking the first interface icon in the row of icons also opens the Interface List.
c. On the Wireshark: Capture Interfaces window, click the check box next to the interface connected to your LAN.
Note: If multiple interfaces are listed and you are unsure which interface to check, click the Details button. Click the 802.3 (Ethernet) tab. Verify that the MAC address matches what you noted in Step 1b. Close the Interface Details window after verifying the correct interface.
d. After you have checked the correct interface, click Start to start the data capture.
Information will start scrolling down the top section in Wireshark. The data lines will appear in different colors based on protocol. This information can scroll by very quickly depending on what communication is taking place between your PC and the LAN. We can apply a filter to make it easier to view and work with the data that is being captured by Wireshark. For this lab, we are only interested in displaying ICMP (ping) PDUs.
e. Type icmp in the Filter box at the top of Wireshark and press Enter or click on the Apply button to view only ICMP (ping) PDUs.
f. This filter causes all data in the top window to disappear, but you are still capturing the traffic on the interface. Bring up the command prompt window that you opened earlier and ping the IP address that you received from your team member. Notice that you start seeing data appear in the top window of Wireshark again.
Note: If your team member's PC does not reply to your pings, this may be because their PC firewall is blocking these requests. Please see Appendix A: Allowing ICMP Traffic Through a Firewall for information on how to allow ICMP traffic through the firewall using Windows 7.
g. Stop capturing data by clicking the Stop Capture icon.
Step 3: Examine the captured data.
In Step 3, examine the data that was generated by the ping requests of your team member's PC. Wireshark data is displayed in three sections: 1) the top section displays the list of PDU frames captured with a summary of the IP packet information listed, 2) the middle section lists PDU information for the frame selected in the top part of the screen and separates a captured PDU frame by its protocol layers, and 3) the bottom section displays the raw data of each layer. The raw data is displayed in both hexadecimal and decimal form.
a. Click the first ICMP request PDU frame in the top section of Wireshark. Notice that the Source column has your PC's IP address, and the Destination column contains the IP address of the teammate's PC you pinged.
b. With this PDU frame still selected in the top section, navigate to the middle section. Click the plus sign to the left of the Ethernet II row to view the Destination and Source MAC addresses.
Does the Source MAC address match your PC's interface?
Does the Destination MAC address in Wireshark match your team member's MAC address?
How is the MAC address of the pinged PC obtained by your PC?
Note: In the preceding example of a captured ICMP request, ICMP data is encapsulated inside an IPv4 packet PDU (IPv4 header) which is then encapsulated in an Ethernet II frame PDU (Ethernet II header) for transmission on the LAN.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark

In Part 3, you will ping remote hosts (hosts not on the LAN) and examine the generated data from those pings. You will then determine what is different about this data from the data examined in Part 2.

Step 1: Start capturing data on interface.
a. Click the Interface List icon to bring up the list of PC interfaces again.
b. Make sure the check box next to the LAN interface is checked, and then click Start.
c. A window prompts to save the previously captured data before starting another capture. It is not necessary to save this data. Click Continue without Saving.
d. With the capture active, ping the following three website URLs: 1) www.yahoo.com 2) www.cisco.com 3) www.google.com
Note: When you ping the URLs listed, notice that the Domain Name Server (DNS) translates the URL to an IP address. Note the IP address received for each URL.
e. You can stop capturing data by clicking the Stop Capture icon.

Step 2: Examining and analyzing the data from the remote hosts.
a. Review the captured data in Wireshark and examine the IP and MAC addresses of the three locations that you pinged. List the destination IP and MAC addresses for all three locations in the space provided.
1st Location: IP: MAC:
2nd Location: IP: MAC:
3rd Location: IP: MAC:
b. What is significant about this information?
c. How does this information differ from the local ping information you received in Part 2?

Reflection
Why does Wireshark show the actual MAC address of the local hosts, but not the actual MAC address for the remote hosts?

Appendix A: Allowing ICMP Traffic Through a Firewall

If the members of your team are unable to ping your PC, the firewall may be blocking those requests. This appendix describes how to create a rule in the firewall to allow ping requests. It also describes how to disable the new ICMP rule after you have completed the lab.

Step 1: Create a new inbound rule allowing ICMP traffic through the firewall.
a. From the Control Panel, click the System and Security option.
b. From the System and Security window, click Windows Firewall.
c. In the left pane of the Windows Firewall window, click Advanced settings.
d. On the Advanced Security window, choose the Inbound Rules option on the left sidebar and then click New Rule… on the right sidebar.
e. This launches the New Inbound Rule wizard. On the Rule Type screen, click the Custom radio button and click Next.
f. In the left pane, click the Protocol and Ports option and, using the Protocol type drop-down menu, select ICMPv4, and then click Next.
g. In the left pane, click the Name option and in the Name field, type Allow ICMP Requests. Click Finish.
This new rule should allow your team members to receive ping replies from your PC.

Step 2: Disabling or deleting the new ICMP rule.
After the lab is complete, you may want to disable or even delete the new rule you created in Step 1. Using the Disable Rule option allows you to enable the rule again at a later date. Deleting the rule permanently deletes it from the list of Inbound Rules.
a. On the Advanced Security window, in the left pane, click Inbound Rules and then locate the rule you created in Step 1.
b. To disable the rule, click the Disable Rule option. When you choose this option, you will see this option change to Enable Rule. You can toggle back and forth between Disable Rule and Enable Rule; the status of the rule also shows in the Enabled column of the Inbound Rules list.
c. To permanently delete the ICMP rule, click Delete. If you choose this option, you must re-create the rule again to allow ICMP replies.
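The encapsulation described in the Part 2 Step 3 note (ICMP inside IPv4 inside Ethernet II) and the Reflection question about remote MAC addresses, worked through in code. This is an added example, not part of the Cisco lab: it frames an echo request the way a Windows host on a 192.168.1.0/24 LAN would and then decodes the fields the lab has you locate in Wireshark's middle pane; every address, the ARP cache and the gateway are constructed assumptions.

```python
import ipaddress
import struct

# Constructed sample addresses on a 192.168.1.0/24 LAN; none of them come from a real capture.
PC_MAC, PEER_MAC, GATEWAY_MAC = (bytes.fromhex(h) for h in ("001122334455", "66778899aabb", "ccddeeff0011"))
PC_IP, PEER_IP, GATEWAY_IP, REMOTE_IP = "192.168.1.10", "192.168.1.20", "192.168.1.1", "203.0.113.5"
LAN = ipaddress.ip_network("192.168.1.0/24")
ARP_CACHE = {PEER_IP: PEER_MAC, GATEWAY_IP: GATEWAY_MAC}   # what "arp -a" would list after the pings

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def next_hop_mac(dst_ip: str) -> bytes:
    """Frame to the destination's own MAC only if it is on the LAN; otherwise to the default gateway."""
    hop = dst_ip if ipaddress.ip_address(dst_ip) in LAN else GATEWAY_IP
    return ARP_CACHE[hop]

def build_echo_request(dst_ip: str, ident: int = 1, seq: int = 1) -> bytes:
    """ICMP inside IPv4 inside Ethernet II, the layering the Step 3 note describes."""
    payload = b"abcdefghijklmnopqrstuvwabcdefghi"                    # 32-byte Windows ping payload
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload      # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, 1, 0,
                     ipaddress.ip_address(PC_IP).packed, ipaddress.ip_address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]        # protocol 1 = ICMP, TTL 128
    return next_hop_mac(dst_ip) + PC_MAC + b"\x08\x00" + ip + icmp    # EtherType 0x0800 = IPv4

def decode(frame: bytes) -> dict:
    """Pull out the fields the lab has you locate in Wireshark's middle pane."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if frame[12:14] != b"\x08\x00" or ip[9] != 1 or checksum(ip[:ihl]) != 0:
        raise ValueError("not a well-formed IPv4/ICMP frame")
    icmp = ip[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    return {"dst_mac": mac(frame[:6]), "src_mac": mac(frame[6:12]),
            "src_ip": str(ipaddress.ip_address(ip[12:16])), "dst_ip": str(ipaddress.ip_address(ip[16:20])),
            "icmp_type": icmp[0], "icmp_seq": struct.unpack("!H", icmp[6:8])[0]}

if __name__ == "__main__":
    for target in (PEER_IP, REMOTE_IP):            # Part 2 (local) versus Part 3 (remote)
        print(target, decode(build_echo_request(target)))
```

For the remote target the decoded destination MAC is the gateway's while the destination IP is still the remote host's, which is what Part 3 shows and the Reflection asks about.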