7.1.6 Lab – Use Wireshark to Examine Ethernet Frames


Objectives

Part 1: Analyze the Ethernet II Frame's Header Fields

Part 2: Capturing and Analyzing Ethernet Frames Using Wireshark


Context / Scenario


When protocols at the upper layers communicate, data flows down the Open Systems Interconnection (OSI) layers and is encapsulated in a Layer 2 frame. The frame composition is determined by the media access method. For instance, if the upper layer protocols are TCP and IP and the media access protocol is Ethernet, the Layer 2 frame encapsulation will be Ethernet II. This is standard behaviour in a LAN environment. Analysing frame header information is useful when learning about Layer 2 concepts. In Part 1 of this lab you will review the fields contained in an Ethernet II frame. In Part 2, you will use Wireshark to capture and analyse Ethernet II frame header fields for local and remote traffic.

Instructor Note: This lab assumes the student is using a PC with internet access and with Wireshark installed. The screenshots in this lab were taken with Wireshark v2.4.3 for Windows 10 (64-bit).


Resources Required


1 personal computer (Windows with internet access and with Wireshark installed)


Instructions


Part 1: Analyze the Ethernet II Frame's Header Fields


In Part 1, you will explore the Ethernet II frame's header fields and content. The contents of those fields will be examined using a Wireshark capture.

Step 1: Review the Ethernet II header field definitions and lengths.


Step 2: Inspect the PC's network setup.

In this example, the host IP address of the PC is 192.168.1.147, whereas the default gateway is 192.168.1.1.

C:\> ipconfig /all

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : F0-1F-AF-50-FD-C8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::58c5:45f2:7e5e:29c2%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.147(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, September 6, 2019 11:08:36 AM
Lease Expires . . . . . . . . . . : Saturday, September 7, 2019 11:08:36 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
<output omitted>
Step 3: Examine Ethernet frames captured using Wireshark.
The screenshots below show a Wireshark capture of a ping from a PC host to its default gateway. The display has been filtered to show only the ARP and ICMP protocols. ARP stands for Address Resolution Protocol; it is the mechanism for determining the MAC address associated with an IP address. The session begins with an ARP request and reply for the gateway router's MAC address, followed by four ping requests and replies.

This image illustrates the ARP request's frame specifics.

This screenshot highlights the frame details for an ARP reply.
Step 4: Examine the Ethernet II header contents of an ARP request.
The following table takes the first frame in the Wireshark capture and presents the data in the Ethernet II header fields.

What is the significance of the destination address field's contents?
All hosts on the LAN receive this broadcast frame. The host with IP address 192.168.1.1 (the default gateway) sends a unicast reply to the source (the PC host). That reply carries the MAC address of the default gateway's NIC.

Why does the PC broadcast an ARP request before sending the first ping request?
The PC cannot send a ping request to a host until it has determined the destination MAC address and built the frame header for the ping request. The ARP broadcast is used to obtain the MAC address of the host that owns the IP address named in the ARP request.

What is the source's MAC address in the first frame?
It varies; in this example, it is f0:1f:af:50:fd:c8.

In the ARP response, what is the Vendor ID (OUI) of the Source NIC?
It varies; in this example, it is Netgear.

How much of the MAC address is devoted to the OUI?
The OUI is indicated by the first three octets of the MAC address.

What is the source's NIC serial number?
It varies; in this example, it is 99:c5:72.
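The fields this step reads off the Wireshark screenshot (broadcast destination, source OUI and NIC serial, EtherType, and the ARP body) can also be decoded directly from the raw frame bytes. The following Python example is added here and is not part of the Cisco lab; it constructs an ARP request frame from the lab's own PC MAC and IP addresses (the gateway's MAC is not on the page, so the target MAC is the all-zeros value an ARP request carries).

```python
"""Decode the Ethernet II and ARP header fields examined in Part 1 of the lab.
Added example, not part of the Cisco lab; the frame bytes are constructed to
match its scenario (PC f0:1f:af:50:fd:c8 / 192.168.1.147 asking for 192.168.1.1)."""
import socket
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split off the 14-byte Ethernet II header. The preamble and FCS are not
    handed up by the NIC, which is why Wireshark never displays them."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst": fmt_mac(dst),
        "src": fmt_mac(src),
        "is_broadcast": fmt_mac(dst) == BROADCAST,
        "src_oui": fmt_mac(src[:3]),  # first three octets: vendor ID (OUI)
        "src_nic": fmt_mac(src[3:]),  # last three octets: NIC serial number
        "type": etype,
        "type_name": ETHERTYPES.get(etype, f"unknown 0x{etype:04x}"),
        "payload": frame[14:],        # the Data field
    }


def parse_arp(payload: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP body (opcode 1 = request, 2 = reply)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    op = struct.unpack("!H", payload[6:8])[0]
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": {1: "request", 2: "reply"}.get(op, f"opcode {op}"),
            "sender_mac": fmt_mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": fmt_mac(tha), "target_ip": socket.inet_ntoa(tpa)}


# Constructed first frame of the capture: the PC's ARP request for its gateway.
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff"              # destination: broadcast, every LAN host receives it
    "f01faf50fdc8"              # source: the PC's NIC
    "0806"                      # EtherType: ARP
    "0001080006040001"          # ARP: Ethernet, IPv4, hlen 6, plen 4, opcode 1
    "f01faf50fdc8" "c0a80193"   # sender MAC / sender IP 192.168.1.147
    "000000000000" "c0a80101"   # target MAC (unknown yet) / target IP 192.168.1.1
)
```

Running `parse_arp(parse_ethernet(ARP_REQUEST)["payload"])` yields the same sender and target values the lab's first frame shows; feeding it a frame shorter than 14 bytes raises rather than misreading the fields.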

Part 2: Capturing and Analyzing Ethernet Frames Using Wireshark
In Part 2, you will use Wireshark to capture local and remote Ethernet traffic. You will then examine the information contained in the frame header fields.

Step 1: Determine the IP address of your computer's default gateway.
Issue the ipconfig command from a command prompt window.

What is the IP address of the default gateway on your computer?
The responses will vary.

Step 2: Begin recording traffic on your PC's network interface card (NIC).
a. Launch Wireshark to begin data collection.

b. Keep an eye on the traffic shown in the packet list window.

Step 3: Filter Wireshark to display only ICMP traffic.
You can use the Wireshark filter to hide unwanted traffic. The filter does not stop unnecessary data from being captured; it only controls what is displayed on the screen. For now, only ICMP traffic will be displayed.

Type icmp in the Wireshark Filter box. If you enter the filter correctly, the box turns green. Once the box is green, click Apply (the right arrow) to apply the filter.

Step 4: Ping the default gateway of your computer from the command prompt window.
Ping the default gateway from the command window using the IP address that you recorded in Step 1.

Step 5: Stop capturing traffic on the NIC.
Click the Stop Capturing Packets icon to stop capturing traffic.

Step 6: In Wireshark, examine the first Echo (ping) request.
Wireshark's main window is organised into three panes: the packet list pane at the top, the packet details pane in the centre, and the packet bytes pane at the bottom. If you selected the correct interface for packet capture, Wireshark should display the ICMP information in the packet list pane.

a. In the packet list pane (top section), click the first frame listed. You should see an Echo (ping) request under the Info column. The line should now be highlighted.

b. In the packet details window, examine the first line (middle section). This line indicates the frame's length.

c. The packet information pane's second line indicates that this is an Ethernet II frame. Additionally, the MAC addresses of the source and destination are revealed.

What is the MAC address of the PC's network interface card?
Your responses will be unique.

What is the MAC address of the default gateway?
Your responses will be unique.

d. You can obtain more detailed information about the Ethernet II frame by clicking the greater than (>) symbol at the beginning of the second line.

What type of frame is displayed?
0x0800, an IPv4 frame type.

e. The last two lines in the centre part include information about the frame's data field. Take note that the data comprises information about the source and destination IPv4 addresses.

What is the IP address of the origin?
Your responses will be unique.

What is the IP address of the destination?
Your responses will be unique.

f. You can click any line in the middle section to highlight that part of the frame in the Packet Bytes pane (bottom section, shown in hex and ASCII). Click the Internet Control Message Protocol line in the middle section and examine what is highlighted in the Packet Bytes pane.

What are the last two highlighted octets?
hi

g. In the top section, click the next frame and examine an Echo reply frame. Note that the source and destination MAC addresses are reversed, because this frame was sent by the default gateway router in reply to the first ping.

As the destination address, what device and MAC address is displayed?
Your responses will be unique.

Step 7: Capture packets for a remote host.
a. Click the Start Capture icon to begin a new Wireshark capture. A popup window asks whether you want to save the previously captured packets to a file before starting a new capture. Click Continue without Saving.

b. Type ping www.cisco.com in a command prompt window.

c. Stop capturing packets.

d. Examine the new data in Wireshark's packet list window.

What are the source and destination MAC addresses in the first echo (ping) request frame?

Source:

This should be the computer's MAC address.

Destination:

This should be the Default Gateway's MAC address.

Which IP addresses are present in the frame's data field?

Source:

This is still the PC's IP address.

Destination:

This is the server's address at www.cisco.com.

Compare these addresses with the ones you recorded in Step 6. The only address that changed is the destination IP address. Why has the destination IP address changed while the destination MAC address stayed the same?

Layer 2 frames never leave the LAN. When a ping is sent to a remote host, the source addresses the frame to the default gateway's MAC address. The default gateway receives the packet, strips the Layer 2 frame information, and builds a new frame header with the MAC address of the next hop. This process repeats from router to router until the packet reaches its destination IP address.

Reflection Question
Wireshark does not show the frame header's preamble field. What is included in the preamble?

The preamble field consists of seven octets of alternating 1010 sequences (10101010) and one start-of-frame octet, 10101011, which signals the beginning of the frame.
