3.3.3.4 Lab - Using Wireshark To View Network Traffic

Topology

Objectives

Part 1: (Optional) Download and Install Wireshark

Part 2: Capture and Analyze Local ICMP Data in Wireshark
    Start and stop data capture of ping traffic to local hosts.
    Locate the IP and MAC address information in captured PDUs.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark
    Start and stop data capture of ping traffic to remote hosts.
    Locate the IP and MAC address information in captured PDUs.
    Explain why MAC addresses for remote hosts are different than the MAC addresses of local hosts.

Background / Scenario

Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications.

Wireshark is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. This lab provides instructions for downloading and installing Wireshark, although it may already be installed. In this lab, you will use Wireshark to capture ICMP data packet IP addresses and Ethernet frame MAC addresses.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 20
Required Resources

1 PC (Windows 7, Vista, or XP with Internet access)
Additional PC(s) on a local-area network (LAN) will be used to reply to ping requests.

Part 1: (Optional) Download and Install Wireshark

Wireshark has become the industry standard packet-sniffer program used by network engineers. This open source software is available for many different operating systems, including Windows, Mac, and Linux. In Part 1 of this lab, you will download and install the Wireshark software program on your PC.

Note: If Wireshark is already installed on your PC, you can skip Part 1 and go directly to Part 2. If Wireshark is not installed on your PC, check with your instructor about your academy's software download policy.

Step 1: Download Wireshark.

a. Wireshark can be downloaded from www.wireshark.org.

b. Click Download Wireshark.

c. Choose the software version you need based on your PC's architecture and operating system. For instance, if you have a 64-bit PC running Windows, choose Windows Installer (64-bit).
After making a selection, the download should start. The location of the downloaded file depends on the browser and operating system that you use. For Windows users, the default location is the Downloads folder.

Step 2: Install Wireshark.

a. The downloaded file is named Wireshark-win64-x.x.x.exe, where x represents the version number. Double-click the file to start the installation process.

b. Respond to any security messages that may display on your screen. If you already have a copy of Wireshark on your PC, you will be prompted to uninstall the old version before installing the new version. It is recommended that you remove the old version of Wireshark prior to installing another version. Click Yes to uninstall the previous version of Wireshark.

c. If this is the first time to install Wireshark, or after you have completed the uninstall process, you will navigate to the Wireshark Setup wizard. Click Next.
d. Continue advancing through the installation process. Click I Agree when the License Agreement window displays.

e. Keep the default settings on the Choose Components window and click Next.
f. Choose your desired shortcut options and click Next.

g. You can change the installation location of Wireshark, but unless you have limited disk space, it is recommended that you keep the default location.
h. To capture live network data, WinPcap must be installed on your PC. If WinPcap is already installed on your PC, the Install check box will be unchecked. If your installed version of WinPcap is older than the version that comes with Wireshark, it is recommended that you allow the newer version to be installed by clicking the Install WinPcap x.x.x (version number) check box.

i. Finish the WinPcap Setup Wizard if installing WinPcap.

j. Wireshark starts installing its files and a separate window displays with the status of the installation. Click Next when the installation is complete.
k. Click Finish to complete the Wireshark install process.

Part 2: Capture and Analyze Local ICMP Data in Wireshark

In Part 2 of this lab, you will ping another PC on the LAN and capture ICMP requests and replies in Wireshark. You will also look inside the frames captured for specific information. This analysis should help to clarify how packet headers are used to transport data to their destination.

Step 1: Retrieve your PC's interface addresses.

For this lab, you will need to retrieve your PC's IP address and its network interface card (NIC) physical address, also called the MAC address.
a. Open a command window, type ipconfig /all, and then press Enter.

b. Note your PC interface's IP address and MAC (physical) address.

c. Ask a team member for their PC's IP address and provide your PC's IP address to them. Do not provide them with your MAC address at this time.

Step 2: Start Wireshark and begin capturing data.

a. On your PC, click the Windows Start button to see Wireshark listed as one of the programs on the pop-up menu. Double-click Wireshark.

b. After Wireshark starts, click Interface List.

Note: Clicking the first interface icon in the row of icons also opens the Interface List.
c. On the Wireshark: Capture Interfaces window, click the check box next to the interface connected to your LAN.

Note: If multiple interfaces are listed and you are unsure which interface to check, click the Details button, and then click the 802.3 (Ethernet) tab. Verify that the MAC address matches what you noted in Step 1b. Close the Interface Details window after verifying the correct interface.

d. After you have checked the correct interface, click Start to start the data capture.
Information will start scrolling down the top section in Wireshark. The data lines will appear in different colors based on protocol.

e. This information can scroll by very quickly depending on what communication is taking place between your PC and the LAN. We can apply a filter to make it easier to view and work with the data that is being captured by Wireshark. For this lab, we are only interested in displaying ICMP (ping) PDUs. Type icmp in the Filter box at the top of Wireshark and press Enter or click on the Apply button to view only ICMP (ping) PDUs.
f. This filter causes all data in the top window to disappear, but you are still capturing the traffic on the interface. Bring up the command prompt window that you opened earlier and ping the IP address that you received from your team member. Notice that you start seeing data appear in the top window of Wireshark again.

Note: If your team member's PC does not reply to your pings, this may be because their PC firewall is blocking these requests. Please see Appendix A: Allowing ICMP Traffic Through a Firewall for information on how to allow ICMP traffic through the firewall using Windows 7.

g. Stop capturing data by clicking the Stop Capture icon.
Step 3: Examine the captured data.

In Step 3, examine the data that was generated by the ping requests of your team member's PC. Wireshark data is displayed in three sections: 1) The top section displays the list of PDU frames captured with a summary of the IP packet information listed, 2) the middle section lists PDU information for the frame selected in the top part of the screen and separates a captured PDU frame by its protocol layers, and 3) the bottom section displays the raw data of each layer. The raw data is displayed in both hexadecimal and decimal form.

a. Click the first ICMP request PDU frame in the top section of Wireshark. Notice that the Source column has your PC's IP address, and the Destination column contains the IP address of the teammate's PC you pinged.
b. With this PDU frame still selected in the top section, navigate to the middle section. Click the plus sign to the left of the Ethernet II row to view the Destination and Source MAC addresses.

Does the Source MAC address match your PC's interface?

Does the Destination MAC address in Wireshark match the MAC address of your team member's PC?

How is the MAC address of the pinged PC obtained by your PC?

Note: In the preceding example of a captured ICMP request, ICMP data is encapsulated inside an IPv4 packet PDU (IPv4 header) which is then encapsulated in an Ethernet II frame PDU (Ethernet II header) for transmission on the LAN.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark

In Part 3, you will ping remote hosts (hosts not on the LAN) and examine the generated data from those pings. You will then determine what is different about this data from the data examined in Part 2.

Step 1: Start capturing data on the interface.

a. Click the Interface List icon to bring up the list of PC interfaces again.
b. Make sure the check box next to the LAN interface is checked, and then click Start.

c. A window prompts to save the previously captured data before starting another capture. It is not necessary to save this data. Click Continue without Saving.
d. With the capture active, ping the following three website URLs:

1) www.yahoo.com
2) www.cisco.com
3) www.google.com

Note: When you ping the URLs listed, notice that the Domain Name Server (DNS) translates the URL to an IP address. Note the IP address received for each URL.

e. You can stop capturing data by clicking the Stop Capture icon.

Step 2: Examining and analyzing the data from the remote hosts.

a. Review the captured data in Wireshark, examine the IP and MAC addresses of the three locations that you pinged. List the destination IP and MAC addresses for all three locations in the space provided.

1st Location: IP: ____________ MAC: ____________
2nd Location: IP: ____________ MAC: ____________
3rd Location: IP: ____________ MAC: ____________
b. What is significant about this information?

c. How does this information differ from the local ping information you received in Part 2?

Reflection

Why does Wireshark show the actual MAC address of the local hosts, but not the actual MAC address for the remote hosts?

Appendix A: Allowing ICMP Traffic Through a Firewall

If the members of your team are unable to ping your PC, the firewall may be blocking those requests. This appendix describes how to create a rule in the firewall to allow ping requests. It also describes how to disable the new ICMP rule after you have completed the lab.

Step 1: Create a new inbound rule allowing ICMP traffic through the firewall.

a. From the Control Panel, click the System and Security option.

b. From the System and Security window, click Windows Firewall.
c. In the left pane of the Windows Firewall window, click Advanced settings.

d. On the Advanced Security window, choose the Inbound Rules option on the left sidebar and then click New Rule on the right sidebar.
e. This launches the New Inbound Rule wizard. On the Rule Type screen, click the Custom radio button and click Next.

f. In the left pane, click the Protocol and Ports option and, using the Protocol type drop-down menu, select ICMPv4, and then click Next.
g. In the left pane, click the Name option and in the Name field, type Allow ICMP Requests. Click Finish.

This new rule should allow your team members to receive ping replies from your PC.

Step 2: Disabling or deleting the new ICMP rule.

After the lab is complete, you may want to disable or even delete the new rule you created in Step 1. Using the Disable Rule option allows you to enable the rule again at a later date. Deleting the rule permanently deletes it from the list of Inbound Rules.

a. On the Advanced Security window, in the left pane, click Inbound Rules and then locate the rule you created in Step 1.
b. To disable the rule, click the Disable Rule option. When you choose this option, you will see this option change to Enable Rule. You can toggle back and forth between Disable Rule and Enable Rule; the status of the rule also shows in the Enabled column of the Inbound Rules list.

c. To permanently delete the ICMP rule, click Delete. If you choose this option, you must re-create the rule again to allow ICMP replies.
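As an added example, not part of the Cisco lab or of Wireshark, the Python script below ties together the encapsulation note in Part 2 Step 3 and the Reflection question in Part 3. It builds two ICMP echo-request frames the way a pinging PC would (one to a teammate on the LAN, one to a remote host), then decodes each into the Ethernet II, IPv4 and ICMP layers that Wireshark's middle pane shows, verifying both header checksums. Every MAC address, IP address and the 192.168.1.0/24 network are constructed sample values, and the frames are generated by the script rather than captured; the remote host uses an RFC 5737 documentation address. The decoder also states, for each frame, whether the Destination MAC belongs to the pinged host or to the default gateway, which is the answer the Reflection question is looking for.

```python
# Added example, not part of the Cisco lab: decode an Ethernet II / IPv4 / ICMP
# echo-request frame into the three layers Wireshark shows in its middle pane,
# verify the header checksums, and show why a frame sent to a remote host
# carries the default gateway's MAC address. All addresses are constructed.
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8

# Constructed sample addresses (not from any real capture).
PC_MAC, PC_IP = "00:11:22:33:44:55", "192.168.1.2"
TEAMMATE_MAC, TEAMMATE_IP = "00:11:22:33:44:66", "192.168.1.3"
GATEWAY_MAC = "00:11:22:33:44:01"
REMOTE_IP = "198.51.100.10"      # RFC 5737 documentation range, stands in for a web server
LOCAL_NET = "192.168.1.0/24"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers.
    Over a header that already contains a correct checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_echo_request(src_mac, dst_mac, src_ip, dst_ip, ident=1, seq=1):
    """Assemble a ping frame the way the sending PC does: ICMP inside an IPv4
    packet inside an Ethernet II frame. The 32-byte payload is the Windows
    ping default."""
    payload = b"abcdefghijklmnopqrstuvwabcdefghi"
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0,
                         128, IP_PROTO_ICMP, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", internet_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + icmp


def decode_frame(frame: bytes) -> dict:
    """Peel the frame apart layer by layer and validate each header checksum."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("ethertype 0x%04x is not IPv4" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                   # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IP_PROTO_ICMP:
        raise ValueError("IP protocol %d is not ICMP" % ip[9])
    icmp = ip[ihl:total_len]
    itype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "eth": {"dst": mac_str(dst_mac), "src": mac_str(src_mac)},
        "ip": {"src": str(ipaddress.IPv4Address(ip[12:16])),
               "dst": str(ipaddress.IPv4Address(ip[16:20])),
               "checksum_ok": internet_checksum(ip[:ihl]) == 0},
        "icmp": {"type": itype, "code": code, "id": ident, "seq": seq,
                 "checksum_ok": internet_checksum(icmp) == 0},
    }


def explain_destination_mac(decoded: dict, local_net: str) -> str:
    """The lab's Reflection question for one decoded frame: the frame's
    destination MAC is the pinged host's NIC only when that host is on the
    local subnet; otherwise it is the default gateway's NIC."""
    if ipaddress.IPv4Address(decoded["ip"]["dst"]) in ipaddress.IPv4Network(local_net):
        return "local host: destination MAC is the pinged PC's NIC"
    return "remote host: destination MAC is the default gateway's NIC"


# The two frames Part 2 and Part 3 of the lab would capture (constructed here).
LOCAL_PING = build_echo_request(PC_MAC, TEAMMATE_MAC, PC_IP, TEAMMATE_IP)
REMOTE_PING = build_echo_request(PC_MAC, GATEWAY_MAC, PC_IP, REMOTE_IP)

if __name__ == "__main__":
    for frame in (LOCAL_PING, REMOTE_PING):
        layers = decode_frame(frame)
        print(layers["eth"], layers["ip"], layers["icmp"])
        print("  ->", explain_destination_mac(layers, LOCAL_NET))
```

Run it as a script to see both frames decoded. The remote frame has the web server's address in the IPv4 Destination field but the gateway's address in the Ethernet II Destination field, exactly the difference Part 3 Step 2 asks you to notice; the checksum check is what lets a receiver reject a corrupted header rather than act on it.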
