Wireshark Assignment Instructions

Wireshark Assignment Instructions

Assignment: Wireshark Exploration

I want you to install and run Wireshark, gather some data, and begin to decipher/understand the information it is giving you.  Use the Wireshark Exploration submission link to submit a document including screenshots of you running Wireshark and a detailed description of what the Wireshark output is telling you. Run Wireshark to look at both local network activity and remote network activity.

I have created a separate Wireshark Getting Started tutorial to help you get started by successfully connecting, capturing, and interpreting to a site and file.

Do not submit the read out or interpretation of the tutorial for your assignment. If you do, you will not receive any points for the assignment. It is just a tutorial to get you acquainted with the most basic feature of Wireshark. After you have run through the tutorial and just looked at your network traffic, work through the activity below and you can filter and see the process of data transmission in layer 2 and 3.

A good way to get started with this assignment is to ping your Raspberry Pi. So, I would suggest completing the Pie setup assignment prior to completing this Wireshark assignment.

  1. Open Wireshark on the host (should be you laptop or desktop)
  2. Click the Wi-Fi adapter (assuming you’re not using a wired Ethernet connection). This will start a live capture.
  3. In the filter box (below the toolbar at the top), type arp or icmp and hit Enter. – this will filter the captured data.
  4. In the command line on the host, ping the IP address of your Pi.
  5. In Wireshark, you should see an ARP Request, an ARP Reply, as well as four ICMP Echo Requests and Replies. Click the red square icon (second from the left) on the toolbar at the top to stop the capture.
  6. In the middle Wireshark pane (Packet Details), look for the first ARP, and expand the triangle next to Ethernet_II and the triangle next to Address Resolution Protocol (Request).

Things to note

  • In the Ethernet frame, the source MAC address is the MAC address of the host machine, and the destination MAC address is the Layer 2 Broadcast Address (12 Fs).
  • In the ARP (which is encapsulated inside the Ethernet frame), the Sender MAC and Sender IP address belong to the host machine. Also notice that the Target MAC is all 0s (the sender left that field blank), but the Target IP address is that of the Pi.
  • In the top pane (Packet List), Wireshark turns this into a nice English question in the Info column.
  • The next frame, below the Packet List, is the response. Compare the fields in the Ethernet frame and the ARP in this response to the frame above, the request. ARP is a pure Layer 2 protocol. It is not routable. There is no IP header. Even though you did see IP addresses in the ARP fields, that does not make it a Layer 3 routable protocol.

Now that the host machine got the ARP reply, with the MAC address of the Pi, it can send the ICMP Echo Replies. The next 8 rows should be 4 ICMP Echo Requests and 4 ICMP Echo Replies. ICMP is a Layer 3 protocol.

  1. Select the first ICMP Echo Request.
  2. Notice how ICMP is encapsulated inside of an IP packet, which is encapsulated inside an Ethernet frame.
  3. Expand the fields of all protocols, by clicking the triangles.

Notice with the ICMP Echo Requests that the source MAC address and the source IP address are those of the host machine, while the destination MAC address and the destination IP address are those of the Pi.

  • For the ICMP Echo Replies, the pairs are reversed. This is local communication. The source determined that the destination was on the same subnet by first logically ANDing its IP address with its subnet mask, and then logically ANDing the destination IP address subnet mask with the source subnet mask. When both resultant network IDs came out the same, the source realized it had to ARP for the MAC address of the actual destination.

Now try Viewing Remote Communication (not on your local network)

  1. Start a new Wireshark capture by clicking the blue fin (first icon from the left), with the same filter as in Step 3 under Use Wireshark to view network activity (arp or icmp).
  2. Open up a new command line interface with Administrator privileges, by clicking the Start button, typing cmd, right clicking on the icon, selecting Run As Administrator, and clicking the Yes button.
  3. At the prompt, type arp -d, which will clear the host’s ARP cache. Then, immediately type ping www.google.com (Links to an external site.). You will have a new set of ARPs and ICMPs.

In a Word document I want you to try looking at the general traffic on your network, what do you see? Interpret it and use screenshots. Do not just resubmit the tutorial. You can submit the Pi activity above for credit (10pts) but you will need provide additional information about the traffic on your network. So run Wireshark and then try to to explain what you are seeing on your network (10pts).

Next, Ping a remote location (not Google.com or TWU.edu) and use Wireshark to figure out its ip address, MAC address and other components. Again, include screenshots and explain in detail what you see and what you found (10pts).

In your document address the following (10 pts):

  1. Explain what is the difference in ICMP Echo Requests sent from your machine, when pinging a local destination vs. a remote destination.
  2. Explain what is the difference in ICMP Echo Replies sent to your machine, when pinging a local destination vs. a remote destination.

NOTE:  All screenshots should show your application (Wireshark, SSH client, etc.) running in a non-maximized window, and should show part of your desktop background as well as the time/date in the taskbar/menu bar/status bar.

I have set up an optional discussion folder in Canvas called Wireshark Exploration for you to use to ask questions  and provide insight to each other in the completion of this assignment.  You are NOT required to participate in this discussion (unlike other discussions) as it is just for support in this assignment. Do not post direct answers or tutorials in this discussion.

Submit your document to the submission link titled Wireshark Exploration dropbox on Canvas.

NOTE:  All screenshots should show your application (Wireshark, SSH client, etc.) running in a non-maximized window, and should show part of your desktop background as well as the time/date in the taskbar/menu bar/status bar.