1.5.4 Lab – Use Wireshark to View Network Traffic
Topology
Objectives
- Part 1: Using Nmap (Optional)
- Part 2: Capture and Analyze Local ICMP Data in Wireshark
- Part 3: Capture and Analyze Remote ICMP Data in Wireshark
Background / Scenario
First, you will use the network scanning and mapping tool Nmap to discover hosts on your network. Nmap is a very popular network discovery and mapping tool that has many applications. You will then use the information gathered with Nmap to view network traffic in Wireshark.
Wireshark is a software protocol analyzer, or “packet sniffer” application, used for network troubleshooting, analysis, software and protocol development, and education. As data streams travel back and forth over the network, the sniffer “captures” each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications.
Wireshark is a useful tool for anyone working with networks and can be used with labs in the networking courses for data analysis and troubleshooting. In this lab, you will use Wireshark to capture ICMP data packet IP addresses and Ethernet frame MAC addresses.
Note: This lab can be done using a home network, or in a networking learning lab with other students. The instructions will be slightly different depending on your setting.
Required Resources
- 1 PC (Windows with internet access)
- Additional PCs on a local-area network (LAN) will be used to reply to ping requests.
Instructions
Part 1: Using Nmap (Optional)
Note: This portion of the lab is optional. If you are doing this lab on your own, you will use Nmap to identify hosts on your network. If you are working with others, they will supply you with the IP addresses that you need to complete the Wireshark part of this lab. In some locations and environments, network scanning with a tool like Nmap is forbidden. Only use network scanning software on networks that you have explicit permission to scan.
Network Mapper (Nmap) is an open-source tool that allows you to scan IP addresses and ports in a network, discover services and open ports, and detect possible vulnerabilities. It is a good application to be familiar with, especially if you are interested in cybersecurity. You will use Nmap to identify devices on your local network by scanning your LAN.
Note: The following instructions are intended for Windows operating system only. Refer to the documentation at https://nmap.org for detailed information.
Step 1: Download and install Nmap.
a. Navigate to https://nmap.org and select the Download tab to download the latest Nmap stable installer for your system.
b. On your PC, navigate to the location of the downloaded file and double-click the file to start the installation process. Respond to any security messages that may display on your screen.
c. In Nmap Setup wizard, click I Agree to accept the License Agreement.
d. Keep the default settings on the Choose Components window and click Next.
e. You can change the installation location of Nmap. Click Install to continue to install in the default Destination folder.
f. Click Next to create desired shortcuts. Click Finish to close the wizard after Nmap has successfully been installed on your computer.
Step 2: Learn more about Nmap.
a. The service scanme.nmap.org was set up by the Nmap Security Scanner Project to allow you to learn more about Nmap and verify that your Nmap installation is working properly.
Nmap is often used as a command-line tool. In this lab we will use Zenmap, the GUI version of Nmap.
b. Start Nmap. In the Target field in the Zenmap window, enter scanme.nmap.org. In the Profile field, select Quick scan plus. Click Scan to start a new scan.
c. The scan can take a few minutes. In the Nmap Output tab, you will see a small activity indicator next to the executed Nmap command drop down and next to the Details button. This indicates that the scan is in progress. Review the results in the Nmap Output tab to answer a few questions.
List some of the open ports.
Answers can vary. Some of the opened ports are SSH and HTTP.
What is the operating system is identified for the scanme.nmap.org server?
At the time of the writing, scanme.nmap.org is hosted on a system running Linux 5.0.x.
What is the IP address for scanme.nmap.org?
At the time of this writing, the IP address is 45.33.32.156.
For this lab, you will need to retrieve your PC IP address, subnet mask, and its network interface card (NIC) physical address, also called the MAC address.
a. In a command prompt window, enter ipconfig /all, to determine the IP address of your PC interface, its description, and its MAC (physical) address
C:UsersStudent> ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : DESKTOP-NB48BTC Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No Ethernet adapter Ethernet: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Intel(R) 82577LM Gigabit Network Connection Physical Address. . . . . . . . . :00-26-B9-DD-00-91 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : fe80::d809:d939:110f:1b7f%20(Preferred) IPv4 Address. . . . . . . . . . . : 192.168.1.147(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.1.1 <output omitted>
b. Make note of the following:
- interface name
- IP address
- subnet mask
- default gateway address
- adapter physical address
- adapter physical address
c. Scan your computer by entering its IP address in the target Window. Select the Quick scan plus profile and click Scan.
List some of the opened ports.
Answers will vary.
What is the operating system? Does the listed operating system match the operating system in use on the local host?
Answers will vary. The operating system most likely matches the results for the operating system from the Nmap scan.
d. You can also scan a subnet or entire IP network. To scan your local network, enter the IP address of your computer, followed by its subnet mask, in the Target field. The subnet mask should be in slash notation. For example, a mask of 255.255.255.0 is equivalent to /24 in slash notation.
e. Select the Ping scan profile, because we just want a list of all the available hosts on the LAN. Click Scan.
How many hosts were discovered? Was this number a surprise to you?
Answers will vary.
With the Ping scan results, what other information is available to you?
Answers will vary. From the results, you have the IP and MAC addresses and the hostnames of the hosts that are running.
Try to identify which hosts were discovered based on the manufacturer information that is returned for the host NICs. This information comes from the Organizational Unique Identifier (OUI) of the MAC address. For more information, you can Scan using the Quick scan plus or other profile. Can you identify some of the hosts?
Answers will vary.
f. Make note of one or more IP addresses and the associated MAC addresses from the list.
Part 2: Capture and Analyze Local ICMP Data in Wireshark
In Part 1 of this lab, you will ping another PC on the LAN and capture ICMP requests and replies in Wireshark. You will also look inside the frames captured for specific information. This analysis should help to clarify how packet headers are used to transport data to their destination.
Step 1: Retrieve your PC interface addresses.
For this lab, you will need to retrieve your PC IP address and its network interface card (NIC) physical address, also called the MAC address.
a. In a command prompt window, enter ipconfig /all, to the IP address of your PC interface, its description, and its MAC (physical) address.
C:UsersStudent> ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : DESKTOP-NB48BTC Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No Ethernet adapter Ethernet: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Intel(R) 82577LM Gigabit Network Connection Physical Address. . . . . . . . . :00-26-B9-DD-00-91 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : fe80::d809:d939:110f:1b7f%20(Preferred) IPv4 Address. . . . . . . . . . . : 192.168.1.147(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.1.1
b. Ask a team member or team members for their PC IP address and provide your PC IP address to them. Do not provide them with your MAC address at this time.
Step 2: Start Wireshark and begin capturing data
a. Navigate to Wireshark. Double-click the desired interface to start the packet capture. Make sure the desired interface has traffic.
b. Information will start scrolling down the top section in Wireshark. The data lines will appear in different colors based on protocol.
This information can scroll by very quickly depending on what communication is taking place between your PC and the LAN. We can apply a filter to make it easier to view and work with the data that is being captured by Wireshark.
For this lab, we are only interested in displaying ICMP (ping) PDUs. Type icmp in the Filter box at the top of Wireshark and press Enter, or click the Apply button (arrow sign) to view only ICMP (ping) PDUs.
c. This filter causes all data in the top window to disappear, but you are still capturing the traffic on the interface. Navigate to a command prompt window and ping the IP address that you received from your team member.
C:> ping 192.168.1.114
Pinging 192.168.1.114 with 32 bytes of data:
Reply from 192.168.1.114: bytes=32 time<1ms TTL=128
Reply from 192.168.1.114: bytes=32 time<1ms TTL=128
Reply from 192.168.1.114: bytes=32 time<1ms TTL=128
Reply from 192.168.1.114: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.1.114:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Notice that you start seeing data appear in the top window of Wireshark again
Note: If the PC of your team member does not reply to your pings, this may be because the PC firewall of the team member is blocking these requests. Please see Appendix A: Allowing ICMP Traffic Through a Firewall for information on how to allow ICMP traffic through the firewall using Windows.
d. Stop capturing data by clicking the Stop Capture icon.
Step 3: Examine the captured data.
In Step 3, examine the data that was generated by the ping requests of your team member PC. Wireshark data is displayed in three sections: 1) The top section displays the list of PDU frames captured with a summary of the IP packet information listed; 2) the middle section lists PDU information for the frame selected in the top part of the screen and separates a captured PDU frame by its protocol layers; and 3) the bottom section displays the raw data of each layer. The raw data is displayed in both hexadecimal and decimal form.
a. Click the first ICMP request PDU frames in the top section of Wireshark. Notice that the Source column has your PC IP address, and the Destination column contains the IP address of the teammate PC that you pinged.
b. With this PDU frame still selected in the top section, navigate to the middle section. Click the plus sign to the left of the Ethernet II row to view the destination and source MAC addresses.
Does the source MAC address match your PC interface?
Yes
Does the destination MAC address in Wireshark match your team member MAC address?
Yes
How is the MAC address of the pinged PC obtained by your PC?
The MAC address is obtained through an ARP request.
Note: In the preceding example of a captured ICMP request, ICMP data is encapsulated inside an IPv4 packet PDU (IPv4 header) which is then encapsulated in an Ethernet II frame PDU (Ethernet II header) for transmission on the LAN.
Part 3: Capture and Analyze Remote ICMP Data in Wireshark
In Part 2, you will ping remote hosts (hosts not on the LAN) and examine the generated data from those pings. You will then determine what is different about this data from the data examined in Part 1.
Step 1: Start capturing data on the interface.
a. Start the data capture again.
b. A window prompts you to save the previously captured data before starting another capture. It is not necessary to save this data. Click Continue without Saving.
c. With the capture active, ping the following three website URLs from a Windows command prompt:
1) www.yahoo.com
2) www.cisco.com
3) www.google.com
Note: When you ping the URLs listed, notice that the Domain Name Server (DNS) translates the URL to an IP address. Note the IP address received for each URL.
d. You can stop capturing data by clicking the Stop Capture icon.
Step 2: Examining and analyzing the data from the remote hosts.
Review the captured data in Wireshark and examine the IP and MAC addresses of the three locations that you pinged. List the destination IP and MAC addresses for all three locations in the space provided.
IP address for www.yahoo.com:
Answers will vary. At the time of writing, the IP address is 98.137.246.7.
MAC address for www.yahoo.com:
Answers will vary. The MAC address is the physical address of the default-gateway LAN interface of the router.
IP address for www.cisco.com:
Answers will vary. At the time of writing, the IP address is 96.7.79.147.
MAC address for www.cisco.com:
Answers will vary. The MAC address is the physical address of the default-gateway LAN interface of the router.
IP address for www.google.com:
Answers will vary. At the time of writing, the IP address is 172.217.14.100.
MAC address for www.google.com:
Answers will vary. The MAC address is the physical address of the default-gateway LAN interface of the router.
What is significant about this information?
The MAC addresses for all three locations are the same.
How does this information differ from the local ping information you received in Part 2?
A ping to a local host returns the MAC address of the PC NIC. A ping to a remote host returns the MAC address of the default gateway LAN interface.
Step 3: Save an open a packet capture file.
You can save the results of your Wireshark session in an external file. This file can then be opened in Wireshark to restore the session for analysis. This is a great way to archive network information and exchange scans with others.
a. Stop packet capture.
b. Go to the Wireshark file menu and select Save.
c. Name the file and choose a convenient location for the saved file.
d. You can open the file later by clicking the file menu and selecting Open.
Reflection Question
Why does Wireshark show the actual MAC address of the local hosts, but not the actual MAC address for the remote hosts?
MAC addresses for remote hosts are not known on the local network, so the MAC address of the default-gateway is used. After the packet reaches the default-gateway router, the Layer 2 information is stripped from the packet and a new Layer 2 header is attached with the destination MAC address of the next hop router.
Appendix A: Allowing ICMP Traffic Through a Firewall
If the members of your team are unable to ping your PC, the firewall may be blocking those requests. This appendix describes how to create a rule in the firewall to allow ping requests. It also describes how to disable the new ICMP rule after you have completed the lab.
Part 1: Create a new inbound rule allowing ICMP traffic through the firewall.
a. Navigate to the Control Panel and click the System and Security option in the Category view.
b. In the System and Security window, click Windows Defender Firewall or Windows Firewall.
c. In the left pane of the Windows Defender Firewall or Windows Firewall window, click Advanced settings.
d. On the Advanced Security window, click the Inbound Rules option on the left sidebar and then click New Rule… on the right sidebar.
e. This launches the New Inbound Rule wizard. On the Rule Type screen, click the Custom radio button and click Next.
f. In the left pane, click the Protocol and Ports option and using the Protocol Type drop-down menu, select ICMPv4, and then click Next.
g. Verify that Any IP address for both the local and remote IP addresses are selected. Click Next to continue.
h. Select Allow the connection. Click Next to continue.
i. By default, this rule applies to all the profiles. Click Next to continue.
j. Name the rule with Allow ICMP Requests. Click Finish to continue. This new rule should allow your team members to receive ping replies from your PC.
Part 2: Disabling or deleting the new ICMP rule.
After the lab is complete, you may want to disable or even delete the new rule you created in Step 1. Using the Disable Rule option allows you to enable the rule again at a later date. Deleting the rule permanently deletes it from the list of inbound rules.
a. On the Advanced Security window, click Inbound Rules in the left pane and then locate the rule you created previously.
b. Right-click the ICMP rule and select Disable Rule if so desired. You may also select Delete if you want to permanently delete it. If you choose this option, you must re-create the rule again to allow ICMP replies.