Lab - Using Wireshark to View Network Traffic

Topology

Objectives

Part 1: (Optional) Download and Install Wireshark

Part 2: Capture and Analyze Local ICMP Data in Wireshark
- Start and stop data capture of ping traffic to local hosts.
- Locate the IP and MAC address information in captured PDUs.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark
- Start and stop data capture of ping traffic to remote hosts.
- Locate the IP and MAC address information in captured PDUs.
- Explain why MAC addresses for remote hosts are different than the MAC addresses of local hosts.

Background / Scenario

Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications.

Wireshark is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. This lab provides instructions for downloading and installing Wireshark, although it may already be installed. In this lab, you will use Wireshark to capture ICMP data packet IP addresses and Ethernet frame MAC addresses.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 20

Required Resources
- 1 PC (Windows 7, Vista, or XP with Internet access)
- Additional PC(s) on a local-area network (LAN) will be used to reply to ping requests.

Part 1: (Optional) Download and Install Wireshark

Wireshark has become the industry standard packet-sniffer program used by network engineers. This open source software is available for many different operating systems, including Windows, Mac, and Linux. In Part 1 of this lab, you will download and install the Wireshark software program on your PC.

Note: If Wireshark is already installed on your PC, you can skip Part 1 and go directly to Part 2. If Wireshark is not installed on your PC, check with your instructor about your academy's software download policy.

Step 1: Download Wireshark.

a. Wireshark can be downloaded from www.wireshark.org.

b. Click Download Wireshark.

c. Choose the software version you need based on your PC's architecture and operating system. For instance, if you have a 64-bit PC running Windows, choose Windows Installer (64-bit).

After making a selection, the download should start. The location of the downloaded file depends on the browser and operating system that you use. For Windows users, the default location is the Downloads folder.

Step 2: Install Wireshark.

a. The downloaded file is named Wireshark-win64-x.x.x.exe, where x represents the version number. Double-click the file to start the installation process.

b. Respond to any security messages that may display on your screen. If you already have a copy of Wireshark on your PC, you will be prompted to uninstall the old version before installing the new version. It is recommended that you remove the old version of Wireshark prior to installing another version. Click Yes to uninstall the previous version of Wireshark.

c. If this is the first time to install Wireshark, or after you have completed the uninstall process, you will navigate to the Wireshark Setup wizard. Click Next.

d. Continue advancing through the installation process. Click I Agree when the License Agreement window displays.

e. Keep the default settings on the Choose Components window and click Next.

f. Choose your desired shortcut options and click Next.

g. You can change the installation location of Wireshark, but unless you have limited disk space, it is recommended that you keep the default location.

h. To capture live network data, WinPcap must be installed on your PC. If WinPcap is already installed on your PC, the Install check box will be unchecked. If your installed version of WinPcap is older than the version that comes with Wireshark, it is recommended that you allow the newer version to be installed by clicking the Install WinPcap x.x.x (version number) check box.

i. Finish the WinPcap Setup Wizard if installing WinPcap.

j. Wireshark starts installing its files and a separate window displays with the status of the installation. Click Next when the installation is complete.

k. Click Finish to complete the Wireshark install process.

Part 2: Capture and Analyze Local ICMP Data in Wireshark

In Part 2 of this lab, you will ping another PC on the LAN and capture ICMP requests and replies in Wireshark. You will also look inside the frames captured for specific information. This analysis should help to clarify how packet headers are used to transport data to their destination.

Step 1: Retrieve your PC's interface addresses.

For this lab, you will need to retrieve your PC's IP address and its network interface card (NIC) physical address, also called the MAC address.

a. Open a command window, type ipconfig /all, and then press Enter.

b. Note your PC interface's IP address and MAC (physical) address.

c. Ask a team member for their PC's IP address and provide your PC's IP address to them. Do not provide them with your MAC address at this time.

Step 2: Start Wireshark and begin capturing data.

a. On your PC, click the Windows Start button to see Wireshark listed as one of the programs on the pop-up menu. Double-click Wireshark.

b. After Wireshark starts, click Interface List.

Note: Clicking the first interface icon in the row of icons also opens the Interface List.

c. On the Wireshark: Capture Interfaces window, click the check box next to the interface connected to your LAN.

Note: If multiple interfaces are listed and you are unsure which interface to check, click the Details button, and then click the 802.3 (Ethernet) tab. Verify that the MAC address matches what you noted in Step 1b. Close the Interface Details window after verifying the correct interface.

d. After you have checked the correct interface, click Start to start the data capture.

Information will start scrolling down the top section in Wireshark. The data lines will appear in different colors based on protocol.

e. This information can scroll by very quickly depending on what communication is taking place between your PC and the LAN. We can apply a filter to make it easier to view and work with the data that is being captured by Wireshark. For this lab, we are only interested in displaying ICMP (ping) PDUs. Type icmp in the Filter box at the top of Wireshark and press Enter or click on the Apply button to view only ICMP (ping) PDUs.

f. This filter causes all data in the top window to disappear, but you are still capturing the traffic on the interface. Bring up the command prompt window that you opened earlier and ping the IP address that you received from your team member. Notice that you start seeing data appear in the top window of Wireshark again.

Note: If your team member's PC does not reply to your pings, this may be because their PC firewall is blocking these requests. Please see Appendix A: Allowing ICMP Traffic Through a Firewall for information on how to allow ICMP traffic through the firewall using Windows 7.

g. Stop capturing data by clicking the Stop Capture icon.

Step 3: Examine the captured data.

In Step 3, examine the data that was generated by the ping requests of your team member's PC. Wireshark data is displayed in three sections: 1) the top section displays the list of PDU frames captured with a summary of the IP packet information listed, 2) the middle section lists PDU information for the frame selected in the top part of the screen and separates a captured PDU frame by its protocol layers, and 3) the bottom section displays the raw data of each layer. The raw data is displayed in both hexadecimal and decimal form.

a. Click the first ICMP request PDU frame in the top section of Wireshark. Notice that the Source column has your PC's IP address, and the Destination column contains the IP address of the teammate's PC you pinged.

b. With this PDU frame still selected in the top section, navigate to the middle section. Click the plus sign to the left of the Ethernet II row to view the Destination and Source MAC addresses.

Does the Source MAC address match your PC's interface?

Does the Destination MAC address in Wireshark match your team member's MAC address?

How is the MAC address of the pinged PC obtained by your PC?

Note: In the preceding example of a captured ICMP request, ICMP data is encapsulated inside an IPv4 packet PDU (IPv4 header) which is then encapsulated in an Ethernet II frame PDU (Ethernet II header) for transmission on the LAN.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark

In Part 3, you will ping remote hosts (hosts not on the LAN) and examine the generated data from those pings. You will then determine what is different about this data from the data examined in Part 2.

Step 1: Start capturing data on the interface.

a. Click the Interface List icon to bring up the list of PC interfaces again.

b. Make sure the check box next to the LAN interface is checked, and then click Start.

c. A window prompts you to save the previously captured data before starting another capture. It is not necessary to save this data. Click Continue without Saving.

d. With the capture active, ping the following three website URLs:
1) www.yahoo.com
2) www.cisco.com
3) www.google.com

Note: When you ping the URLs listed, notice that the Domain Name Server (DNS) translates the URL to an IP address. Note the IP address received for each URL.

e. You can stop capturing data by clicking the Stop Capture icon.

Step 2: Examining and analyzing the data from the remote hosts.

a. Review the captured data in Wireshark and examine the IP and MAC addresses of the three locations that you pinged. List the destination IP and MAC addresses for all three locations in the space provided.

1st Location: IP: __________ MAC: __________
2nd Location: IP: __________ MAC: __________
3rd Location: IP: __________ MAC: __________

b. What is significant about this information?

c. How does this information differ from the local ping information you received in Part 2?

Reflection

Why does Wireshark show the actual MAC address of the local hosts, but not the actual MAC address for the remote hosts?

Appendix A: Allowing ICMP Traffic Through a Firewall

If the members of your team are unable to ping your PC, the firewall may be blocking those requests. This appendix describes how to create a rule in the firewall to allow ping requests. It also describes how to disable the new ICMP rule after you have completed the lab.

Step 1: Create a new inbound rule allowing ICMP traffic through the firewall.

a. From the Control Panel, click the System and Security option.

b. From the System and Security window, click Windows Firewall.

c. In the left pane of the Windows Firewall window, click Advanced settings.

d. On the Advanced Security window, choose the Inbound Rules option on the left sidebar and then click New Rule… on the right sidebar.

e. This launches the New Inbound Rule wizard. On the Rule Type screen, click the Custom radio button and click Next.

f. In the left pane, click the Protocol and Ports option and, using the Protocol type drop-down menu, select ICMPv4, and then click Next.
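The encapsulation described in the Part 2 Step 3 note (ICMP inside an IPv4 packet inside an Ethernet II frame), the effect of the icmp display filter, and the Reflection question about local versus remote MAC addresses can all be seen by decoding raw frames by hand. The following Python example is added here and is not part of the Cisco lab; it builds a small constructed capture (all MAC and IP addresses are made-up sample values, not from any real lab run), decodes each frame the way Wireshark's middle pane lays out the Ethernet II, IPv4 and ICMP rows, drops non-ICMP frames as the filter would, and labels whether a frame's destination MAC belongs to the pinged host itself or to the default gateway:

```python
"""Decode Ethernet II / IPv4 / ICMP frames the way Wireshark's middle pane does.

Added example, not part of the Cisco lab. All MAC and IP addresses below are
constructed sample values (locally administered MACs, RFC 1918 / RFC 5737 IPs).
"""
import ipaddress
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass
class IcmpFrame:
    """The fields the lab asks you to read from the Ethernet II, IPv4 and ICMP rows."""
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    icmp_type: int
    icmp_id: int
    icmp_seq: int


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(src_mac, dst_mac, src_ip, dst_ip, icmp_type, ident=1, seq=1,
                    payload=b"abcdefghijklmnopqrstuvwabcdefghi") -> bytes:
    """Build one echo frame: ICMP inside IPv4 inside Ethernet II (the lab's Note)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128,
                         IPPROTO_ICMP, 0, ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + icmp)


def decode_icmp_frame(frame: bytes):
    """Return an IcmpFrame, or None when the frame is not IPv4/ICMP or is malformed
    (None is exactly what typing icmp in the Filter box hides from the top pane)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    dst_mac, src_mac, ip = frame[0:6], frame[6:12], frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl + 8 or len(ip) < total_len:
        return None
    if inet_checksum(ip[:ihl]) != 0 or ip[9] != IPPROTO_ICMP:
        return None  # corrupt IPv4 header, or a protocol other than ICMP
    icmp = ip[ihl:total_len]
    if inet_checksum(icmp) != 0:
        return None  # corrupt ICMP checksum
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return IcmpFrame(dst_mac=":".join(f"{b:02x}" for b in dst_mac),
                     src_mac=":".join(f"{b:02x}" for b in src_mac),
                     src_ip=str(ipaddress.IPv4Address(ip[12:16])),
                     dst_ip=str(ipaddress.IPv4Address(ip[16:20])),
                     icmp_type=icmp_type, icmp_id=ident, icmp_seq=seq)


def apply_icmp_filter(frames):
    """Equivalent of the icmp display filter: keep only frames that decode as ICMP."""
    return [d for d in map(decode_icmp_frame, frames) if d is not None]


def next_hop_label(d: IcmpFrame, local_net: str, gateway_mac: str) -> str:
    """Answer the Reflection question for one frame: on the LAN the destination MAC is
    the pinged host's own NIC; off the LAN it is the default gateway's MAC, because an
    Ethernet frame only travels one hop while the IP packet travels end to end."""
    if ipaddress.IPv4Address(d.dst_ip) in ipaddress.IPv4Network(local_net):
        return "local host"
    return "default gateway" if d.dst_mac == gateway_mac else "unexpected next hop"


# Constructed sample capture (not from a real lab run): one local ping exchange,
# an ARP frame the filter must hide, and one ping to a remote host via the gateway.
PC_MAC, TEAMMATE_MAC, GATEWAY_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"
PC_IP, TEAMMATE_IP, REMOTE_IP, LAN = "192.168.1.10", "192.168.1.20", "198.51.100.10", "192.168.1.0/24"
SAMPLE_CAPTURE = [
    build_icmp_echo(PC_MAC, TEAMMATE_MAC, PC_IP, TEAMMATE_IP, ICMP_ECHO_REQUEST, seq=1),
    build_icmp_echo(TEAMMATE_MAC, PC_MAC, TEAMMATE_IP, PC_IP, ICMP_ECHO_REPLY, seq=1),
    mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(PC_MAC) + struct.pack("!H", ETHERTYPE_ARP) + bytes(28),
    build_icmp_echo(PC_MAC, GATEWAY_MAC, PC_IP, REMOTE_IP, ICMP_ECHO_REQUEST, seq=2),
    build_icmp_echo(GATEWAY_MAC, PC_MAC, REMOTE_IP, PC_IP, ICMP_ECHO_REPLY, seq=2),
]

if __name__ == "__main__":
    for d in apply_icmp_filter(SAMPLE_CAPTURE):
        kind = "request" if d.icmp_type == ICMP_ECHO_REQUEST else "reply"
        print(f"{d.src_ip:>14} -> {d.dst_ip:<14} echo {kind:7} dst MAC {d.dst_mac}"
              f" = {next_hop_label(d, LAN, GATEWAY_MAC)}")
```

Run the file directly to print one line per ICMP frame. The two frames toward 198.51.100.10 carry the gateway's MAC even though their IP destination is the remote host, which is what you observe in Part 3; the checksum checks also show why a frame whose header was damaged in transit would not appear in the filtered list.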