Lab – Use Wireshark to Examine Ethernet Frames (Answers Version)

Answers Note: Red font shade or gray highlights indicate text that shows up in the Answers copy just.

You are watching: Why does the pc send out a broadcast arp prior to sending the first ping request



Step 4: Examine the Ethernet II header contents of an ARP repursuit.

The adhering to table takes the first framework in the Wireshark capture and also displays the information in the Ethernet II header fields.





Not presented in capture

This area contains synchronizing bits, processed by the NIC hardware.

Destination Address




Source Address


Broadcast (ff:ff:ff:ff:ff:ff)




Netgear_99:c5:72 (30:46:9a:99:c5:72)

Layer 2 addresses for the framework. Each resolve is 48 bits long, or 6 octets, expressed as 12 hexadecimal digits, 0-9,A-F.A common format is 12:34:56:78:9A:BC.

The initially 6 hex numbers suggest the manufacturer of the netoccupational interconfront card (NIC), the last six hex numbers are the serial variety of the NIC.

The destination deal with may be a broadcast, which includes all ones, or a uniactors. The resource address is constantly uniactors.

Frame Type


For Ethernet II frames, this area includes a hexadecimal value that is used to indicate the kind of upper–layer protocol in the information field. Tbelow are plenty of upper–layer protocols sustained by Ethernet II. Two common frame kinds are these:

Value Description

0x0800 IPv4 Protocol

0x0806 Address Resolution Protocol (ARP)



Contains the encapsulated upper–level protocol. The information field is between 46 – 1,500 bytes.


Not displayed in capture

Frame Check Sequence, used by the NIC to determine errors during transmission. The value is computed by the sfinishing gadget, encompassing frame addresses, form, and also information field. It is confirmed by the receiver.

What is significant around the contents of the destination address field?

All hosts on the LAN will get this broadactors framework. The organize with the IP resolve of (default gateway) will certainly sfinish a unicast reply to the source (COMPUTER host). This reply includes the MAC address of the NIC of the default gatemethod.

Why does the COMPUTER send out a broadcast ARP prior to sfinishing the initially ping request?

The COMPUTER cannot sfinish a ping research to a organize until it determines the location MAC resolve, so that it can develop the framework header for that ping research. The ARP broadactors is used to repursuit the MAC address of the host through the IP deal with consisted of in the ARP.

What is the MAC resolve of the source in the first frame?

It varies; in this situation, it is f0:1f:af:50:fd:c8.

What is the Vendor ID (OUI) of the Source NIC in the ARP reply?

It varies, in this situation, it is Netgear.

What percentage of the MAC deal with is the OUI?

The first 3 octets of the MAC resolve show the OUI.

What is the NIC serial variety of the source?

It might vary, it is 99:c5:72 in this case.

Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

In Part 2, you will certainly use Wireshark to capture local and also remote Ethernet frames. You will certainly then examine the information that is had in the framework header areas.

Tip 1: Determine the IP address of the default gateway on your COMPUTER.

Open a Windows command also prompt.

Open a command prompt window and issue the ipconfig command.

What is the IP address of the PC default gateway?

Answers will certainly vary.

Cshed a Windows command prompt.

Tip 2: Start recording website traffic on your PC NIC.

Open Wireshark to start information capture.Observe the website traffic that appears in the packet list home window.

Step 3: Filter Wireshark to screen just ICMP web traffic.

You have the right to use the filter in Wireshark to block visibility of unwanted traffic. The filter does not block the capture of undesirable data; it just filters what you want to screen on the screen. For now, only ICMP web traffic is to be shown.

In the Wireshark Filter box, form icmp. The box should revolve green if you typed the filter effectively. If package is green, click Apply (the right arrow) to apply the filter.

Step 4: From the command prompt home window, ping the default gatemethod of your PC.

Open a Windows command prompt.

From the command home window, ping the default gateway utilizing the IP attend to that you tape-recorded in Tip 1.

Cshed Windows command also prompt.

Step 5: Speak catching traffic on the NIC.

Click the Stop Capturing Packets icon to soptimal capturing traffic.

Tip 6: Examine the first Echo (ping) request in Wireshark.

The Wireshark primary window is split right into 3 sections: the packet list pane (top), the Packet Details pane (middle), and the Packet Bytes pane (bottom). If you schosen the correct interface for packet capturing formerly, Wireshark should screen the ICMP information in the packet list pane of Wireshark.

In the packet list pane (peak section), click the initially structure noted. You have to view Echo (ping) repursuit under the Info heading. The line have to currently be highlighted.Examine the first line in the packet details pane (middle section). This line display screens the length of the framework.The second line in the packet details pane mirrors that it is an Ethernet II structure. The source and also location MAC addresses are likewise presented.Questions:

What is the MAC address of the PC NIC?

Your answers will certainly differ.

What is the default gateway’s MAC address?

Your answers will certainly vary.

You have the right to click the better than (>) sign at the beginning of the second line to obtain even more indevelopment about the Ethernet II frame.Question:

What kind of structure is displayed?

0x0800 or an IPv4 framework type.

The last two lines shown in the middle area administer indevelopment around the information area of the structure. Notice that the data includes the resource and location IPv4 address information.Questions:

What is the source IP address?

Your answers will certainly differ.

What is the location IP address?

Your answers will certainly differ.

You can click any line in the middle area to highlight that component of the framework (hex and also ASCII) in the Packet Bytes pane (bottom section). Click the Web Control Post Protocol line in the middle area and also research what is highlighted in the Packet Bytes pane.Question:

What perform the last two highlighted octets spell?


Click the following frame in the height section and also examine an Echo reply frame. Notice that the source and also location MAC addresses have actually reversed, bereason this framework was sent out from the default gatemeans router as a reply to the first ping.Question:

What gadget and also MAC address is presented as the destination address?

Your answers will differ.

Tip 7: Record packets for a remote hold.

Click the Start Catch symbol to start a brand-new Wireshark capture. You will get a popup window asking if you would certainly choose to save the previous captured packets to a file prior to starting a brand-new capture. Click Continue without Saving.

Open a Windows command also prompt.

In a command also prompt window, ping

Cshed a Windows command prompt.

Speak catching packets.Examine the new data in the packet list pane of Wireshark.Questions:

In the initially echo (ping) repursuit framework, what are the source and also destination MAC addresses?



This must be the MAC resolve of the COMPUTER.


This need to be the MAC attend to of the Default Gatemeans.

What are the resource and location IP addresses included in the data area of the frame?


This is still the IP deal with of the PC.


This is the address of the server at

Compare these addresses to the addresses you obtained in Tip 6. The just address that adjusted is the location IP resolve. Why has the location IP deal with readjusted, while the destination MAC deal with continued to be the same?

Layer 2 frames never leave the LAN. When a ping is issued to a remote hold, the resource will certainly usage the default gatemeans MAC resolve for the frame location. The default gatemethod receives the packet, strips the Layer 2 framework indevelopment from the packet and also then creates a new framework header with the MAC attend to of the next hop. This procedure proceeds from router to router till the packet reaches its destination IP deal with.

See more: Why Does Santa Have A Big Sack ? (Christmas/Holiday Joke Thread)

Reflection Question

Wireshark does not screen the preamble area of a frame header. What does the preamble contain?

The preamble field includes seven octets of alternating 1010 sequences, and one octet that signals the beginning of the structure, 10101011.