Lab – Using Wireshark to Examine Ethernet Frames Answers

Lab – Using Wireshark to Examine Ethernet Frames (Answers Version – Optional Lab)

Answers Note: Red font color or gray highlights show text that shows up in the instructor copy only. Optional activities are designed to boost expertise or to provide added practice or both.

You are watching: Why has the destination ip address changed, while the destination mac address remained the same?




Part 1: Examine the Header Fields in an Ethernet II Frame

Part 2: Use Wireshark to Record and also Analyze Ethernet Frames

Background / Scenario

When upper layer protocols interact through each other, information flows dvery own the Open Solution Interlink (OSI) layers and is encapsulated into a Layer 2 frame. The frame composition is dependent on the media access form. For example, if the top layer protocols are TCP and IP and the media accessibility is Ethernet, then the Layer 2 framework encapsulation will certainly be Ethernet II. This is typical for a LAN setting.

When discovering about Layer 2 ideas, it is valuable to analyze framework header indevelopment. In the first part of this lab, you will certainly evaluation the fields had in an Ethernet II frame. In Part 2, you will certainly use Wireshark to capture and also analyze Ethernet II frame header fields for regional and also remote web traffic.

Answers Note: This lab assumes that the student is utilizing a PC with internet access. It also assumes that Wireshark has actually been pre-set up on the COMPUTER. The screenshots in this lab were taken from Wireshark v2.4.3 for Windows 10 (64bit).

Required Resources

1 COMPUTER (Windows 7, 8, or 10 through internet access via Wireshark installed)

Part 1: Examine the Header Fields in an Ethernet II Frame

In Part 1, you will study the header fields and also content in an Ethernet II structure. A Wireshark capture will be offered to study the contents in those fields.

Tip 1: Rewatch the Ethernet II header field descriptions and lengths.
8 Bytes6 Bytes6 Bytes2 Bytes46 – 1500 Bytes4 Bytes
Step 2: Examine the network-related configuration of the COMPUTER.

This COMPUTER host IP resolve is and the default gatemethod has actually an IP address of


Step 3: Examine Ethernet frames in a Wireshark capture.

The Wireshark capture below reflects the packets generated by a ping being issued from a COMPUTER host to its default gatemethod. A filter has been used to Wireshark to view the ARP and ICMP protocols only. The session starts through an ARP query for the MAC attend to of the gatemethod router, followed by four ping requests and also replies.


Step 4: Examine the Ethernet II header contents of an ARP repursuit.

The adhering to table takes the initially framework in the Wireshark capture and also screens the information in the Ethernet II header areas.

PreambleNot presented in captureThis area includes synchronizing bits, processed by the NIC hardware.
Destination AddressBroadactors (ff:ff:ff:ff:ff:ff)Layer 2 addresses for the framework. Each address is 48 bits lengthy, or 6 octets, expressed as 12 hexadecimal digits, 0-9,A-F.A common format is 12:34:56:78:9A:BC.The first 6 hex numbers show the manufacturer of the netoccupational interchallenge card (NIC), the last 6 hex numbers are the serial variety of the NIC.The location deal with might be a broadcast, which consists of all ones, or a unicast. The resource address is constantly unicast.
Source AddressBelkinIn_9f:6b:8c (14:91:82:9f:6b:8c)
Frame Type0x0806

For Ethernet II frames, this field has a hexadecimal worth that is offered to suggest the form of upper-layer protocol in the information field. Tbelow are numerous upper-layer protocols supported by Ethernet II. Two widespread frame forms are these:

Value Description

0x0800 IPv4 Protocol

0x0806 Address Resolution Protocol (ARP)

DataARPContains the encapsulated upper-level protocol. The data area is in between 46 – 1,500 bytes.
FCSNot presented in captureFrame Check Sequence, supplied by the NIC to determine errors throughout transmission. The value is computed by the sfinishing machine, encompassing framework addresses, form, and also information field. It is showed by the receiver.

What is substantial about the contents of the destination address field?


All hosts on the LAN will receive this broadactors framework. The hold via the IP attend to of (default gateway) will send a unicast reply to the resource (COMPUTER host). This reply consists of the MAC address of the NIC of the default gatemethod.

Why does the PC sfinish out a broadactors ARP before sending the initially ping request?


Before the PC have the right to send a ping request to a hold, it needs to recognize the location MAC attend to before it deserve to build the frame header for that ping research. The ARP broadcast is supplied to research the MAC deal with of the host via the IP attend to had in the ARP.

What is the MAC deal with of the resource in the initially frame? _______________________ It varies; in this situation, it is 14:91:82:9f:6b:8c

What is the Vendor ID (OUI) of the Source NIC? __________________________ It varies, in this case, it is BelkinIn (Belkin International Inc.)

What percentage of the MAC resolve is the OUI?


The first 3 octets of the MAC attend to indicate the OUI.

What is the NIC serial variety of the source? _________________________________ It might differ, it is 9f:6b:8c in this case

Part 2: Use Wireshark to Record and also Analyze Ethernet Frames

In Part 2, you will certainly use Wireshark to capture regional and remote Ethernet frames. You will certainly then research the indevelopment that is consisted of in the framework header fields.

Tip 1: Determine the IP deal with of the default gateway on your COMPUTER.

Open a command also prompt home window and concern the ipconfig command also.

What is the IP address of the PC default gateway? ________________________ Answers will vary

Tip 2: Start recording website traffic on your PC NIC.Close Wireshark. No should save the recorded information.
Open Wireshark, start data capture.
Observe the web traffic that shows up in the packet list window.
Tip 3: Filter Wireshark to display screen only ICMP traffic.

You have the right to use the filter in Wireshark to block visibility of unwanted web traffic. The filter does not block the capture of undesirable data; it just filters what to display on the screen. For now, just ICMP web traffic is to be displayed.

In the Wireshark Filter box, kind icmp. The box have to rotate green if you typed the filter correctly. If the box is green, click Apply (the appropriate arrow) to use the filter.


Step 4: From the command also prompt home window, ping the default gatemethod of your COMPUTER.

From the command home window, ping the default gatemeans making use of the IP deal with that you videotaped in Step 1.

Tip 5: Speak recording web traffic on the NIC.

Click the Sheight Capture icon to sheight capturing website traffic.


Tip 6: Examine the initially Echo (ping) request in Wireshark.

The Wireshark main window is split right into three sections: the packet list pane (top), the Packet Details pane (middle), and also the Packet Bytes pane (bottom). If you schosen the correct interchallenge for packet recording in Tip 3, Wireshark need to display screen the ICMP indevelopment in the packet list pane of Wireshark, equivalent to the complying with instance.


In the packet list pane (height section), click the initially frame noted. You must watch Echo (ping) request under the Info heading. This must highlight the line blue.Examine the initially line in the packet details pane (middle section). This line screens the size of the frame; 74 bytes in this instance.The second line in the packet details pane shows that it is an Ethernet II framework. The source and also destination MAC addresses are likewise displayed.What is the MAC attend to of the PC NIC? ________________________ 00:26:b9:dd:00:91 in exampleWhat is the default gateway’s MAC address? ______________________ 14:91:82:9f:6b:8c in exampleYou deserve to click the plus (+) authorize at the start of the second line to attain even more information about the Ethernet II frame. Notice that the plus sign changes to a minus (-) sign.What kind of structure is displayed? ________________________________ 0x0800 or an IPv4 structure form.The last two lines displayed in the middle area carry out indevelopment around the data area of the framework. Notice that the data has the source and also destination IPv4 attend to information.What is the source IP address? _________________________________ in the exampleWhat is the location IP address? ______________________________ in the exampleYou deserve to click any line in the middle area to highlight that part of the structure (hex and ASCII) in the Packet Bytes pane (bottom section). Click the Internet Control Blog post Protocol line in the middle area and also study what is highlighted in the Packet Bytes pane.
What do the last 2 highlighted octets spell? ______ hiClick the following frame in the top section and examine an Echo reply structure. Notice that the source and also destination MAC addresses have reversed, because this structure was sent out from the default gateway router as a reply to the first ping.What gadget and MAC address is displayed as the location address?___________________________________________ The host COMPUTER, 00:26:b9:dd:00:91 in instance.Step 7: Rebegin packet capture in Wireshark.

Click the Start Capture icon to begin a brand-new Wireshark capture. You will obtain a popup home window asking if you would certainly favor to conserve the previous captured packets to a record prior to starting a brand-new capture. Click Continue without Saving.


Tip 8: In the command also prompt window, ping www.cisco.com.Step 9: Stop capturing packets.Step 10: Examine the new information in the packet list pane of Wireshark.

In the first echo (ping) request frame, what are the source and location MAC addresses?

Source: _________________________________ This have to be the MAC address of the COMPUTER.

Destination: ______________________________ This should be the MAC attend to of the Default Gatemeans.

What are the resource and location IP addresses contained in the data field of the frame?

Source: _________________________________ This is still the IP resolve of the COMPUTER.

Destination: ______________________________ This is the deal with of the server at www.cisco.com, in the example.

Compare these addresses to the addresses you got in Tip 6. The just resolve that changed is the location IP address. Why has actually the location IP resolve changed, while the destination MAC address continued to be the same?


Layer 2 frames never before leave the LAN. When a ping is issued to a remote hold, the resource will certainly usage the default gatemethod MAC address for the frame location. The default gatemethod receives the packet, strips the Layer 2 structure information from the packet and also then creates a brand-new frame header through the MAC deal with of the next hop. This process continues from rexternal to rexternal till the packet reaches its location IP deal with.

See more: Why Does Water Have A Higher Boiling Point Than Ethanol (Video)


Wireshark does not screen the preamble field of a framework header. What does the preamble contain?


The preamble field contains salso octets of alternating 1010 sequences, and one octet that signals the beginning of the structure, 10101011.