rap – using Wireshark to research Ethernet Frames Answers

Lab – making use of Wireshark to examine Ethernet Frames (Answers version – Optional Lab)

Answers Note: Red font color or gray highlights suggest text that shows up in the instructor copy only. Optional activities are design to enhance understanding or to provide extr practice or both.

You are watching: What is significant about the contents of the destination address field




Part 1: study the Header fields in an Ethernet II Frame

Part 2: usage Wireshark to Capture and also Analyze Ethernet Frames

Background / Scenario

When top layer protocols interact with every other, data flows down the open up Systems Interconnection (OSI) layers and also is encapsulated into a layer 2 frame. The structure composition is dependent on the media access type. For example, if the upper layer protocols room TCP and also IP and the media accessibility is Ethernet, climate the class 2 frame encapsulation will certainly be Ethernet II. This is common for a LAN environment.

When learning about Layer 2 concepts, it is advantageous to analyze framework header information. In the very first part the this lab, you will evaluation the fields had in one Ethernet II frame. In part 2, you will usage Wireshark come capture and analyze Ethernet II frame header fields for local and remote traffic.

Answers Note: This rap assumes that the college student is using a computer with net access. It also assumes the Wireshark has been pre-installed ~ above the PC. The screenshot in this lab were taken native Wireshark v2.4.3 for windows 10 (64bit).

Required Resources

1 computer (Windows 7, 8, or 10 with internet accessibility with Wireshark installed)

Part 1: study the Header fields in one Ethernet II Frame

In part 1, girlfriend will examine the header fields and also content in an Ethernet II frame. A Wireshark record will be provided to study the components in those fields.

Step 1: testimonial the Ethernet II header field descriptions and lengths.
8 Bytes6 Bytes6 Bytes2 Bytes46 – 1500 Bytes4 Bytes
Step 2: study the network construction of the PC.

This PC organize IP attend to is and also the default gateway has an IP resolve of


Step 3: examine Ethernet frames in a Wireshark capture.

The Wireshark capture listed below shows the packets created by a ping being issued from a PC hold to the default gateway. A filter has actually been used to Wireshark to check out the ARP and also ICMP protocols only. The session starts with an ARP query because that the MAC attend to of the gateway router, adhered to by 4 ping requests and replies.


Step 4: study the Ethernet II header contents of an ARP request.

The adhering to table takes the an initial frame in the Wireshark capture and also displays the data in the Ethernet II header fields.

PreambleNot displayed in captureThis field contains synchronizing bits, processed by the NIC hardware.
Destination AddressBroadcast (ff:ff:ff:ff:ff:ff)Layer 2 addresses for the frame. Each deal with is 48 bits long, or 6 octets, expressed together 12 hexadecimal digits, 0-9,A-F.A typical format is 12:34:56:78:9A:BC.The first six hex numbers indicate the manufacturer of the network interface card (NIC), the last six hex numbers space the serial number of the NIC.The destination address may it is in a broadcast, which consists of all ones, or a unicast. The resource address is always unicast.
Source AddressBelkinIn_9f:6b:8c (14:91:82:9f:6b:8c)
Frame Type0x0806

For Ethernet II frames, this field includes a hexadecimal value that is offered to indicate the kind of upper-layer protocol in the data field. Over there are countless upper-layer protocols sustained by Ethernet II. Two usual frame types are these:

Value Description

0x0800 IPv4 Protocol

0x0806 deal with Resolution Protocol (ARP)

DataARPContains the encapsulated upper-level protocol. The data field is in between 46 – 1,500 bytes.
FCSNot presented in captureFrame inspect Sequence, provided by the NIC to identify errors throughout transmission. The value is computed by the sending out machine, encompassing structure addresses, type, and data field. It is confirmed by the receiver.

What is significant about the components of the destination attend to field?


All hosts on the LAN will obtain this broadcast frame. The hold with the IP address of (default gateway) will certainly send a unicast reply to the resource (PC host). This reply consists of the MAC address of the NIC that the default gateway.

Why does the pc send out a transfer ARP prior to sending the first ping request?


Before the PC can send a ping request to a host, it requirements to identify the destination MAC resolve before the can construct the structure header for the ping request. The ARP broadcast is offered to inquiry the MAC attend to of the host with the IP deal with contained in the ARP.

What is the MAC resolve of the resource in the an initial frame? _______________________ it varies; in this case, it is 14:91:82:9f:6b:8c

What is the merchant ID (OUI) the the source NIC? __________________________ that varies, in this case, that is BelkinIn (Belkin worldwide Inc.)

What section of the MAC deal with is the OUI?


The very first 3 octets of the MAC attend to indicate the OUI.

What is the NIC serial variety of the source? _________________________________ It might vary, it is 9f:6b:8c in this case

Part 2: usage Wireshark to Capture and also Analyze Ethernet Frames

In component 2, girlfriend will usage Wireshark to record local and remote Ethernet frames. You will certainly then research the details that is had in the frame header fields.

Step 1: determine the IP attend to of the default gateway on her PC.

Open a command prompt home window and issue the ipconfig command.

What is the IP address of the pc default gateway? ________________________ Answers will vary

Step 2: Start recording traffic ~ above your pc NIC.Close Wireshark. No need to save the caught data.
Open Wireshark, start data capture.
Observe the traffic that shows up in the packet perform window.
Step 3: Filter Wireshark to display screen only ICMP traffic.

You have the right to use the filter in Wireshark come block visibility of undesirable traffic. The filter does no block the record of undesirable data; it only filters what to screen on the screen. Because that now, just ICMP website traffic is to it is in displayed.

In the Wireshark Filter box, kind icmp. The box should turn green if you typed the filter correctly. If the box is green, click Apply (the right arrow) to use the filter.


Step 4: from the command notice window, ping the default gateway of her PC.

From the command window, ping the default gateway using the IP attend to that you tape-recorded in step 1.

Step 5: Stop recording traffic on the NIC.

Click the Stop Capture icon to stop capturing traffic.


Step 6: examine the first Echo (ping) inquiry in Wireshark.

The Wireshark main home window is separated into 3 sections: the packet list pane (top), the Packet Details pane (middle), and the Packet Bytes pane (bottom). If you selected the correct interface for packet catching in step 3, Wireshark should screen the ICMP info in the packet perform pane that Wireshark, similar to the complying with example.


In the packet list pane (top section), click the an initial frame listed. You have to see Echo (ping) request under the Info heading. This have to highlight the heat blue.Examine the first line in the packet details pane (middle section). This line display screens the size of the frame; 74 bytes in this example.The 2nd line in the packet details pane mirrors that it is an Ethernet II frame. The resource and destination MAC addresses are also displayed.What is the MAC resolve of the computer NIC? ________________________ 00:26:b9:dd:00:91 in exampleWhat is the default gateway’s MAC address? ______________________ 14:91:82:9f:6b:8c in exampleYou deserve to click the plus (+) sign at the beginning of the second line to obtain much more information about the Ethernet II frame. An alert that the add to sign changes to a minus (-) sign.What kind of structure is displayed? ________________________________ 0x0800 or one IPv4 framework type.The last two lines presented in the middle section provide information about the data ar of the frame. Notification that the data contains the resource and destination IPv4 resolve information.What is the resource IP address? _________________________________ in the exampleWhat is the location IP address? ______________________________ in the exampleYou can click any type of line in the middle section to to mark that part of the structure (hex and ASCII) in the Packet Bytes pane (bottom section). Click the Internet regulate Message Protocol line in the center section and also examine what is highlighted in the Packet Bytes pane.
What execute the last 2 highlighted octets spell? ______ hiClick the next framework in the peak section and also examine an Echo reply frame. Notification that the source and location MAC addresses have reversed, because this frame was sent out from the default gateway router together a reply to the an initial ping.What device and MAC address is displayed as the location address?___________________________________________ The organize PC, 00:26:b9:dd:00:91 in example.Step 7: Restart packet capture in Wireshark.

Click the Start Capture icon to start a new Wireshark capture. You will obtain a popup window asking if girlfriend would choose to conserve the previous captured packets come a file before starting a brand-new capture. Click Continue without Saving.


Step 8: In the command prompt window, ping www.cisco.com.Step 9: Stop capturing packets.Step 10: study the new data in the packet perform pane that Wireshark.

In the first echo (ping) inquiry frame, what are the resource and destination MAC addresses?

Source: _________________________________ This have to be the MAC attend to of the PC.

Destination: ______________________________ This should be the MAC attend to of the Default Gateway.

What space the source and location IP addresses contained in the data field of the frame?

Source: _________________________________ This is still the IP address of the PC.

Destination: ______________________________ This is the deal with of the server at www.cisco.com, in the example.

Compare these addresses to the addresses you got in step 6. The only deal with that changed is the location IP address. Why has actually the destination IP resolve changed, when the destination MAC resolve remained the same?


Layer 2 frames never ever leave the LAN. As soon as a ping is issued come a far host, the resource will use the default gateway MAC deal with for the framework destination. The default gateway obtain the packet, strips the class 2 frame information from the packet and then creates a new frame header through the MAC resolve of the following hop. This process continues native router come router till the packet will its destination IP address.

See more: What Is The Identity Of An Element Is Determined By The Number Of An Element?


Wireshark walk not display the preamble ar of a structure header. What walk the preamble contain?


The preamble field contains seven octets of alternating 1010 sequences, and one octet that signals the start of the frame, 10101011.