Lab – use Wireshark to examine Ethernet Frames (Answers Version)

Answers Note: Red font shade or gray highlights indicate text that appears in the answers copy only.

You are watching: Wireshark does not display the preamble field of a frame header. what does the preamble contain?



Step 4: research the Ethernet II header contents of one ARP request.

The complying with table bring away the first frame in the Wireshark capture and displays the data in the Ethernet II header fields.





Not shown in capture

This field contains synchronizing bits, handle by the NIC hardware.

Destination Address




Source Address


Broadcast (ff:ff:ff:ff:ff:ff)




Netgear_99:c5:72 (30:46:9a:99:c5:72)

Layer 2 addresses because that the frame. Each address is 48 bits long, or 6 octets, expressed together 12 hexadecimal digits, 0-9,A-F.A usual format is 12:34:56:78:9A:BC.

The first six hex numbers suggest the manufacturer the the network user interface card (NIC), the last six hex numbers room the serial number of the NIC.

The destination deal with may it is in a broadcast, which includes all ones, or a unicast. The source address is always unicast.

Frame Type


For Ethernet II frames, this field includes a hexadecimal worth that is provided to indicate the kind of upper–layer protocol in the data field. Over there are many upper–layer protocols sustained by Ethernet II. Two typical frame species are these:

Value Description

0x0800 IPv4 Protocol

0x0806 address Resolution Protocol (ARP)



Contains the encapsulated upper–level protocol. The data field is in between 46 – 1,500 bytes.


Not presented in capture

Frame examine Sequence, offered by the NIC to determine errors throughout transmission. The worth is computed by the sending out device, encompassing framework addresses, type, and data field. It is verified by the receiver.

What is far-reaching about the components of the destination attend to field?

All hosts on the LAN will get this broadcast frame. The hold with the IP attend to of (default gateway) will send a unicast reply to the resource (PC host). This reply has the MAC resolve of the NIC the the default gateway.

Why go the pc send the end a transfer ARP before sending the an initial ping request?

The pc cannot send a ping inquiry to a host until it determines the destination MAC address, so the it can develop the frame header for the ping request. The ARP broadcast is provided to inquiry the MAC address of the host with the IP attend to contained in the ARP.

What is the MAC attend to of the source in the first frame?

It varies; in this case, it is f0:1f:af:50:fd:c8.

What is the vendor ID (OUI) that the source NIC in the ARP reply?

It varies, in this case, it is Netgear.

What section of the MAC resolve is the OUI?

The an initial 3 octets of the MAC attend to indicate the OUI.

What is the NIC serial variety of the source?

It might vary, it is 99:c5:72 in this case.

Part 2: use Wireshark come Capture and Analyze Ethernet Frames

In component 2, friend will usage Wireshark to capture local and also remote Ethernet frames. You will certainly then examine the details that is consisted of in the frame header fields.

Step 1: identify the IP attend to of the default gateway on your PC.

Open a windows command prompt.

Open a command prompt home window and issue the ipconfig command.

What is the IP resolve of the computer default gateway?

Answers will certainly vary.

Close a windows command prompt.

Step 2: Start capturing traffic on your pc NIC.

Open Wireshark to start data capture.Observe the traffic that shows up in the packet perform window.

Step 3: Filter Wireshark to display only ICMP traffic.

You can use the filter in Wireshark come block visibility of undesirable traffic. The filter does no block the record of undesirable data; it just filters what you want to display screen on the screen. For now, just ICMP traffic is to it is in displayed.

In the Wireshark Filter box, kind icmp. The box have to turn environment-friendly if friend typed the filter correctly. If package is green, click apply (the right arrow) to apply the filter.

Step 4: indigenous the command note window, ping the default gateway of your PC.

Open a home windows command prompt.

From the command window, ping the default gateway utilizing the IP attend to that you recorded in action 1.

Close windows command prompt.

Step 5: Stop catching traffic top top the NIC.

Click the Stop capturing Packets symbol to stop recording traffic.

Step 6: examine the first Echo (ping) request in Wireshark.

The Wireshark main window is split into three sections: the packet list pane (top), the Packet Details pane (middle), and the Packet Bytes pane (bottom). If girlfriend selected the correct user interface for packet recording previously, Wireshark should display screen the ICMP info in the packet list pane of Wireshark.

In the packet list pane (top section), click the first frame listed. You need to see Echo (ping) inquiry under the details heading. The line must now it is in highlighted.Examine the first line in the packet details pane (middle section). This line screens the size of the frame.The second line in the packet details pane mirrors that that is an Ethernet II frame. The source and destination MAC addresses are likewise displayed.Questions:

What is the MAC attend to of the computer NIC?

Your answers will vary.

What is the default gateway’s MAC address?

Your answers will certainly vary.

You can click the greater than (>) sign at the start of the second line come obtain an ext information around the Ethernet II frame.Question:

What form of structure is displayed?

0x0800 or an IPv4 framework type.

The last two lines displayed in the middle section administer information around the data ar of the frame. Notification that the data has the resource and location IPv4 resolve information.Questions:

What is the source IP address?

Your answers will vary.

What is the location IP address?

Your answers will vary.

You can click any kind of line in the middle section to to mark that component of the structure (hex and also ASCII) in the Packet Bytes pane (bottom section). Click the Internet control Message Protocol line in the middle section and examine what is highlighted in the Packet Bytes pane.Question:

What execute the last 2 highlighted octets spell?


Click the next framework in the top section and also examine one Echo reply frame. An alert that the source and location MAC addresses have actually reversed, due to the fact that this framework was sent out from the default gateway router as a reply to the an initial ping.Question:

What device and MAC resolve is shown as the destination address?

Your answers will certainly vary.

Step 7: capture packets for a far host.

Click the Start record icon to start a brand-new Wireshark capture. Friend will get a popup home window asking if girlfriend would favor to save the previous recorded packets to a document before starting a new capture. Click continue without Saving.

Open a windows command prompt.

In a command prompt window, ping

Close a windows command prompt.

Stop capturing packets.Examine the new data in the packet perform pane that Wireshark.Questions:

In the first echo (ping) request frame, what space the source and location MAC addresses?



This should be the MAC attend to of the PC.


This should be the MAC address of the Default Gateway.

What room the resource and destination IP addresses consisted of in the data field of the frame?


This is quiet the IP resolve of the PC.


This is the attend to of the server at

Compare these addresses come the addresses you received in step 6. The only resolve that readjusted is the destination IP address. Why has actually the destination IP deal with changed, when the location MAC address remained the same?

Layer 2 frames never ever leave the LAN. As soon as a ping is issued come a remote host, the resource will use the default gateway MAC attend to for the structure destination. The default gateway receives the packet, strips the great 2 framework information from the packet and also then create a brand-new frame header with the MAC address of the next hop. This process continues from router to router till the packet will its location IP address.

See more: It'S Daddy And Babygirl Stories, Verify Your Identity

Reflection Question

Wireshark does not display screen the preamble ar of a frame header. What does the preamble contain?

The preamble field has seven octets of alternative 1010 sequences, and also one octet that signals the start of the frame, 10101011.