Question: Capturing ARP and ICMP Packets
Time Required: 10 minutes
Objective: Use Wireshark to capture packets created by the tracert program.
Required Tools and Equipment: Net-XX with Wireshark installed
Description: In this project, you use Wireshark to capture ARP and ICMP packets generated by the tracert program.
1. If necessary, log on to your computer as NetAdmin. Right-click Start and click Command Prompt (Admin). In the UAC message box, click Yes.
2. Type arp -d and press Enter to clear your ARP cache.
3. Start Wireshark and click Capture Options. In the Capture Filter text box, type arp or icmp, and then click Start.
4. At the command prompt, type tracert books.tomsho.com and press Enter. When tracert is finished, click the Stop the running live capture toolbar icon in Wireshark to stop the capture. Scroll to the first packet summary line, if necessary.
5. Find the ARP packets your computer has generated by looking in the Info column for "Who has A.B.C.D, Tell 192.168.100.XX" (replacing A.B.C.D with the address of your default gateway and XX with your student number). Click this packet summary line.
6. Notice that the Dst (for destination) address is ff:ff:ff:ff:ff:ff, indicating a broadcast. In the middle pane, click to expand the Ethernet II line. Notice that the Type field is ARP (0x806), which tells the Network access layer which Internetwork-layer protocol should receive the packet. Click again to collapse this line.
7. Click to expand the Address Resolution Protocol (request) line. Examine the information in the ARP header. The ARP message has fields to indicate what technology is used in the Network access layer (Ethernet) and the protocol type that needs the MAC address (IP, in this case). Click again to collapse this line.
8. Next, in the top pane, click the ARP reply message immediately following the ARP request. The Info column should be similar to "A.B.C.D is at 0A:1B:2C:3D:4E:5F." The MAC address in the ARP reply is the MAC address of your default gateway. Explore the Network access and Internetwork headers for this frame. (You might also find an ARP request and ARP reply for your DNS server if it's in the same network as your computer.)
9. In the top pane, click the first ICMP Echo (ping) request message from your computer to the destination computer at books.tomsho.com. The IP address should be 67.210.126.125, but IP addresses can change, so it might be different.
10. In the middle pane, click to expand the Internet Protocol line. Notice that the value in the "Time to live" line is 1.
11. In the top pane, click the ICMP Time-to-live exceeded message that follows the ping request. This message was generated by the first router en route to books.tomsho.com. Notice that the source address is the address of your default gateway.
12. Find the next ICMP Echo (ping) request message and view the TTL value. Tracert sends three Echo (ping) request messages for each TTL value, so the first three messages have a TTL value of 1. Find the fourth ICMP Echo (ping) request message and view the TTL value, which should be 2. The "Time-to-live exceeded" message following it is from the next router down the line. Tracert follows this pattern until reaching the destination device (books.tomsho.com).
13. Exit Wireshark, but leave the command prompt window open if you're continuing to the next project.
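The fields you read in Wireshark's middle pane in steps 6 through 12 (the broadcast destination, the Ethernet Type of 0x0806, the ARP hardware and protocol types and opcode, the IP Time to live of 1, and the Time-to-live exceeded replies that mark each router) can be decoded from the raw frame bytes with a few struct calls. The following Python is an added example, not part of the lab or of any Wireshark or tracert code. It constructs a small capture of its own (the host 192.168.100.10, gateway 192.168.100.1 and second-hop router 10.0.0.1 are made-up sample addresses; 67.210.126.125 is the destination the lab gives), decodes each frame into the same Info strings Wireshark shows, and pairs each TTL with the router that answered, which is the pattern step 12 describes. The body of the Time-to-live exceeded message is simplified to the fields the lab reads; a real one quotes the header of the expired datagram.

```python
"""Decode Ethernet/ARP and Ethernet/IPv4/ICMP frames as the lab reads them in Wireshark.
Added example with constructed sample addresses; not code from the lab or Wireshark."""
import struct
import ipaddress

BROADCAST = b"\xff" * 6
ETH_ARP, ETH_IP = 0x0806, 0x0800          # Ethernet II Type values
ICMP_ECHO_REQUEST, ICMP_TTL_EXCEEDED = 8, 11

# Constructed sample addresses (assumptions, not values from the lab):
HOST_MAC, GW_MAC = "00:11:22:33:44:55", "0a:1b:2c:3d:4e:5f"
HOST_IP, GW_IP, HOP2_IP = "192.168.100.10", "192.168.100.1", "10.0.0.1"
DEST_IP = "67.210.126.125"                # books.tomsho.com address given in the lab


def mac(s):
    """'0a:1b:2c:3d:4e:5f' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                    # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_arp(oper, src_mac, src_ip, dst_mac, dst_ip):
    """ARP request (oper=1, broadcast Ethernet dst) or reply (oper=2, unicast)."""
    eth_dst = BROADCAST if oper == 1 else mac(dst_mac)
    eth = eth_dst + mac(src_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IP, 6, 4, oper)   # hw=Ethernet, proto=IPv4
    arp += mac(src_mac) + ipaddress.IPv4Address(src_ip).packed
    arp += mac(dst_mac) + ipaddress.IPv4Address(dst_ip).packed
    return eth + arp


def build_icmp(src_mac, dst_mac, src_ip, dst_ip, ttl, icmp_type, seq=1):
    """Ethernet/IPv4/ICMP frame with the given TTL. The TTL-exceeded body is
    simplified to type/code/checksum plus filler (a real one quotes the expired datagram)."""
    payload = b"abcdefghijklmnopqrstuvwabcdefghi"        # 32-byte Windows ping payload
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, ttl, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_IP) + ip + icmp


def decode(frame):
    """Return the fields the lab has you read in Wireshark's middle pane."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst": fmt_mac(dst), "src": fmt_mac(src), "type": etype,
           "broadcast": dst == BROADCAST}
    body = frame[14:]
    if etype == ETH_ARP:
        htype, ptype, _hlen, _plen, oper = struct.unpack("!HHBBH", body[:8])
        sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", body[8:28])
        spa, tpa = str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))
        out.update(hw_type=htype, proto_type=ptype, opcode=oper)
        out["info"] = (f"Who has {tpa}? Tell {spa}" if oper == 1
                       else f"{spa} is at {fmt_mac(sha)}")
    elif etype == ETH_IP:
        ihl = (body[0] & 0x0F) * 4               # header length in bytes
        out.update(ttl=body[8], ip_src=str(ipaddress.IPv4Address(body[12:16])),
                   ip_dst=str(ipaddress.IPv4Address(body[16:20])))
        if body[9] == 1:                         # protocol 1 = ICMP
            out["icmp_type"] = body[ihl]
            out["info"] = {8: "Echo (ping) request", 0: "Echo (ping) reply",
                           11: "Time-to-live exceeded"}.get(body[ihl], f"ICMP type {body[ihl]}")
    return out


def hops_from_trace(frames):
    """Map each probe TTL to the router whose Time-to-live exceeded message followed it."""
    hops, last_ttl = {}, None
    for d in map(decode, frames):
        if d.get("icmp_type") == ICMP_ECHO_REQUEST:
            last_ttl = d["ttl"]
        elif d.get("icmp_type") == ICMP_TTL_EXCEEDED and last_ttl is not None:
            hops.setdefault(last_ttl, d["ip_src"])
    return hops


def sample_capture():
    """Constructed capture: ARP exchange with the gateway, then three probes per TTL for two hops."""
    frames = [build_arp(1, HOST_MAC, HOST_IP, "00:00:00:00:00:00", GW_IP),
              build_arp(2, GW_MAC, GW_IP, HOST_MAC, HOST_IP)]
    for ttl, router in ((1, GW_IP), (2, HOP2_IP)):
        for seq in range(3):
            frames.append(build_icmp(HOST_MAC, GW_MAC, HOST_IP, DEST_IP, ttl, ICMP_ECHO_REQUEST, seq))
            # the expired-TTL reply always arrives via the gateway's MAC, whichever router sent it
            frames.append(build_icmp(GW_MAC, HOST_MAC, router, HOST_IP, 64, ICMP_TTL_EXCEEDED, seq))
    return frames


if __name__ == "__main__":
    for f in sample_capture():
        print(decode(f))
    print(hops_from_trace(sample_capture()))
```

Running the module prints one decoded dictionary per frame and then the hop table, which for the constructed capture is TTL 1 answered by 192.168.100.1 and TTL 2 by 10.0.0.1, the same correspondence you observe between the Echo requests and the Time-to-live exceeded messages in step 12.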