internet Protocol Analysis/Collection

Learning Guide edit

This learning guide supports the Wikiversity course Internet Protocol Analysis, available at http://en.wikiversity.org/wiki/Internet_Protocol_Analysis.

Internet protocol analysis is an advanced computer networking topic that uses a packet analyzer to capture, view, and understand Internet protocols. This course comprises 15 lessons that use Wireshark to study and experiment with Internet protocols. Each lesson includes Wikipedia readings, YouTube videos, and hands-on learning activities.

This is a third-semester, college-level course. Learners should already be familiar with introductory computer concepts and/or introductory computer networking concepts.

1. Introduction
2. Packet Analyzers
3. Link Layer
4. Address Resolution Protocol (ARP)
5. Internet Layer / IPv4
6. Subnetting
7. IPv6
8. Internet Control Message Protocol (ICMP)
9. Multicast
10. Transport Layer
11. Address Assignment
12. Name Resolution
13. Application Layer
14. Routing
15. Network Monitoring

• Carrell, Jeffrey L., Chappell, Laura & Tittel, Ed (2013). Guide to TCP/IP, Fourth Edition. Cengage. ISBN 9781133019862
• Chappell, Laura A. & Tittel, Ed (2007). Guide to TCP/IP, Third Edition. Course Technology. ISBN 9781418837556
• Davies, Joseph (2012). Understanding IPv6, 3rd Edition. Microsoft Press. ISBN 9780735659148
• Fall, Kevin R. & Stevens, W. Richard (2012). TCP/IP Illustrated, Volume 1: The Protocols, Second Edition. Pearson. ISBN 9780321336316

This lesson introduces Internet protocol analysis by looking at background information on the Internet protocol suite, the Request for Comments process and Internet standards, and comparing the Internet protocol suite to the Open Systems Interconnection (OSI) model.

1. Wikipedia: Internet protocol suite
2. Wikipedia: Request for Comments
3. Wikipedia: Internet Standard
4. Wikipedia: OSI model

1. YouTube: Network Layers - OSI, TCP/IP Models - Part 1
2. YouTube: Network Layers - OSI, TCP/IP Models - Part 2
3. YouTube: Network Layers - OSI, TCP/IP Models - Part 3

1. Draw your own personal reference chart comparing the Internet protocol suite four-layer model to the OSI seven-layer model.
2. Review Internet standards regarding private networks and see if your computer is on a private network.
3. Review Wikipedia: April Fools' Day Request for Comments for a humorous look at networking standards.
4. Consider why the OSI seven layer model is sometimes referred to as a theoretical model while the Internet protocol suite might be referred to as an operational model.

• The Internet protocol suite is the set of communications protocols used for the Internet and similar networks. It is a four-layer model containing Link, Internet, Transport, and Application layers.^[1]
• The Internet protocol suite is maintained by the Internet Engineering Task Force (IETF).^[2]
• The Link layer contains communication technologies for a local network.^[3]
• The Internet layer connects local networks, thus establishing internetworking.^[4]
• The Transport layer handles host-to-host communication.^[5]
• The Application layer contains all protocols for specific data communications services on a process-to-process level.^[6]
• A Request for Comments (RFC) is a memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems.^[7]
• Requests for Comments are designated with a status of Informational, Experimental, Best Current Practice (BCP), Standards Track, or Historic. Standards-track documents are further divided into Proposed Standard, Draft Standard, and Internet Standard.^[8]
• Internet Standard is a special Request for Comments (RFC) or set of RFCs which is characterized by a high degree of technical maturity and by a generally held belief that the specified protocol or service provides significant benefit to the Internet community.^[9]
• Best Current Practice is a Request for Comments (RFC) that may include official rules, but which does not affect over the wire data and is not on the standards track.^[10]
• The Internet protocol suite protocols are deliberately not as rigidly designed into strict layers as in the OSI model.^[11]
• The Internet Link layer includes the OSI Data Link and Physical layers, as well as parts of OSI's Network layer.^[12]
• The Internet internetworking layer (Internet layer) is a subset of the OSI Network layer.^[13]
• The Internet Transport layer includes the graceful close function of the OSI Session layer as well as the OSI Transport layer.^[14]
• The Internet Application layer includes the OSI Application layer, Presentation layer, and most of the Session layer.^[15]

Advanced Research Projects Agency Network (ARPANET)

The world's first operational packet switching network and the progenitor of what was to become the global Internet.^[16]

Best Current Practice

Mandatory IETF RFCs, including official rules, but which do not affect over the wire data and are not on the standards track.^[17]

best effort delivery

A network service in which the network does not provide any guarantees that data is delivered or that a user is given a guaranteed quality of service level or a certain priority.^[18]

checksum

A fixed-size datum computed from an arbitrary block of digital data for the purpose of detecting accidental errors that may have been introduced during its transmission or storage.^[19]

communications protocol

A system of digital message formats and rules for exchanging those messages in or between computing systems and in telecommunications.^[20]

Defense Advanced Research Projects Agency (DARPA)

An agency of the United States Department of Defense responsible for the development of new technologies for use by the military.^[21]

encapsulation

A method of designing modular communication protocols in which logically separate functions in the network are abstracted from their underlying structures by inclusion or information hiding within higher level objects.^[22]

Ethernet

A family of Link layer computer networking technologies for local area networks (LANs).^[23]

Internet Architecture Board (IAB)

The committee charged with oversight of the technical and engineering development of the Internet by the Internet Society (ISOC).^[24]

Internet Drafts

A series of working documents published by the IETF.^[25]

Internet Engineering Task Force (IETF)

Develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standards bodies and dealing in particular with standards of the Internet protocol suite (TCP/IP).^[26]

Internet Protocol (IP)

The principal communications protocol used for relaying datagrams (also known as network packets) across an internetwork using the Internet Protocol Suite responsible for routing packets across network boundaries.^[27]

Internet Society (ISOC)

An international, non-profit organization founded in 1992 to provide leadership in Internet related standards, education, and policy.^[28]

Internet Standard

A normative specification of a technology or methodology applicable to the Internet.^[29]

internetworking

The practice of connecting a computer network with other networks through the use of gateways that provide a common method of routing information packets between the networks.^[30]

medium

A material substance (solid, liquid, gas, or plasma) that can propagate energy waves.^[31]

Open Systems Interconnection (OSI) model

A product of the Open Systems Interconnection effort at the International Organization for Standardization for characterizing and standardizing the functions of a communications system in terms of abstraction layers.^[32]

packet

A formatted unit of data carried by a computer network.^[33]

packet header

Data placed at the beginning of a block of data being stored or transmitted.^[34]

protocol stack

An implementation of a computer networking protocol suite.^[35]

Request For Comments (RFC)

A memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems.^[36]

router

A device that forwards data packets between computer networks.^[37]

Transmission Control Protocol (TCP)

A Transport layer protocol that provides reliable, ordered delivery of a stream of octets from a program on one computer to another program on another computer.^[38]

1. The Internet protocol suite is a _____ layer model.

   The Internet protocol suite is a four-layer model.
2. The layers of the Internet protocol suite are _____.

   The layers of the Internet protocol suite are Link, Internet, Transport, and Application.
3. The Internet protocol suite is maintained by _____.

   The Internet protocol suite is maintained by the Internet Engineering Task Force (IETF).
4. The Internet protocol suite layer that contains communication technologies for a local network is the _____ layer.

   The Internet protocol suite layer that contains communication technologies for a local network is the Link layer.
5. The Internet protocol suite layer that connects local networks to establish internetworking is the _____ layer.

   The Internet protocol suite layer that connects local networks to establish internetworking is the Internet layer.
6. The Internet protocol suite layer that handles host-to-host communication is the _____ layer.

   The Internet protocol suite layer that handles host-to-host communication is the transport layer.
7. The Internet protocol suite layer that contains all protocols for specific data communications services on a process-to-process level is the _____ layer.

   The Internet protocol suite layer that contains all protocols for specific data communications services on a process-to-process level is the Application layer.
8. A memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems is known as a _____.

   A memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems is known as a Request for Comments (RFC).
9. A Request for Comments (RFC) which is characterized by a high degree of technical maturity and by a generally held belief that the specified protocol or service provides significant benefit to the Internet community is known as a/an _____.

   A Request for Comments (RFC) which is characterized by a high degree of technical maturity and by a generally held belief that the specified protocol or service provides significant benefit to the Internet community is known as an Internet Standard.
10. A Request for Comments (RFC) that may include official rules, but which does not affect over the wire data and is not on the standards track is known as a/an _____.

    A Request for Comments (RFC) that may include official rules, but which does not affect over the wire data and is not on the standards track is known as a Best Current Practice.
11. The Internet protocol suite protocols are _____ (more/less) rigidly designed into strict layers when compared to the OSI model.

    The Internet protocol suite protocols are less rigidly designed into strict layers when compared to the OSI model.
12. The Internet protocol suite layer that includes the OSI Data Link and Physical layers, as well as parts of OSI's Network layer is the _____ layer.

    The Internet protocol suite layer that includes the OSI Data Link and Physical layers, as well as parts of OSI's Network layer is the Link layer.
13. The Internet protocol suite layer that is a subset of the OSI Network layer is the _____ layer.

    The Internet protocol suite layer that is a subset of the OSI Network layer is the Internet layer.
14. The Internet protocol suite layer that includes the graceful close function of the OSI Session layer as well as the OSI Transport layer is the _____ layer.

    The Internet protocol suite layer that includes the graceful close function of the OSI Session layer as well as the OSI Transport layer is the Transport layer.
15. The Internet protocol suite layer that includes the OSI Application layer, Presentation layer, and most of the Session layer is the _____ layer.

    The Internet protocol suite layer that includes the OSI Application layer, Presentation layer, and most of the Session layer is the Application layer.

• Lesson Flashcards
• Terms Flashcards
• Quiz

• Computer Networks - TCP/IP Model
• Cisco: The TCP/IP Stack

ipconfig with no options displays the IP address, subnet mask and default gateway for each adapter bound to TCP/IP. This activity will show you how to use the default ipconfig command.

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.

To display the IP address, subnet mask and default gateway for each adapter bound to TCP/IP:

1. Open a command prompt.
2. Type ipconfig (to see all options type ipconfig /all).
3. Press Enter.
4. Observe available adapters and their IP settings.
5. Close the command prompt to complete this activity.

• Wikipedia: ipconfig
• Wikipedia: Internet Protocol

• Microsoft TechNet: Ipconfig

Private networks are networks that use a private Internet Protocol (IP) address space, following the standards described in Request for Comments (RFC) 1918 and 4193. These activities will review private networks, the relevant RFCs, and then show you how to identify whether or not your network is using the private IP address space.

1. Read Wikipedia: Private network.
2. Review RFC 1918 and RFC 4193 and compare the detailed specifications to the Wikipedia summary.
3. Use Ipconfig to view your IP address.
4. If you have an IPv4 address, review the private IPv4 address spaces and see if your IP address is within one of the private address ranges.
5. If you have an IPv6 address, review the private IPv6 address spaces and see if your IP address is a unique local address (fc00::/7), site local address (fec0::/10), link local address (fe80::/10), or public address.

• Wikipedia: Private network
• RFC 1918
• RFC 4193
• Microsoft TechNet: Ipconfig

This lesson concludes the introduction to Internet protocol analysis by looking at packet analyzers in general and the open source packet analyzer Wireshark in particular. Activities include installing Wireshark and using it to capture network traffic.

1. Wikipedia: Packet analyzer
2. Wikipedia: Promiscuous mode
3. Wikipedia: Port mirroring
4. Wikipedia: Wireshark
5. Wikipedia: pcap

1. YouTube: Getting Started with Wireshark
2. YouTube: Intro to using Wireshark - CCNA Network Fundamentals
3. YouTube: Port Mirroring - CompTIA Network+ N10-005: 1.4
4. YouTube: Using Wireshark and Cisco Port Mirroring

1. Install Wireshark.
2. Review Wireshark: User's Guide.
3. Use Wireshark to capture network traffic.
4. Use Wireshark to filter displayed traffic.
5. Use Wireshark to filter captured traffic.
6. Consider situations in which a packet analyzer might be used to troubleshoot network traffic.

• A packet analyzer is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network.^[1]
• Packet analyzers can be software or hardware-based.^[2]
• Network interface controllers (NICs) normally drop frames that are not broadcast or multicast, and do not have the NIC as the destination MAC address.^[3]
• Promiscuous mode is a network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.^[4]
• Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on firewall settings.^[5]
• Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.^[6]
• Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.^[7]
• Wireshark was originally named Ethereal, but was renamed in May 2006 due to trademark issues.^[8]
• Tcpdump is a command line-based packet analyzer available on most Unix-like operating systems.^[9]
• As a security precaution, it is best to separate packet capture activities from packet analysis activities. Packet capture activities must be run with special privileges, but packet analysis does not require special privileges.^[10]
• Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as libpcap (Unix/Linux) or WinPcap (Windows).^[11]

broadcast

Transmit a message to all recipients simultaneously.^[12]

broadcast domain

A logical division of a computer network in which all nodes can reach each other by broadcast at the data link layer.^[13]

collision domain

A section of a network where data packets can collide with one another when being sent on a shared medium or through repeaters, in particular, when using early versions of Ethernet.^[14]

data stream

A sequence of digitally encoded coherent signals (data packets) used to transmit or receive information.^[15]

encryption

The process of encoding messages (or information) in such a way that eavesdroppers cannot read it, but that authorized parties can.^[16]

Ethereal

The original name of the Wireshark packet analyzer, renamed due to trademark issues.^[17]

hub

A multiport repeater that links devices and works at the physical layer of the OSI model.^[18]

Intrusion Detection System (IDS)

A device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.^[19]

libpcap

A packet capture library used on Unix-like systems.^[20]

multicast

Transmit a message to a group of destination computers simultaneously with a single transmission from the source.^[21]

Network Interface Controller (NIC)

A computer hardware component that connects a computer to a computer network.^[22]

packet analyzer

A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network.^[23]

port mirroring

Used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.^[24]

promiscuous mode

A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.^[25]

reverse engineering

The process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.^[26]

router

A device that forwards data packets between computer networks and works at the network layer of the OSI model.^[27]

sniffer

Another term for packet analyzer.^[28]

switch

A multiport bridge that links network segments or devices and works at the data link layer of the OSI model.^[29]

tcpdump

A command line-based packet analyzer available on most Unix-like operating systems.^[30]

tshark^[31]

Tool to Dump and analyze network traffic from Wireshark

unicast

Transmit a message to a single destination identified by a unique address.^[32]

Virtual LAN (VLAN)

A concept of partitioning a physical network so that distinct broadcast domains are created.^[33]

WinPcap

A packet capture library used on Windows systems.^[34]

Wireshark

A free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education.^[35]

Click on a question to see the answer.

1. A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network is known as a _____.

   A computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network is known as a packet analyzer.
2. Packet analyzers can be _____ (hardware/software/both) based.

   Packet analyzers can be software or hardware-based.
3. Network interface cards (NICs) normally drop frames that are not _____ or _____, and do not have the NIC as the _____ MAC address..

   Network interface cards (NICs) normally drop frames that are not broadcast or multicast, and do not have the NIC as the destination MAC address.
4. A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive is known as _____ mode.

   A network interface controller (NIC) mode that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive is known as promiscuous mode.
5. Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on _____ settings.

   Network interface controllers (NICs) operating in promiscuous mode may or may not be detectable, depending on firewall settings.
6. The ability for a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port is known as _____.

   The ability for a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port is known as port mirroring.
7. An example of a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education is _____.

   An example of a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education is Wireshark.
8. Wireshark was originally named _____, but was renamed in May 2006 due to trademark issues.

   Wireshark was originally named Ethereal, but was renamed in May 2006 due to trademark issues.
9. A command line-based packet analyzer available on most Unix-like operating systems is _____.

   A command line-based packet analyzer available on most Unix-like operating systems is tcpdump.
10. Packet _____ activities must be run with special privileges, but packet _____ activities do not require special privileges.

    Packet capture activities must be run with special privileges, but packet analysis activities do not require special privileges.
11. Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as _____ or _____.

    Packet analyzers such as Wireshark and tcpdump depend on a packet capture library known as libpcap or WinPcap.

• Lesson Flashcards
• Terms Flashcards
• Quiz

• tcpdump

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to download and install Wireshark.

• Wikipedia: Wireshark
• Wikipedia: X86
• Wikipedia: 32-bit application
• Wikipedia: 64-bit computing

To prepare for this activity:

1. Turn on your PC by pressing the power button (Windows will start automatically).
2. Log in if necessary.

To determine system type:

1. Use msinfo32 (press Windows key, type "run", then type "Msinfo32") to display the system type. The system type will either be X86-based PC or X64-based PC. X86-based PC is a 32-bit system. X64-based PC is a 64-bit system.
2. Close msinfo32.

To download Wireshark:

1. Open a web browser.
2. Navigate to http://www.wireshark.org.
3. Select Download Wireshark.
4. Select the Wireshark Windows Installer matching your system type, either 32-bit or 64-bit as determined in Activity 1. Save the program in the Downloads folder.
5. Close the web browser.

To install Wireshark:

1. Open Windows Explorer.
2. Select the Downloads folder.
3. Locate the version of Wireshark you downloaded in Activity 2. Double-click on the file to open it.
4. If you see a User Account Control dialog box, select Yes to allow the program to make changes to this computer.
5. Select Next > to start the Setup Wizard.
6. Review the license agreement. If you agree, select I Agree to continue.
7. Select Next > to accept the default components.
8. Select the shortcuts you would like to have created. Leave the file extensions selected. Select Next > to continue.
9. Select Next > to accept the default install location.
10. Select Install to begin installation.
11. Select Next > to install WinPcap.
12. Select Next > to start the Setup Wizard.
13. Review the license agreement. If you agree, select I Agree to continue.
14. Select Install to begin installation.
15. Select Finish to complete the installation of WinPcap.
16. Select Next > to continue with the installation of Wireshark.
17. Select Finish to complete the installation of Wireshark.

Note: If you encounter compatibility errors, such as with installing WinPcap on Windows 8, try using Compatibility Mode.

• Wireshark User's Guide: Building and Installing Wireshark
• Wireshark Developer's Guide: Quick Setup for Developers

• Wireshark

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture network traffic.

1. Wireshark: User's Guide

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture network traffic:

1. Start a Wireshark capture.
2. Open a web browser and navigate to a favorite web site.
3. Stop the Wireshark capture.
4. Observe the traffic captured in the top Wireshark packet list pane.
5. Select a packet you want to analyze.
6. Observe the packet details in the middle Wireshark packet details pane.
7. Expand various protocol containers to view detailed protocol information.
8. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and filter network traffic using a display filter.

1. Wireshark: Display Filters

1. YouTube: Wireshark 101: Display Filters and Filter Options, HakTip 122

To prepare for this activity:

1. Start your system Linux or Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture network traffic:

1. Start a Wireshark capture.
2. Use ping 8.8.8.8 to ping an Internet host by IP address.
3. Stop the Wireshark capture.

To use a display filter:

1. Type ip.addr == 8.8.8.8 in the Filter box and press Enter.
2. Observe that the Packet List Pane is now filtered so that only traffic to (destination) or from (source) IP address 8.8.8.8 is displayed.
3. Click Clear on the Filter toolbar to clear the display filter.
4. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark Wiki
• Admin Magazine: Wireshark

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and filter network traffic using a capture filter.

1. Wireshark: Capture Filters

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture network traffic using a capture filter:

1. Select either the Capture menu and then the Interfaces dialog box or the List the available capture interfaces toolbar button.
2. Select Options.
3. Double-click on the interface you want to use for the capture.
4. In the Capture Filter box type host 8.8.8.8.
5. Select OK to save the changes.
6. Select Start to start a Wireshark capture.
7. Use ping 8.8.8.8 to ping an Internet host by IP address.
8. Use ping 8.8.4.4 to ping an Internet host by IP address.
9. Observe that only traffic to (destination) or from (source) IP address 8.8.8.8 is captured.
10. Stop the Wireshark capture.
11. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Admin Magazine: Wireshark

This lesson introduces the Link layer and looks at a variety of link layer frame types. Activities include identifying MAC addresses and using Wireshark to examine Ethernet network traffic.

1. Wikipedia: Link layer
2. Wikipedia: MAC address
3. Wikipedia: Organizationally Unique Identifier
4. Wikipedia: Ethernet frame
5. Wikipedia: EtherType
6. Wikipedia: Token Ring Frame Format
7. Wikipedia: Point-to-Point Protocol (PPP) Frame
8. Wikipedia: IEEE 802.11 Frames

1. YouTube: MAC Address Formats - CompTIA Network+ N10-005: 1.3
2. YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat

1. Display MAC Addresses Using Getmac.
2. Display MAC Addresses Using Ipconfig.
3. Search for a MAC Address OUI.
4. Compare Ethernet and Token Ring frame formats. Which fields are included in both formats? Which fields are unique to one format or the other?
5. Compare Ethernet and Point-to-Point Protocol frame formats. Which fields are included in both formats? Which fields are unique to one format or the other?
6. Review Wireshark: Ethernet.
7. Use Wireshark to capture and analyze Ethernet traffic.
8. Review Wireshark: WLAN Capture Setup.
9. If your wireless network adapter supports it, use Wireshark to capture and analyze 802.11 traffic. Are you able to capture actual 802.11 traffic, or is it translated to Ethernet traffic before it can be captured and displayed?
10. Link layer protocols have changed significantly since the introduction of the Internet protocol suite, while the core TCP/IP protocols have changed very little. Consider possible explanations for the many changes and performance improvements in link layer protocols over time.
11. Consider situations in which a packet analyzer might be used to troubleshoot link layer traffic.

• The Link layer is the lowest layer in the Internet Protocol Suite. It implements the communication protocol necessary for a host to link to its directly-connected network.^[1]
• TCP/IP's layers are descriptions of operating scopes (application, host-to-host, network, link) and not detailed prescriptions of operating procedures, data semantics, or networking technologies.^[2]
• Layering in TCP/IP is not a principal design criterion and in general is considered to be harmful.^[3]
• The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is six groups of two hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order.^[4]
• The IEEE expects the MAC-48 space to be exhausted no sooner than the year 2100.^[5]
• If the least significant bit of the most significant octet of an address is set to 0 (zero), the frame is meant to reach only one receiving NIC.^[6]
• If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once; however, NICs will choose to accept it based on different criteria than a matching MAC address: for example, based on a configurable list of multicast MAC addresses.^[7]
• Packets sent to the broadcast address, all one bits or hexadecimal FF:FF:FF:FF:FF:FF, are received by all stations on a local area network.^[8]
• Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive packets sent to that address.^[9]
• Although intended to be a permanent and globally unique identification, it is possible to change the MAC address on most modern hardware.^[10]
• An Organizationally Unique Identifier (OUI) is a 24-bit number purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or manufacturer of a network adapter.^[11]
• An Ethernet frame includes destination and source MAC addresses, Ethertype, data, and a frame check sequence.^[12]
• Ethertype is a two-octet field used to indicate which protocol is encapsulated in the payload of an Ethernet Frame.^[13]
• A Token Ring frame includes access control, frame control, destination and source MAC addresses, data, and a frame check sequence.^[14]
• A Point-to-Point Protocol (PPP) frame includes protocol and data information.^[15]
• An IEEE 802.11 frame includes frame control, destination and source MAC addresses, data, and a frame check sequence.^[16]

802.3

A set of IEEE standards for implementing wired Ethernet.^[17]

802.5

A set of IEEE standards for implementing Token Ring.^[18]

802.11

A set of IEEE standards for implementing wireless local area network (WLAN) communication.^[19]

Carrier Sense Multiple Access with Collision Detection (CSMA/CD)

A Media Access Control (MAC) method in which a carrier sensing scheme is used, and a transmitting data station that detects another signal while transmitting a frame stops transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying to resend the frame.^[20]

data transmission

The physical transfer of data (a digital bit stream) over a point-to-point or point-to-multipoint communication channel.^[21]

Ethernet

A family of computer networking technologies for local area networks (LANs) that was commercially introduced in 1980 and standardized in 1985 as IEEE 802.3.^[22]

Institute of Electrical and Electronics Engineers (IEEE)

A professional association headquartered in New York City that is dedicated to advancing technological innovation and excellence.^[23]

Local Area Network (LAN)

A computer network that interconnects computers in a limited area such as a home, school, computer laboratory, or office building using network media.^[24]

MAC spoofing

A technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device.^[25]

network segment

A portion of a computer network, sometimes used as a synonym for collision domain.^[26]

node

A connection point, either a redistribution point or a communication endpoint.^[27]

Organizationally Unique Identifier (OUI)

A 24-bit number purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or manufacturer of a network adapter.^[28]

Point-to-Point Protocol (PPP)

A data link protocol commonly used in establishing a direct connection between two networking nodes in a Wide Area Network (WAN) environment.^[29]

Token Ring

A data link protocol that uses a ring topology and was standardized as IEEE 802.5.^[30]

unique identifier (UID)

Any identifier which is guaranteed to be unique among all identifiers used for a given set of objects and for a specific purpose.^[31]

Wide Area Network (WAN)

A network that covers a broad area (i.e., any telecommunications network that links across metropolitan, regional, or national boundaries) using private or public network transports.^[32]

Click on a question to see the answer.

1. The Link layer is the _____ layer in the Internet Protocol Suite. It implements the communication protocol necessary for a host to link to _____.

   The Link layer is the lowest layer in the Internet Protocol Suite. It implements the communication protocol necessary for a host to link to its directly-connected network.
2. TCP/IP's layers are descriptions of operating scopes (application, host-to-host, network, link) and _____ detailed prescriptions of operating procedures, data semantics, or networking technologies.

   TCP/IP's layers are descriptions of operating scopes (application, host-to-host, network, link) and not detailed prescriptions of operating procedures, data semantics, or networking technologies.
3. Layering in TCP/IP is not a principal design criterion and in general is considered to be _____.

   Layering in TCP/IP is not a principal design criterion and in general is considered to be harmful.
4. The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is _____ groups of two hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order.

   The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is six groups of two hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order.
5. The IEEE expects the MAC-48 space to be exhausted no sooner than the year _____.

   The IEEE expects the MAC-48 space to be exhausted no sooner than the year 2100.
6. If the least significant bit of the most significant octet of an address is set to 0 (zero), the frame is meant to reach _____.

   If the least significant bit of the most significant octet of an address is set to 0 (zero), the frame is meant to reach only one receiving NIC.
7. If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once; however, NICs will choose to accept it based on different criteria than a matching MAC address: for example, based on _____.

   If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once; however, NICs will choose to accept it based on different criteria than a matching MAC address: for example, based on a configurable list of multicast MAC addresses.
8. Packets sent to the broadcast address, _____, are received by all stations on a local area network.

   Packets sent to the broadcast address, all one bits or hexadecimal FF:FF:FF:FF:FF:FF, are received by all stations on a local area network.
9. Packets sent to a multicast address are received by all stations on a LAN that _____.

   Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive packets sent to that address.
10. Although intended to be a permanent and globally unique identification, it is possible to _____ the MAC address on most modern hardware.

    Although intended to be a permanent and globally unique identification, it is possible to change the MAC address on most modern hardware.
11. An Organizationally Unique Identifier (OUI) is a 24-bit number purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies _____.

    An Organizationally Unique Identifier (OUI) is a 24-bit number purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or manufacturer of a network adapter.
12. An Ethernet frame includes _____.

    An Ethernet frame includes destination and source MAC addresses, Ethertype, data, and a frame check sequence.
13. Ethertype is a two-octet field used to indicate _____.

    Ethertype is a two-octet field used to indicate which protocol is encapsulated in the payload of an Ethernet Frame.
14. A Token Ring frame includes _____.

    A Token Ring frame includes access control, frame control, destination and source MAC addresses, data, and a frame check sequence.
15. A Point-to-Point Protocol (PPP) frame includes _____.

    A Point-to-Point Protocol (PPP) frame includes protocol and data information.
16. An IEEE 802.11 frame includes _____.

    An IEEE 802.11 frame includes frame control, destination and source MAC addresses, data, and a frame check sequence.

• Lesson Flashcards
• Terms Flashcards
• Quiz

• Link Layer

Getmac is a Windows command used to display the Media Access Control (MAC) addresses for each network adapter in the computer. These activities will show you how to use the getmac command to display MAC addresses.

• Wikipedia: Media Access Control (MAC) Address

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.

To display MAC addresses using getmac:

1. Open a command prompt.
2. Type getmac and press Enter.
3. Observe the results. You should see a list of physical addresses and transport names in use on the computer.
4. Close the command prompt to complete this activity.

• Microsoft TechNet: Getmac

ipconfig /all displays all configuration information for each adapter bound to TCP/IP. This activity will show you how to use ipconfig /all.

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.

To display all configuration information for each adapter bound to TCP/IP:

1. Open a command prompt.
2. Type ipconfig /all.
   Note: While the space between ipconfig and /all isn't required, it's a good idea to get into the habit of including a space between a command and any specified options for other commands that do require the space.
3. Press Enter.
4. Observe available adapters and their detailed IP settings.
5. Close the command prompt to complete this activity.

• Wikipedia: ipconfig
• Wikipedia: Internet Protocol

• Microsoft TechNet: Ipconfig

A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. The Organizationally Unique Identifier (OUI) is a 24-bit number that is purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority and uniquely identifies the vendor or manufacturer of the network adapter.

• Wikipedia: Media Access Control (MAC) Address
• Wikipedia: Organizationally Unique Identifier (OUI)

To search for a MAC address OUI:

1. Use getmac or ipconfig to find the MAC address of your network adapter.
2. Using an Internet browser, navigate to the IEEE Standards Association Public OUI Listing and search for the first three octets (first six hexadecimal digits) of the MAC address you found above to identify the manufacturer / registrar of your network adapter.

• Wikipedia: Media Access Control (MAC) Address
• Wikipedia: Organizationally Unique Identifier (OUI)
• IEEE Standards Association Public OUI Listing

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Ethernet traffic.

• Wikipedia: Ethernet
• Wikipedia: Ethernet frame
• Wikipedia: MAC address

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture Ethernet traffic:

1. Start a Wireshark capture.
2. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
3. Use ping <default gateway address> to ping the default gateway address.
4. Stop the Wireshark capture.

To analyze Ethernet traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. All of the traffic you see is likely to be Ethernet traffic. If you want to specifically identify the traffic generated from the ping command above, look for traffic with ICMP listed as the protocol and Echo (ping) request or Echo (ping) reply in the description.
2. Select a packet you want to analyze.
3. Observe the packet details in the middle Wireshark packet details pane.
4. Select Frame. Notice when you select the frame that the entire frame is highlighted in the bottom packet bytes pane.
5. Expand Frame to view frame details.
6. Expand Ethernet II to view Ethernet details. Notice the Destination, Source, and Type fields.
7. Select the Destination field. Notice when you select the Destination field that the first six bytes of the frame are highlighted in the bottom packet bytes pane. This is the destination MAC address for the Ethernet frame.
8. Select the Source field. Notice when you select the Source field that the second six bytes of the frame are highlighted in the bottom packet bytes pane. This is the source MAC address for the Ethernet frame.
9. Select the Type field. Notice when you select the Type field that the 13th and 14th bytes of the frame are highlighted in the bottom packet bytes pane. This is the type of packet encapsulated inside the Ethernet frame.
10. Select additional Ethernet frames in the top packet list pane and observe frame details in these packets.

To confirm MAC addresses in Ethernet traffic:

1. Use ipconfig /all or Getmac to display your computer's Physical Address.
2. Compare your computer's physical address to the Source and Destination fields in the captured traffic. Identify which frames were sent by your computer and which frames were received by your computer.
3. Use arp -a to view the ARP cache.
4. Locate the default gateway IP address used in the ping command above and note the Physical Address of the default gateway.
5. Compare your default gateway's physical address to the Source and Destination fields in the captured traffic. Identify which frames were sent by the default gateway and and which frames were sent to the default gateway.
6. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: Ethernet

This lesson continues the Link layer and looks at the Address Resolution Protocol (ARP). Activities include viewing and modifying the ARP cache and using Wireshark to examine ARP network traffic.

1. Wikipedia: Address Resolution Protocol
2. Wikipedia: Broadcast address

1. YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat
2. YouTube: An Overview of ARP - CompTIA Network+ N10-005: 4.3
3. YouTube: ARP Basics for the Cisco CCNA
4. YouTube: Address Resolution Protocol (ARP) Explained

1. View the ARP Cache.
2. Modify the ARP Cache.
3. Review Wireshark: Address Resolution Protocol (ARP).
4. Use Wireshark to capture and analyze Address Resolution Protocol (ARP) traffic.
5. Consider situations in which a packet analyzer might be used to troubleshoot ARP traffic.

• Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network (Internet) layer addresses into link layer addresses.^[1]
• ARP is the name of the program for manipulating Address Resolution Protocol caches in most operating systems.^[2]
• In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP).^[3]
• ARP is a request and reply protocol that runs encapsulated by the line protocol.^[4]
• ARP is an Internet Protocol Suite Link layer protocol.^[5]
• ARP packets include the sender hardware address, the sender protocol address, the target hardware address, and the target protocol address.^[6] The hardware address is typically the MAC address and the protocol address is typically the IP address.
• The ARP cache is a memory-cached table of IP addresses and corresponding hardware addresses.^[7]
• An ARP probe is an ARP request for one's own IP address, sent just before a network interface begins to use that address. This is done to ensure that the IP address is not already in use on the network.^[8]
• A gratuitous ARP request is similar to an ARP probe in that an ARP request for one's own IP address is sent just before a network interface begins to sue the address. The difference is that an ARP probe involves conflict detection, while a gratuitous ARP request is simply an announcement of intent to use the given address.^[9]
• ARP mediation supports the transparent use of ARP requests across a circuit-based virtual private wire service (circuit-based VPN).^[10]
• Inverse ARP is used to resolve link layer addresses into network (Internet) layer addresses.^[11]
• Reverse ARP is similar to Inverse ARP in that it was used to resolve a link layer address into a network layer address. The difference is that Reverse ARP was used to resolve one's own link layer address rather than another node. Reverse ARP has been replaced by the Bootstrap Protocol (BOOTP) and the Dynamic Host Configuration Protocol (DHCP).^[12]
• Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network.^[13]
• ARP spoofing is a technique whereby an attacker sends fake Address Resolution Protocol (ARP) messages onto a Local Area Network to associate the attacker's MAC address with the IP address of another host.^[14]
• The IPv4 broadcast address is 255.255.255.255.^[15]
• IPv6 does not define broadcast addresses. IPv6 uses multicast addressing.^[16]
• The Ethernet broadcast address is FF:FF:FF:FF:FF:FF.^[17]

Asynchronous Transfer Mode (ATM)

A telecommunications protocol defined by ANSI and ITU standards to carry voice, data, and video using asynchronous time-division multiplexing and small, fixed-sized cells.^[18]

Customer Edge (CE)

The router at the customer premises that is connected to the provider edge of a service provider network.^[19]

denial-of-service attack (DoS attack)

An attempt to make a machine or network resource unavailable to its intended users.^[20]

Fiber Distributed Data Interface (FDDI)

Provides a 100 Mbit/s optical standard for data transmission in a local area network that can extend in range up to 200 kilometers (120 mi).^[21]

Frame Relay

A standardized wide area network technology that specifies the physical and logical link layers of digital telecommunications channels using a packet switching methodology. Originally designed for transport across Integrated Services Digital Network (ISDN) infrastructure, it is less expensive than leased lines.^[22]

man-in-the-middle attack

A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them.^[23]

Provider Edge (PE)

A router between one network service provider's area and areas administered by other network providers.^[24]

telecommunication

The science and practice of transmitting information by electromagnetic means.^[25]

Virtual Private Wire Service (VPWS)

A circuit-based Virtual Private Network (VPN).^[26]

X.25

An ITU-T standard protocol suite for packet switched wide area network (WAN) communication using leased lines, plain old telephone service connections or ISDN connections as physical links.^[27]

Click on a question to see the answer.

1. Address Resolution Protocol (ARP) is a telecommunications protocol used for _____.

   Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network (Internet) layer addresses into link layer addresses.
2. ARP is the name of the program for manipulating Address Resolution Protocol _____ in most operating systems.

   ARP is the name of the program for manipulating Address Resolution Protocol caches in most operating systems.
3. In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by _____.

   In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP).
4. ARP is a request and reply protocol that runs encapsulated by the _____ protocol.

   ARP is a request and reply protocol that runs encapsulated by the line protocol.
5. ARP is an Internet Protocol Suite _____ layer protocol.

   ARP is an Internet Protocol Suite Link layer protocol.
6. ARP packets include _____.

   ARP packets include the sender hardware address, the sender protocol address, the target hardware address, and the target protocol address.
7. The ARP cache is _____.

   The ARP cache is a memory-cached table of IP addresses and corresponding hardware addresses.
8. An ARP probe is _____.

   An ARP probe is an ARP request for one's own IP address, sent just before a network interface begins to use that address.
9. A gratuitous ARP request is _____.

   A gratuitous ARP request is simply an announcement of intent to use the given address.
10. ARP mediation supports the transparent use of ARP requests across _____.

    ARP mediation supports the transparent use of ARP requests across a circuit-based virtual private wire service (circuit-based VPN).
11. Inverse ARP is used to _____.

    Inverse ARP is used to resolve link layer addresses into network (Internet) layer addresses.
12. Reverse ARP is similar to Inverse ARP in that it was used to resolve a link layer address into a network layer address. The difference is that _____.

    Reverse ARP is similar to Inverse ARP in that it was used to resolve a link layer address into a network layer address. The difference is that Reverse ARP was used to resolve one's own link layer address rather than another node.
13. Proxy ARP is a technique by which a device on a given network _____.

    Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network.
14. ARP spoofing is a technique whereby an attacker _____.

    ARP spoofing is a technique whereby an attacker sends fake Address Resolution Protocol (ARP) messages onto a Local Area Network to associate the attacker's MAC address with the IP address of another host.
15. The IPv4 broadcast address is _____.

    The IPv4 broadcast address is 255.255.255.255.
16. IPv6 does not define broadcast addresses. IPv6 uses _____ addressing.

    IPv6 does not define broadcast addresses. IPv6 uses multicast addressing.
17. The Ethernet broadcast address is _____.

    The Ethernet broadcast address is FF:FF:FF:FF:FF:FF.

• Lesson Flashcards
• Terms Flashcards
• Quiz

• Arp

Arp is a Windows command used to view and modify the Address Resolution Protocol (ARP) cache. These activities will show you how to view the ARP cache.

Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.

To view the ARP cache:

1. Type arp -a and press Enter.
2. Observe the ARP cache entries.

In order to observe the effects of Media Access Control (MAC) address resolution, start by clearing the ARP cache:

1. Open an elevated/administrator command prompt.
2. Type arp -d and press Enter.

To view the ARP cache:

1. Type arp -a and press Enter.
2. Observe the ARP cache entries. There should not be any entries in the list. If there are, a background process on your computer has contacted a network host or router since the cache was cleared.

To dynamically add an entry to the ARP cache, ping the default gateway:

1. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
2. Use ping <default gateway address> to ping the default gateway address.
3. Observe the results. You should see replies indicating success.

To view the ARP cache:

1. Type arp -a and press Enter.
2. Observe the ARP cache entries. There should be an entry for the default gateway showing its Internet (IP) address and physical (MAC) address. There may be other entries, depending on what background process on your computer has contacted a network host.
3. Close the command prompt to complete this activity.

• Wikipedia: Address Resolution Protocol (ARP)
• Wikipedia: IP Address
• Wikipedia: Media Access Control (MAC) Address

• Microsoft TechNet: Arp

Arp is a Windows command used to view and modify the Address Resolution Protocol (ARP) cache. These activities will show you how to modify the ARP cache.

Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.

In order to limit the amount of information displayed, start by clearing the ARP cache:

1. Open an elevated/administrator command prompt.
2. Type arp -d and press Enter.

To view the ARP cache:

1. Type arp -a and press Enter.
2. Observe the ARP cache entries. There should not be any entries in the list. If there are, either a network host has contacted your computer, or a background process on your computer has contacted a network host or router since the cache was cleared.

To dynamically add an entry to the ARP cache, ping the default gateway:

1. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
2. Use ping <default gateway address> to ping the default gateway address.
3. Observe the results. You should see replies indicating success.

To view the ARP cache:

1. Type arp -a and press Enter.
2. Observe the ARP cache entries. There should be an entry for the default gateway showing its Internet (IP) address and physical (MAC) address. There may be other entries, depending on what other network hosts have contacted your computer, or what background process on your computer has contacted a network host.

Note: You will lose Internet access with this next step and will restore it again in Activity 8.

Method 1 - Windows XP and Earlier edit

Modify the ARP cache entry for the default gateway by replacing it with an invalid MAC static address:

1. Type arp -s <default gateway address> 00-11-22-33-44-55 and press Enter.

Method 2 - Windows 7 and Later edit

Determine your network adapter interface name and modify the ARP cache entry for the default gateway by replacing it with an invalid MAC static address:

1. Type netsh interface ipv4 show config.
2. Locate the interface with the default gateway listed in Activity 3. The interface name is typically "Local Area Connection" or "Wireless Network Connection".
3. Type netsh interface ipv4 add neighbors "<interface name>" <default gateway address> 00-11-22-33-44-55, where <interface name> is the name of the interface identified and <default gateway address> is the address of the default gateway listed in Activity 3. For example, if the interface name is "Local Area Connection" and the default gateway is 192.168.1.1, you would type netsh interface ipv4 add neighbors "Local Area Connection" 192.168.1.1 00-11-22-33-44-55.

To view the ARP cache:

1. Type arp -a and press Enter.
2. Observe the ARP cache entries. Notice that the default gateway now has the type static and has an invalid MAC address.

To test the ARP cache entry, attempt to ping the default gateway:

1. Use ping <default gateway address> to ping the default gateway address.
2. Observe the results. You should see "Request timed out.", indicating the default gateway cannot be reached.

Method 1 - Windows XP and Earlier edit

To reset the ARP cache:

1. Type arp -d and press Enter.
2. Type arp -a and press Enter to confirm that the static entry has been cleared.

Method 2 - Windows 7 and Later edit

To reset the ARP cache:

1. Type netsh interface ipv4 delete neighbors and press Enter.
2. Type netsh interface ipv4 show neighbors and press Enter to confirm that the static entry has been cleared.

Ping the default gateway to verify network connectivity to the default gateway:

1. Use ping <default gateway address> to ping the default gateway address.
2. Observe the results. You should see replies indicating success.

To view the ARP cache:

1. Type arp -a and press Enter.
2. Observe the ARP cache entries. Notice that the default gateway now has the type dynamic and its valid MAC address.
3. Close the command prompt to complete this activity.

• Wikipedia: Address Resolution Protocol (ARP)
• Wikipedia: IP Address
• Wikipedia: Media Access Control (MAC) Address
• Wikipedia: netsh

• Microsoft TechNet: Arp
• Microsoft TechNet: Netsh

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Address Resolution Protocol (ARP) traffic.

• Wikipedia: Address_Resolution_Protocol (ARP)
• Wikipedia: Media Access Control (MAC) Address
• Wikipedia: Broadcast Address
• Wikipedia: Ethertype

• YouTube: Wireshark 101: Address Resolution Protocol, HakTip 124

To prepare for this activity:

1. Start your computer.
2. Log in if necessary.
3. Install Wireshark.

To capture ARP traffic:

1. Start Wireshark, but do not yet start a capture.
2. Open an elevated/administrator command prompt.
3. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
4. Start a Wireshark capture.
5. Use arp -d to clear the ARP cache.
6. Use ping <default gateway address> to ping the default gateway address.
7. Use arp -a to view the ARP cache and confirm an entry has been added for the default gateway address.
8. Close the command prompt.
9. Stop the Wireshark capture.

To analyze an ARP request:

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ARP listed as the protocol. To view only ARP traffic, type arp (lower case) in the Filter box and press Enter.
2. Select the first ARP packet.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address Resolution Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. Notice that the destination field is the Ethernet broadcast address (FF:FF:FF:FF:FF:FF). All devices on the network will receive the ARP request.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all, getmac, or ifconfig to confirm.
7. Observe the Type field. Notice that the type is 0x0806, indicating ARP.
8. Expand Address Resolution Protocol (request) to view ARP details.
9. Observe the Sender MAC address. Notice that the sender MAC address is your MAC address.
10. Observe the Sender IP address. Notice that the sender IP address is your IP address.
11. Observe the Target MAC address. Notice that the target MAC address is all zeros, because the target MAC address is unknown at this point.
12. Observe the Target IP address. Notice that the target IP address is the IP address of the default gateway.

To analyze an ARP reply:

1. Select the second ARP packet.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address Resolution Protocol frame. Confirm that in the middle packet details pane that the packet is labeled Address Resolution Protocol (reply).
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. Notice that the destination field is your MAC address.
5. Observe the Source field. This should be the MAC address of the default gateway.
6. Observe the Type field. Notice that the type is 0x0806, indicating ARP.
7. Expand Address Resolution Protocol (reply) to view ARP details.
8. Observe the Sender MAC address. Notice that the sender MAC address is the MAC address of the default gateway.
9. Observe the Sender IP address. Notice that the sender IP address is the IP address of the default gateway.
10. Observe the Target MAC address. Notice that the destination MAC address is your MAC address.
11. Observe the Target IP address. Notice that the destination IP address is your IP address.
12. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: Ethernet

• Ethernet
• Wikipedia: arping

This lesson introduces the Internet layer and looks at IPv4. Activities include IPv4 addressing and using Wireshark to examine IPv4 network traffic.

1. Wikipedia: Internet layer
2. Wikipedia: Internet Protocol
3. Wikipedia: IPv4
4. Wikipedia: IP address
5. Wikipedia: Classful network

1. YouTube: An overview of IPv4 and IPv6 - CompTIA Network+ N10-005: 1.3
2. YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat

1. Use a Regional Internet Registry to search the Whois database for IP address information.
2. Review Wireshark: Internet Protocol (IP).
3. Use Wireshark to capture and analyze local IPv4 traffic.
4. Use Wireshark to capture and analyze remote IPv4 traffic.
5. Use Wireshark to capture and analyze fragmented IPv4 traffic.
6. Consider situations in which a packet analyzer might be used to troubleshoot IPv4 traffic.

• The Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol suite that are used to transport datagrams from the originating host across network boundaries, if necessary, to the destination host specified by a network address.^[1]
• The Internet layer is not responsible for reliable transmission. It provides only an unreliable connection-less service, and "best effort" delivery.^[2]
• The core protocols used in the Internet layer are IPv4, IPv6, the Internet Control Message Protocol (ICMP), and the Internet Group Management Protocol (IGMP).^[3]
• The Internet Control Message Protocol (ICMP) is primarily used for error and diagnostic functions.^[4]
• The Internet Group Management Protocol (IGMP) is used by IPv4 hosts and adjacent multicast routers to establish multicast group memberships.^[5]
• Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet in a data stream.^[6]
• Each IP datagram has two components, a header and a data payload. The IP header is tagged with the source IP address, destination IP address, and other meta-data needed to route and deliver the datagram.^[7]
• IPv4 uses 32-bit (four-byte) addresses, most often written in the dotted decimal notation, which consists of four octets of bit values expressed individually in decimal and separated by periods.^[8]
• Private IPv4 network address ranges are reserved for use in private networks and include 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Private networks communicate with public networks through network address translation (NAT).^[9]
• The link-local IPv4 address range, 169.254.0.0/16, is similar to a private network address range but is not routable. These addresses are most often used when a host cannot obtain an IP address from a Dynamic Host Configuration Protocol (DHCP) server.^[10]
• The loopback address range, 127.0.0.0/8 is reserved for loopback, or internal host addressing.^[11]
• The primary address pool of the Internet, maintained by the Internet Assigned Numbers Authority (IANA), was exhausted on 3 February 2011.^[12]
• Valid IPv4 host addresses have a first octet in the range 1-126 (originally Class A), 128-191 (originally Class B), or 192-223 (originally Class C). Multicast addresses have a first octet in the range 224-239 (originally Class D). Addresses with a first octet in the range 240-255 are unused (reserved / experimental).^[13][14]
• Classful networking was replaced by Classless Inter-Domain Routing (CIDR) starting in 1993.^[15] However, the basic addressing concepts developed under classful networking still apply to IPv4. The CIDR changes apply to subnetting and routing, which will be examined in the next lesson.

American Registry for Internet Numbers (ARIN)

The Regional Internet Registry (RIR) for Canada, many Caribbean and North Atlantic islands, and the United States.^[16]

data corruption

Errors in computer data that occur during writing, reading, storage, transmission, or processing, which introduce unintended changes to the original data.^[17]

datagram

A basic transfer unit associated with a packet-switched network in which the delivery, arrival time, and order of arrival are not guaranteed by the network service.^[18]

gateway

A network point that acts as an entrance to another network.^[19]

host

A computer connected to a computer network and assigned a network layer host address.^[20]

Internet Assigned Numbers Authority (IANA)

The entity that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System (DNS), media types, and other Internet Protocol-related symbols and numbers.^[21]

Internet Protocol (IP)

The principal communications protocol responsible for addressing hosts and routing datagrams (packets) from a source host to the destination host across one or more networks.^[22]

IP fragmentation

The Internet Protocol fragmentation and reassembly procedure that can break a datagram into pieces that may later be reassembled based on identification, offset, and length.^[23]

network address translation (NAT)

The process of modifying IP address information in IP packet headers while in transit across a traffic routing device.^[24]

octet

A unit of digital information in computing and telecommunications that consists of eight bits.^[25]

packet switching

A digital networking communications method that groups all transmitted data into variably-sized blocks, called packets, for delivery over a shared network.^[26]

Regional Internet Registry (RIR)

An organization that manages the allocation and registration of Internet number resources within a particular region of the world.^[27]

robustness principle

Be liberal in what you accept, and conservative in what you send.^[28]

scalability

The ability of a system, network, or process, to handle a growing amount of work in a capable manner or its ability to be enlarged to accommodate that growth.^[29]

Click on a question to see the answer.

1. The Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol suite that are used to _____ from the originating _____ across _____, if necessary, to the destination _____ specified by a network address.

   The Internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol suite that are used to transport datagrams from the originating host across network boundaries, if necessary, to the destination host specified by a network address.
2. The Internet layer is not responsible for reliable transmission. It provides only _____.

   The Internet layer is not responsible for reliable transmission. It provides only an unreliable connection-less service, and "best effort" delivery.
3. The core protocols used in the Internet layer are _____.

   The core protocols used in the Internet layer are IPv4, IPv6, the Internet Control Message Protocol (ICMP), and the Internet Group Management Protocol (IGMP).
4. The _____ is primarily used for error and diagnostic functions.

   The Internet Control Message Protocol (ICMP) is primarily used for error and diagnostic functions.
5. The _____ is used by IPv4 hosts and adjacent multicast routers to establish multicast group memberships.

   The Internet Group Management Protocol (IGMP) is used by IPv4 hosts and adjacent multicast routers to establish multicast group memberships.
6. Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by _____ and/or _____ each IP packet in a data stream.

   Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet in a data stream.
7. Each IP datagram has two components, a header and a data payload. The IP header is tagged with _____ needed to route and deliver the datagram.

   Each IP datagram has two components, a header and a data payload. The IP header is tagged with the source IP address, destination IP address, and other meta-data needed to route and deliver the datagram.
8. IPv4 uses _____ addresses, most often written in the _____ notation.

   IPv4 uses 32-bit (four-byte) addresses, most often written in the dotted decimal notation.
9. Private IPv4 network address ranges are reserved for use in private networks and include _____.

   Private IPv4 network address ranges are reserved for use in private networks and include 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
10. Private networks communicate with public networks through _____.

    Private networks communicate with public networks through network address translation (NAT).
11. The link-local IPv4 address range, _____, is similar to a private network address range but is not routable.

    The link-local IPv4 address range, 169.254.0.0/16, is similar to a private network address range but is not routable.
12. The loopback address range, _____ is reserved for loopback, or internal host addressing.

    The loopback address range, 127.0.0.0/8 is reserved for loopback, or internal host addressing.
13. The primary address pool of the Internet, maintained by the Internet Assigned Numbers Authority (IANA), was exhausted in _____.

    The primary address pool of the Internet, maintained by the Internet Assigned Numbers Authority (IANA), was exhausted in 2011.
14. Valid IPv4 host addresses have a first octet in the range _____ (originally Class A), _____ (originally Class B), or _____ (originally Class C).

    Valid IPv4 host addresses have a first octet in the range 1-126 (originally Class A), 128-191 (originally Class B), or 192-223 (originally Class C).
15. Multicast addresses have a first octet in the range _____ (originally Class D).

    Multicast addresses have a first octet in the range 224-239 (originally Class D).
16. Addresses with a first octet in the range _____ are unused (reserved / experimental).

    Addresses with a first octet in the range 240-255 are unused (reserved / experimental).
17. Classful networking was replaced by _____ starting in 1993.

    Classful networking was replaced by Classless Inter-Domain Routing (CIDR) starting in 1993.

• Lesson Flashcards
• Terms Flashcards
• Quiz

• Internet Layer

IP address registration information may be located using one of the five Regional Internet Registry Whois databases. These activities will show you how to find the registrant or service provider for a given IP address.

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.

To determine your Regional Internet Registry:

1. Review Wikipedia: Regional Internet Registry.

To search for a public IPv4 address:

1. Navigate to the home page of one of the five regional Internet registries:
   • African Network Information Centre
   • American Registry for Internet Numbers
   • Asia-Pacific Network Information Centre
   • Latin America and Caribbean Network Information Centre
   • RIPE Network Coordination Centre
2. Locate the Whois / Search Database feature on the registry home page.
3. Enter 8.8.8.8 in the search box. This is the IPv4 address of one of Google's public DNS servers. Press Enter or select the submit button to submit your search.
4. Review the returned registration information.

To search for a private IPv4 address:

1. Enter 192.168.0.1 in the search box. This is a private IP address. Press Enter or select the submit button to submit your search.
2. Review the returned registration information.

To search for a link-local IPv4 address:

1. Enter 169.254.1.1 in the search box. This is a loopback address. Press Enter or select the submit button to submit your search.
2. Review the returned registration information.

To search for a loopback IPv4 address:

1. Enter 127.0.0.1 in the search box. This is a loopback address. Press Enter or select the submit button to submit your search.
2. Review the returned registration information.

To search for a multicast IPv4 address:

1. Enter 224.0.0.1 in the search box. This is a loopback address. Press Enter or select the submit button to submit your search.
2. Review the returned registration information.

To search for a reserved IPv4 address:

1. Enter 240.0.0.1 in the search box. This is a loopback address. Press Enter or select the submit button to submit your search.
2. Review the returned registration information.

To search for a public IPv6 address:

1. Enter 2001:4860:4860::8888 in the search box. This is the IPv6 address of one of Google's public DNS servers. Press Enter or select the submit button to submit your search.
2. Review the returned registration information.

• Wikipedia: Regional Internet Registry
• Wikipedia: Whois
• Wikipedia: IP Address

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Address Resolution Protocol (ARP) traffic.

• Wikipedia: Address_Resolution_Protocol (ARP)
• Wikipedia: Media Access Control (MAC) Address
• Wikipedia: Broadcast Address
• Wikipedia: Ethertype

• YouTube: Wireshark 101: Address Resolution Protocol, HakTip 124

To prepare for this activity:

1. Start your computer.
2. Log in if necessary.
3. Install Wireshark.

To capture ARP traffic:

1. Start Wireshark, but do not yet start a capture.
2. Open an elevated/administrator command prompt.
3. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
4. Start a Wireshark capture.
5. Use arp -d to clear the ARP cache.
6. Use ping <default gateway address> to ping the default gateway address.
7. Use arp -a to view the ARP cache and confirm an entry has been added for the default gateway address.
8. Close the command prompt.
9. Stop the Wireshark capture.

To analyze an ARP request:

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ARP listed as the protocol. To view only ARP traffic, type arp (lower case) in the Filter box and press Enter.
2. Select the first ARP packet.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address Resolution Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. Notice that the destination field is the Ethernet broadcast address (FF:FF:FF:FF:FF:FF). All devices on the network will receive the ARP request.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all, getmac, or ifconfig to confirm.
7. Observe the Type field. Notice that the type is 0x0806, indicating ARP.
8. Expand Address Resolution Protocol (request) to view ARP details.
9. Observe the Sender MAC address. Notice that the sender MAC address is your MAC address.
10. Observe the Sender IP address. Notice that the sender IP address is your IP address.
11. Observe the Target MAC address. Notice that the target MAC address is all zeros, because the target MAC address is unknown at this point.
12. Observe the Target IP address. Notice that the target IP address is the IP address of the default gateway.

To analyze an ARP reply:

1. Select the second ARP packet.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address Resolution Protocol frame. Confirm that in the middle packet details pane that the packet is labeled Address Resolution Protocol (reply).
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. Notice that the destination field is your MAC address.
5. Observe the Source field. This should be the MAC address of the default gateway.
6. Observe the Type field. Notice that the type is 0x0806, indicating ARP.
7. Expand Address Resolution Protocol (reply) to view ARP details.
8. Observe the Sender MAC address. Notice that the sender MAC address is the MAC address of the default gateway.
9. Observe the Sender IP address. Notice that the sender IP address is the IP address of the default gateway.
10. Observe the Target MAC address. Notice that the destination MAC address is your MAC address.
11. Observe the Target IP address. Notice that the destination IP address is your IP address.
12. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: Ethernet

• Ethernet
• Wikipedia: arping

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze local IPv4 traffic.

• Wikipedia: IPv4

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture local IPv4 traffic:

1. Start a Wireshark capture.
2. Use ping <default gateway address> to ping the default gateway address.
3. Stop the Wireshark capture.

To analyze local IPv4 outbound traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. This should contain the MAC address of your default gateway. You can use arp -a to confirm.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
7. Observe the Type field. Notice that the type is 0x0800, indicating IP.
8. Expand Internet Protocol Version 4 to view IP details.
9. Observe the Source address. Notice that the source address is your IP address.
10. Observe the Destination address. Notice that the destination address is the default gateway IP address.

To analyze local IPv4 inbound traffic:

1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. This should contain your MAC address.
5. Observe the Source field. This should contain the MAC address of your default gateway.
6. Observe the Type field. Notice that the type is 0x0800, indicating IP.
7. Expand Internet Protocol Version 4 to view IP details.
8. Observe the Source address. Notice that the source address is the default gateway IP address.
9. Observe the Destination address. Notice that the destination address is your IP address.
10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: IPv4

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze remote IPv4 traffic.

• Wikipedia: IPv4

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture remote IPv4 traffic:

1. Start a Wireshark capture.
2. Use ping 8.8.8.8 to ping an Internet host by IP address.
3. Stop the Wireshark capture.

To analyze remote IPv4 outbound traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. This should contain the MAC address of your default gateway. You can use arp -a to confirm. Notice that remote Internet layer traffic is processed as local Link layer traffic. The default gateway will route the packet to the Internet.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
7. Observe the Type field. Notice that the type is 0x0800, indicating IP.
8. Expand Internet Protocol Version 4 to view IP details.
9. Observe the Source address. Notice that the source address is your IP address.
10. Observe the Destination address. Notice that the destination address is the Internet host IP address.

To analyze remote IPv4 inbound traffic:

1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. This should contain your MAC address.
5. Observe the Source field. This should contain the MAC address of your default gateway. Notice that the remote Internet layer traffic is returned as local Link layer traffic. The routers between the Internet host and your network routed the packet back to your router so that it could forward the packet back to your computer.
6. Observe the Type field. Notice that the type is 0x0800, indicating IP.
7. Expand Internet Protocol Version 4 to view IP details.
8. Observe the Source address. Notice that the source address is the Internet host IP address.
9. Observe the Destination address. Notice that the destination address is your IP address.
10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: IPv4

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze fragmented IPv4 traffic.

• Wikipedia: IPv4

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture fragmented IPv4 traffic:

1. Start a Wireshark capture.
2. Use ping -l 2500 <default gateway address> to ping the default gateway address with a 2,500 byte packet. Notice that because the default maximum transmission unit (MTU) for Ethernet frames is 1,500 bytes, this should generate fragmented packets.
3. Stop the Wireshark capture.

To analyze fragmented IPv4 outbound traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To find only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. If you applied an icmp filter, clear the filter so you can see the IPv4 fragments.
4. Select the IPv4 packet immediately above the first ICMP packet.
5. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
6. Expand Internet Protocol Version 4 to view IP details.
7. Expand Flags to view flag details.
8. Observe the More fragments field. Notice that it is set, indicating more fragments will follow.
9. Observe the Fragment offset field. Notice that it is 0, indicating this is the first fragment.
10. Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
11. In the top Wireshark packet list pane, select the next packet, labeled Echo (ping) request.
12. View IP details.
13. Observe the More fragments field. Notice that it is not set, indicating no more fragments will follow.
14. Observe the Fragment offset field. Notice that it is the same as the size calculated for the first fragment.
15. Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
16. Add the sizes of the two fragments together to determine total data length. It should be 2,508, indicating 2,500 bytes of ICMP data and an 8 byte ICMP header.

To analyze fragmented IPv4 inbound traffic:

1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
2. Select the IPv4 packet immediately above the second ICMP packet.
3. View IP details.
4. Observe the More fragments field. Notice that it is set, indicating more fragments will follow.
5. Observe the Fragment offset field. Notice that it is 0, indicating this is the first fragment.
6. Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
7. In the top Wireshark packet list pane, select the next packet, labeled Echo (ping) reply.
8. View IP details.
9. Observe the More fragments field. Notice that it is not set, indicating no more fragments will follow.
10. Observe the Fragment offset field. Notice that it is the same as the size calculated for the first fragment.
11. Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
12. Add the sizes of the two fragments together to determine total data length. It should be 2,508, indicating 2,500 bytes of ICMP data and an 8 byte ICMP header.
13. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: IPv4

This lesson continues the Internet layer and looks at subnetworks, Classless Inter-Domain Routing (CIDR), subnetting, and supernetworks. Activities include IPv4 subnetting, and using the Cisco Subnet Game.

1. Wikipedia: Subnetwork
2. Wikipedia: IPv4 subnetting reference
3. Wikipedia: CIDR notation
4. Wikipedia: Classless Inter-Domain Routing
5. Wikipedia: Supernetwork

1. YouTube: Subnetting, Cisco CCNA, Binary Numbers - Part 1
2. YouTube: Subnetting, Cisco CCNA, Binary Numbers - Part 2
3. YouTube: Subnetting, Cisco CCNA, Binary Numbers - Part 3
4. YouTube: Subnetting, Cisco CCNA, Binary Numbers - Part 4
5. YouTube: Subnetting Cisco CCNA - Part 1 The Magic Number
6. YouTube: Subnetting Cisco CCNA - Part 2 The Magic Number
7. YouTube: Subnetting Cisco CCNA - Part 3 The Magic Number
8. YouTube: Subnetting Cisco CCNA - Part 4 The Magic Number
9. YouTube: Subnetting Cisco CCNA - Part 5 The Magic Number
10. YouTube: Subnetting Cisco CCNA - Part 6 The Magic Number

1. Review Cisco: IP Addressing and Subnetting for New Users.
2. Review Understanding TCP/IP addressing and subnetting basics.
3. Experiment with an online subnet calculator such as Online IP Subnet Calculator.
4. Generate practice subnetting questions using this Subnet Calculator.
5. Review EasySubnetting.com subnetting resources.
6. Play the Cisco: Subnet Troubleshooting Game.
7. Consider situations in which a packet analyzer might be used to troubleshoot subnetting and routing traffic.

• An IP address has two fields, a network prefix and a host identifier.^[1]
• The network prefix is identified using CIDR notation.^[2]
• In IPv4, the network prefix may also be identified using a 32-bit subnet mask in dotted-decimal notation.^[3]
• A network is divided into two or more subnetworks by dividing the host identifier field into separate subnet number and smaller host identifier fields.^[4]
• All hosts on a subnetwork have the same network prefix.^[5]
• Traffic between subnets is exchanged through a router.^[6]
• The first address on any given IPv4 network or subnet is reserved for the network itself.^[7]
• The last address on any given IPv4 network or subnet is reserved for broadcast.^[8]
• The separation of the network prefix/subnet number from the host identifier is performed by a bitwise AND operation between the IP address and the (sub)network mask.^[9]
• The number of subnetworks created by subnetting can be calculated as 2ⁿ, where n is the number of bits used for subnetting.^[10]
• The number of available hosts on each subnet can be calculated as 2ⁿ -2 ,where n is the number of bits available for the host identifier.^[11]
• The goal of Classless Inter-Domain Routing was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.^[12]
• Classless Inter-Domain Routing is based on variable-length subnet masking (VLSM), which allows a network to be divided into variously sized subnets, providing the opportunity to size a network more appropriately for local needs.^[13]
• The benefits of supernetting are conservation of address space and efficiencies gained in routers in terms of memory storage of route information and processing overhead when matching routes.^[14]

bitwise AND

A binary operation that takes two representations of equal length and performs the logical AND operation on each pair of corresponding bits. The result in each position is 1 if the first bit is 1 and the second bit is 1; otherwise, the result is 0.^[15]

CIDR notation

A compact specification of an Internet Protocol address and its associated routing prefix.^[16]

provider-independent address space

A block of IP addresses assigned by a regional Internet registry (RIR) directly to an end-user organization.^[17]

routing table

A data table stored in a router or a networked computer that lists the routes to particular network destinations, and in some cases, metrics (distances) associated with those routes.^[18]

subnet

A logically visible subdivision of an IP network.^[19]

subnet mask

A bitmask that encodes the (sub)network prefix length in dotted-decimal notation, starting with a number of 1 bits equal to the prefix length, ending with 0 bits, and encoded in four-part dotted-decimal format.^[20]

subnetting

The practice of dividing a network into two or more networks.^[21]

supernet

An Internet Protocol (IP) network that is formed from the combination of two or more networks (or subnets) with a common Classless Inter-Domain Routing (CIDR) prefix.^[22]

Click on a question to see the answer.

1. An IP address has two fields, _____.

   An IP address has two fields, a network prefix and a host identifier.
2. The network prefix is identified using _____.

   The network prefix is identified using CIDR notation.
3. In IPv4, in addition to using CIDR notation, the network prefix may be identified using _____.

   In IPv4, in addition to using CIDR notation, the network prefix may be identified using a 32-bit subnet mask in dotted-decimal notation.
4. A network is divided into two or more subnetworks by dividing _____.

   A network is divided into two or more subnetworks by dividing the host identifier field into separate subnet number and smaller host identifier fields.
5. All hosts on a subnetwork have the same _____.

   All hosts on a subnetwork have the same network prefix.
6. Traffic between subnets is exchanged through a _____.

   Traffic between subnets is exchanged through a router.
7. The first address on any given network or subnet is reserved for _____.

   The first address on any given IPv4 network or subnet is reserved for the network itself.
8. The last address on any given IPv4 network or subnet is reserved for _____.

   The last address on any given IPv4 network or subnet is reserved for broadcast.
9. The separation of the network prefix/subnet number from the host identifier is performed by _____.

   The separation of the network prefix/subnet number from the host identifier is performed by a bitwise AND operation between the IP address and the (sub)network mask.
10. The number of subnetworks created by subnetting can be calculated as _____.

    The number of subnetworks created by subnetting can be calculated as 2ⁿ, where n is the number of bits used for subnetting.
11. The number of available hosts on each subnet can be calculated as _____.

    The number of available hosts on each subnet can be calculated as 2^n-2, where n is the number of bits available for the host identifier.
12. The goal of Classless Inter-Domain Routing was to _____.

    The goal of Classless Inter-Domain Routing was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.
13. Classless Inter-Domain Routing is based on _____.

    Classless Inter-Domain Routing is based on variable-length subnet masking (VLSM).
14. The benefits of supernetting are _____.

    The benefits of supernetting are conservation of address space and efficiencies gained in routers in terms of memory storage of route information and processing overhead when matching routes.

• Lesson Flashcards
• Terms Flashcards
• Quiz

This lesson continues the Internet layer and looks at IPv6 and a variety of IPv6 transition technologies. Activities include using Wireshark to examine IPv6 network traffic.

1. Wikipedia: IPv6
2. Wikipedia: Link-local address
3. Wikipedia: Teredo tunneling
4. Wikipedia: ISATAP
5. Wikipedia: 6to4
6. Wikipedia: 6in4
7. Wikipedia: NAT64

1. YouTube: An overview of IPv4 and IPv6 - CompTIA Network+ N10-005: 1.3
2. YouTube: IPv6 Transition Technology

1. Use netsh to configure IPv6 settings.
2. Use Wireshark to capture and analyze local IPv6 traffic.
3. Use Wireshark to capture and analyze remote IPv6 traffic.
4. Use Wireshark to capture and analyze IPv6 Teredo traffic.
5. Use Wireshark to capture and analyze IPv6 6to4 traffic.
6. Use Wireshark to capture and analyze IPv6 6in4 traffic.
7. Consider situations in which a packet analyzer might be used to troubleshoot IPv6 traffic.

• IPv6 is an Internet-layer protocol for packet-switched internetworking and provides end-to-end datagram transmission across multiple IP networks.^[1]
• IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of running out of IPv4 addresses.^[2]
• IPv6 uses 128-bit addresses, commonly displayed to users as eight groups of four hexadecimal digits separated by colons.^[3]
• In an IPv6 address, leading zeroes may be removed from any group of hexadecimal digits. Multiple consecutive groups of zeroes may be replaced with a double colon (::).^[4]
• The IPv6 subnet size has been standardized by fixing the size of the host identifier portion of an address to 64 bits.^[5]
• IPv6 does not implement interoperability features with IPv4, but essentially creates a parallel, independent network. Exchanging traffic between the two networks requires special translator gateways.^[6]
• Work on IPv6 began by 1992, and was first published in a series of RFCs in 1996.^[7]
• Most transport and application-layer protocols need little or no change to operate over IPv6.^[8]
• Multicasting is part of the base specification in IPv6. IPv6 does not implement traditional IP broadcast and does not define broadcast addresses.^[9]
• IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using the Neighbor Discovery Protocol via Internet Control Message Protocol version 6 (ICMPv6) router discovery messages.^[10]
• IPv6 routers do not perform fragmentation.^[11]
• Privacy extensions for IPv6 allow the operating system to generate ephemeral IP addresses by concatenating a randomly generated host identifier with the assigned network prefix for communication with remote hosts.^[12]
• The IPv6 header consists of a fixed portion with minimal functionality required for all packets and may be followed by optional extensions to implement special features. The fixed header requires 40 octets (320 bits) and contains the source and destination addresses, traffic classification options, a hop counter, and the type of the optional extension or payload which follows the fixed header.^[13]
• The IPv6 loopback address is ::1.^[14]
• Link-local addresses begin with fe80::/10.^[15]
• Tunneling may be used to enable IPv4 networks to communicate with IPv6 networks. In tunneling, IPv6 packets are encapsulated within IPv4 packets, in effect using IPv4 as a link layer for IPv6.^[16]
• Teredo is an automatic inter-site tunneling technique that uses UDP encapsulation and can cross Network Address Translation (NAT) nodes.^[17] Teredo addresses begin with 2001:0::/32.^[18]
• ISATAP is an automatic intra-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.^[19]ISATAP addresses begin with fe80::200:5efe/96.^[20]
• 6to4 is an automatic inter-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.^[21] 6to4 addresses begin with 2002::/16 and relay through 192.88.99.1.^[22]
• 6in4 is a configured inter-site tunneling technique that uses IPv4 encapsulation. It can cross NAT nodes with proper configuration.^[23] 6in4 addresses are public addresses assigned by the tunnel broker, and therefore create security risks.^[24]
• NAT64 is a network address translation technique that allows IPv6-only hosts to communicate with IPv4-only servers. NAT64 server addresses begin with 64:ff9b::/96.^[25]

anycast

A network addressing and routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers, though it may be sent to several nodes, all identified by the same destination address.^[26]

Data Over Cable Service Interface Specification (DOCSIS)

An international telecommunications standard that permits the addition of high-speed data transfer to an existing cable TV (CATV) system.^[27]

end-to-end principle

A classic computer network design principle which states that application-specific functions ought to reside in the end hosts of a network rather than in intermediary nodes – provided they can be implemented completely and correctly in the end hosts.^[28]

hop count

A count of the intermediate devices (routers) through which data must pass between source and destination.^[29]

jumbogram

An internet layer packet exceeding the standard Maximum Transmission Unit (MTU) of the underlying network technology.^[30]

Mobile IP

An Internet Engineering Task Force (IETF) standard communications protocol that is designed to allow mobile device users to move from one network to another while maintaining a permanent IP address.^[31]

Path MTU Discovery (PMTUD)

A standardized technique for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts.^[32]

proxy server

A computer system or application that acts as an intermediary for requests from clients seeking resources from other servers.^[33]

Quality of Service (QoS)

The ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow.^[34]

Stateless Address Autoconfiguration (SLAAC)

A method by which a node automatically creates a link-local address with the prefix fe80::/64 on each IPv6-enabled interface, even if globally routable addresses are manually configured or obtained through configuration protocols.^[35]

tunneling protocol

The use of one network protocol (the delivery protocol) to encapsulate a different payload protocol.^[36]

World IPv6 Launch

The Internet Society declared June 6, 2012 to be the date for "World IPv6 Launch", with participating major websites enabling IPv6 permanently, participating ISPs offering IPv6 connectivity, and participating router manufacturers offering devices enabled for IPv6 by default.^[37]

Click on a question to see the answer.

1. IPv6 is an _____-layer protocol for packet-switched internetworking and provides end-to-end datagram transmission across multiple IP networks.

   IPv6 is an Internet-layer protocol for packet-switched internetworking and provides end-to-end datagram transmission across multiple IP networks.
2. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of _____.

   IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of running out of IPv4 addresses.
3. IPv6 uses _____-bit addresses, commonly displayed to users as _____ groups of _____ hexadecimal digits separated by _____.

   IPv6 uses 128-bit addresses, commonly displayed to users as eight groups of four hexadecimal digits separated by colons.
4. In an IPv6 address, leading zeroes may be removed from any group of hexadecimal digits. Multiple consecutive groups of zeroes may be replaced with _____.

   In an IPv6 address, leading zeroes may be removed from any group of hexadecimal digits. Multiple consecutive groups of zeroes may be replaced with a double colon (::).
5. The IPv6 subnet size has been standardized by fixing the size of the host identifier portion of an address to _____ bits.

   The IPv6 subnet size has been standardized by fixing the size of the host identifier portion of an address to 64 bits.
6. IPv6 does not implement interoperability features with IPv4, but essentially creates a _____. Exchanging traffic between the two networks requires special translator _____.

   IPv6 does not implement interoperability features with IPv4, but essentially creates a parallel, independent network. Exchanging traffic between the two networks requires special translator gateways.
7. Work on IPv6 began by _____, and was first published in a series of RFCs in _____.

   Work on IPv6 began by 1992, and was first published in a series of RFCs in 1996.
8. Most transport and application-layer protocols need _____ to operate over IPv6.

   Most transport and application-layer protocols need little or no change to operate over IPv6.
9. Multicasting is part of the base specification in IPv6. IPv6 does not implement traditional IP _____ and does not define _____.

   Multicasting is part of the base specification in IPv6. IPv6 does not implement traditional IP broadcast and does not define broadcast addresses.
10. IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using the _____ via Internet Control Message Protocol version 6 (ICMPv6) router discovery messages.

    IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using the Neighbor Discovery Protocol via Internet Control Message Protocol version 6 (ICMPv6) router discovery messages.
11. IPv6 routers do not perform _____.

    IPv6 routers do not perform fragmentation.
12. Privacy extensions for IPv6 allow the operating system to generate _____ for communication with remote hosts.

    Privacy extensions for IPv6 allow the operating system to generate ephemeral IP addresses by concatenating a randomly generated host identifier with the assigned network prefix for communication with remote hosts.
13. The IPv6 header consists of a fixed portion with minimal functionality required for all packets and may be followed by optional extensions to implement special features. The fixed header requires _____ octets (_____ bits) and contains _____.

    The IPv6 header consists of a fixed portion with minimal functionality required for all packets and may be followed by optional extensions to implement special features. The fixed header requires 40 octets (320 bits) and contains the source and destination addresses, traffic classification options, a hop counter, and the type of the optional extension or payload which follows the fixed header.
14. The IPv6 loopback address is _____.

    The IPv6 loopback address is ::1.
15. Link-local addresses begin with _____.

    Link-local addresses begin with the prefix fe80::/10.
16. Tunneling may be used to enable IPv4 networks to communicate with IPv6 networks. In tunneling, _____ packets are encapsulated within _____ packets, in effect using _____ as a _____ layer for _____.

    Tunneling may be used to enable IPv4 networks to communicate with IPv6 networks. In tunneling, IPv6 packets are encapsulated within IPv4 packets, in effect using IPv4 as a link layer for IPv6.
17. Teredo is an _____ _____-site tunneling technique that uses _____ encapsulation and _____ cross Network Address Translation (NAT) nodes.

    Teredo is an automatic inter-site tunneling technique that uses UDP encapsulation and can cross Network Address Translation (NAT) nodes.
18. Teredo addresses begin with _____.

    Teredo addresses begin with 2001:0::/32.
19. ISATAP is an _____ _____-site tunneling technique that uses _____ encapsulation. It _____ cross NAT nodes.

    ISATAP is an automatic intra-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.
20. ISATAP addresses begin with _____.

    ISATAP addresses begin with fe80::200:5efe/96.
21. 6to4 is an _____ _____-site tunneling technique that uses _____ encapsulation. It _____ cross NAT nodes.

    6to4 is an automatic inter-site tunneling technique that uses IPv4 encapsulation. It cannot cross NAT nodes.
22. 6to4 addresses begin with _____ and relay through _____.

    6to4 addresses begin with 2002::/16 and relay through 192.88.99.1.
23. 6in4 is a _____ _____-site tunneling technique that uses _____ encapsulation. It _____ cross NAT nodes.

    6in4 is a configured inter-site tunneling technique that uses IPv4 encapsulation. It can cross NAT nodes.
24. 6in4 addresses are _____ addresses assigned by the tunnel broker, and therefore create security risks.

    6in4 addresses are public addresses assigned by the tunnel broker, and therefore create security risks.
25. NAT64 is a _____ that allows _____-only hosts to communicate with _____-only servers.

    NAT64 is a network address translation technique that allows IPv6-only hosts to communicate with IPv4-only servers.
26. NAT64 server addresses begin with _____.

    NAT64 server addresses begin with 64:ff9b::/96.

• Lesson Flashcards
• Terms Flashcards
• Quiz

Netsh is a Windows command used to display and modify the network configuration of a currently running local or remote computer. These activities will show you how to use the netsh command to configure IPv6 settings.

Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.

To display IPv6 information:

1. Open an elevated/administrator command prompt.
2. Use ipconfig to display IP address information. Observe the results. If IPv6 is enabled, you should see one or more IPv6 addresses. A typical Windows 7 computer has a Link-local IPv6 Address, an ISATAP tunnel adapter with media disconnected, and a Teredo tunnel adapter. Link-local addresses begin with fe80::/10. ISATAP addresses are specific link-local addresses beginning with fe80::200:5efe/96. Teredo addresses begin with 2001:0::/32.
3. Type netsh interface ipv6 show interfaces and press Enter. Observe the results listing the interfaces on which IPv6 is enabled. Note that all netsh parameters may be abbreviated, as long as the abbreviation is a unique parameter. netsh interface ipv6 show interfaces may be entered as netsh i ipv6 sh i.
4. Type netsh interface ipv6 show addresses and press Enter. Observe the results listing the interface IPv6 addresses.
5. Type netsh interface ipv6 show destinationcache and press Enter. Observe the results listing recent IPv6 destinations.
6. Type netsh interface ipv6 show dnsservers and press Enter. Observe the results listing IPv6 DNS server settings.
7. Type netsh interface ipv6 show neighbors and press Enter. Observe the results listing IPv6 neighbors. This is similar to the IPv4 ARP cache.
8. Type netsh interface ipv6 show route and press Enter. Observe the results listing IPv6 route information.

To disable Teredo:

1. Type netsh interface teredo set state disabled and press Enter.
2. Use ipconfig to confirm that Teredo was disabled.

To disable ISATAP:

1. Type netsh interface isatap set state disabled and press Enter.
2. Use ipconfig to confirm that ISATAP was disabled.

To enable 6to4:

1. Type netsh interface 6to4 set state enabled and press Enter.
2. Use ipconfig to confirm that 6to4 was enabled.

Note that 6to4 will show media disconnected if you have a private IP address.

To disable 6to4:

1. Type netsh interface 6to4 set state disabled and press Enter.
2. Use ipconfig to confirm that 6to4 was disabled.

To enable a functioning 6in4 tunnel, you must register with a tunnel broker:

1. Visit http://tunnelbroker.net.
2. Register with the service.
3. Complete the NewB certification.
4. Create a Regular Tunnel. Fill in the necessary information.
5. View Example Configurations. Select your operating system. For recent Windows operating systems, the netsh command sequence would be similar to:
   • netsh interface ipv6 add v6v4tunnel IP6Tunnel <your IPv4 address> <tunnel broker IPv4 address>
   • netsh interface ipv6 add address IP6Tunnel <your given IPv6 address>
   • netsh interface ipv6 add route ::/0 IP6Tunnel <your given IPv6 gateway address>
6. Use ipconfig to confirm that a 6in4 tunnel was created.

1. Type netsh interface ipv6 show interface and press Enter.
2. Identify the interface ID of the 6in4 tunnel created in Activity 6.
3. Type netsh interface ipv6 delete interface id, where id is the ID number of the 6in4 tunnel. Then press Enter.
4. Use ipconfig to confirm that the 6in4 tunnel was deleted.

To enable Teredo:

1. Type netsh interface teredo set state default and press Enter.
2. Use ipconfig to confirm that Teredo was enabled.

To enable ISATAP:

1. Type netsh interface isatap set state enabled and press Enter.
2. Use ipconfig to confirm that ISATAP was enabled.
3. Close the command prompt to complete this activity.

To reset IPv6:

1. Type netsh interface ipv6 reset and press Enter.
2. Close the command prompt and restart the computer to complete this activity.

• Wikipedia: IPv6
• Wikipedia: Teredo
• Wikipedia: ISATAP
• Wikipedia: 6to4
• Wikipedia: 6in4

• Microsoft TechNet: Netsh commands for Interface IPv4 and IPv6
• Hurricane Electric Free IPv6 Tunnel Broker

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze local IPv6 traffic.

• Wikipedia: IPv6

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture local IPv6 traffic:

1. Use ipconfig to display the default gateway address. Note the Default Gateway displayed. Be sure to select an IPv6 address. If you don't have an IPv6 default gateway, just review the following instructions for content understanding.
2. Start a Wireshark capture.
3. Use ping <default gateway address> to ping the default gateway IPv6 address.
4. Stop the Wireshark capture.

To analyze local IPv6 outbound traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
2. Select the first ICMPv6 packet or scroll down if necessary to locate the first packet labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. This should contain the MAC address of your default gateway. You can use netsh interface ipv6 show neighbors to confirm.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
7. Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
8. Expand Internet Protocol Version 6 to view IPv6 details.
9. Observe the Source address. Notice that the source address is your IPv6 address.
10. Observe the Destination address. Notice that the destination address is the default gateway IPv6 address.

To analyze local IPv6 inbound traffic:

1. In the top Wireshark packet list pane, select the next ICMPv6 packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. This should contain your MAC address.
5. Observe the Source field. This should contain the MAC address of your default gateway.
6. Observe the Type field. Notice that the type is 0x86dd, indicating IP.
7. Expand Internet Protocol Version 6 to view IPv6 details.
8. Observe the Source address. Notice that the source address is the default gateway IPv6 address.
9. Observe the Destination address. Notice that the destination address is your IPv6 address.
10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: IPv4

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze remote IPv6 traffic.

• Wikipedia: IPv6

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture remote IPv6 traffic:

1. Start a Wireshark capture.
2. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
3. Stop the Wireshark capture.

To analyze remote IPv6 outbound traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
2. Select the first ICMPv6 packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination field. This should contain the MAC address of your default gateway. You can use netsh interface ipv6 show neighbors to confirm. Notice that remote Internet layer traffic is processed as local Link layer traffic. The default gateway will route the packet to the Internet.
6. Observe the Source field. This should contain your MAC address. You can use ipconfig /all or getmac to confirm.
7. Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
8. Expand Internet Protocol Version 6 to view IPv6 details.
9. Observe the Source address. Notice that the source address is your IPv6 address.
10. Observe the Destination address. Notice that the destination address is the Internet host IPv6 address.

To analyze remote IPv6 inbound traffic:

1. In the top Wireshark packet list pane, select the next ICMPv6 packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination field. This should contain your MAC address.
5. Observe the Source field. This should contain the MAC address of your default gateway. Notice that the remote Internet layer traffic is returned as local Link layer traffic. The routers between the Internet host and your network routed the packet back to your router so that it could forward the packet back to your computer.
6. Observe the Type field. Notice that the type is 0x86dd, indicating IPv6.
7. Expand Internet Protocol Version 6 to view IPv6 details.
8. Observe the Source address. Notice that the source address is the Internet host IPv6 address.
9. Observe the Destination address. Notice that the destination address is your IPv6 address.
10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: IPv6

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv6 Teredo traffic. Note: These activities do not require an IPv6 Internet connection. Teredo tunnels across IPv4.

• Wikipedia: IPv6
• Wikipedia: Teredo tunneling

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
4. Enable Teredo if necessary.

To capture IPv6 Teredo traffic:

1. Use ipconfig /all to verify that you have a Teredo tunnel adapter. If not, simply read along to understand the following concepts.
2. Start a Wireshark capture.
3. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
4. Stop the Wireshark capture.

To analyze IPv6 Teredo traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Type teredo (lower case) in the Filter box and press Enter to select Teredo traffic.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Teredo IPv6 Over UDP Tunneling / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. The IPv6 / ICMPv6 packets are encapsulated inside IPv4 / UDP packets and forwarded to a Teredo server for IPv6 forwarding.
3. Expand Internet Protocol Version 6 and identify the Source Teredo Port number.
4. Modify the Filter box to teredo || udp.port == <Teredo port number>. For example, if the port number was 54321, you would enter a filter of teredo || udp.port == 54321. Then press Enter.
5. Observe the IPv6 Teredo traffic.
6. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv6 6to4 traffic. Note: These activities do not require an IPv6 Internet connection. 6to4 tunnels across IPv4.

• Wikipedia: IPv6
• Wikipedia: 6to4

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
4. Enable 6to4 if necessary.

To capture IPv6 6to4 traffic:

1. Use ipconfig /all to verify that you have a 6TO4 tunnel adapter. If not, simply read along to understand the following concepts.
2. Start a Wireshark capture.
3. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
4. Stop the Wireshark capture.

To analyze IPv6 6to4 traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Type ipv6.addr == 2001:4860:4860::8888 (lower case) in the Filter box and press Enter to select the generated traffic.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. The IPv6 / ICMPv6 packets are encapsulated inside IPv4 packets and forwarded to the 6to4 relay at 192.88.99.1 for IPv6 forwarding.
3. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv6 6in4 traffic. Note: These activities do not require an IPv6 Internet connection. 6in4 tunnels across IPv4.

• Wikipedia: IPv6
• Wikipedia: 6in4

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.
4. Establish an IPv6 6in4 tunnel.

To capture IPv6 6in4 traffic:

1. Use ipconfig /all to verify that you have an IPv6 tunnel adapter. If not, simply read along to understand the following concepts.
2. Start a Wireshark capture.
3. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
4. Stop the Wireshark capture.

To analyze IPv6 6in4 traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Type ipv6.addr == 2001:4860:4860::8888 (lower case) in the Filter box and press Enter to select the generated traffic.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. The IPv6 / ICMPv6 packets are encapsulated inside IPv4 packets and forwarded to a 6in4 IPv6 server for IPv6 forwarding.
3. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide

This lesson continues the Internet layer and looks at the Internet Control Message Protocol (ICMP and ICMPv6). Activities include using Wireshark to examine ICMP and ICMPv6 network traffic.

1. Wikipedia: Internet Control Message Protocol
2. Wikipedia: ICMPv6
3. Wikipedia: Path MTU Discovery

1. YouTube: ICMP Packet Capture with Michael Gregg

1. Review Wireshark: Internet Control Message Protocol (ICMP).^[1]
2. Use Wireshark to capture and analyze ICMP Echo traffic.
3. Use Wireshark to capture and analyze ICMP Time Exceeded traffic.
4. Use Wireshark to capture and analyze ICMP tracert/traceroute traffic.
5. Review Wireshark: ICMPv6.
6. Use Wireshark to capture and analyze ICMPv6 Echo traffic.
7. Use Wireshark to capture and analyze ICMPv6 Time Exceeded traffic.
8. Use Wireshark to capture and analyze ICMPv6 tracert/traceroute traffic.
9. Use ping to determine local network MTU.
10. Use ping to determine Path MTU to an Internet host such as Google's public DNS server 8.8.8.8.

    Note that Internet routers frequently drop large ICMP packets to prevent Denial of Service attacks, so it may not be possible to capture ICMPv6 Packet Too Big messages with this approach.

11. Consider situations in which a packet analyzer might be used to troubleshoot ICMP traffic.

• ICMP is a core protocol operating in the Internet layer of the Internet Protocol Suite.^[2]
• ICMP messages are used for diagnostic or control purposes or generated in response to errors in IP operations.^[1]
• ICMP messages may be classified into two categories: error messages and information messages.^[3]
• ICMP errors are directed to the source IP address of the originating packet.^[4]
• ICMPv6 is an integral part of IPv6 and performs error reporting, diagnostic functions (e.g., ping), and provides a framework for extensions to implement future changes.^[5]
• ICMPv6 error messages include Destination Unreachable, Packet Too Big, Time Exceeded, and Parameter Problem.^[6]
• ICMPv6 informational messages include Echo Request, Echo Reply, and a variety of multicast messages that will be covered in the next lesson.^[7]
• The tracert (traceroute) and Pathping commands are implemented by transmitting datagrams with specially set IP TTL header fields and looking for ICMP Time Exceeded and Destination Unreachable messages generated in response.^[8]
• The ping utility is implemented using ICMP Echo Request and Echo Reply messages.^[9]
• Path MTU Discovery in IPv4 is performed by routers and supported through fragmentation.^[10]
• Path MTU Discovery in IPv6 must be performed by the sending host, because IPv6 routers do not support fragmentation.^[11]

Destination Unreachable

An ICMP error message which is generated by the host or its inbound gateway to inform the client that the destination is unreachable for some reason.^[12]

Echo Reply

An ICMP informational message response to an echo request.^[13]

Echo Request

An ICMP informational message whose data is expected to be received back in an echo reply.^[14]

Packet Too Big

An ICMP error message which is generated by a gateway to inform the source of a discarded datagram due to the size being too large for the link layer.^[15]

Parameter Problem

An ICMP error message which is generated by a host to inform the source of a problem with a field in the IPv6 header or extension headers of a packet that has been discarded.^[16]

Path MTU Discovery (PMTUD)

A standardized technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation.^[17]

Redirect Message

An ICMP message which informs a host to update its routing information (to send packets on an alternate route).^[18]

Source Quench

An ICMP message which requests that the sender decrease the rate of messages sent to a router or host.^[19]

Time Exceeded

An ICMP error message which is generated by a gateway to inform the source of a discarded datagram due to the time to live / hop count field reaching zero.^[20]

Click on a question to see the answer.

1. ICMP is a core protocol operating in the _____ layer of the Internet Protocol Suite.

   ICMP is a core protocol operating in the Internet layer of the Internet Protocol Suite.
2. ICMP messages are used for _____.

   ICMP messages are used for diagnostic or control purposes or generated in response to errors in IP operations.
3. ICMP messages may be classified into two categories: _____ and _____.

   ICMP messages may be classified into two categories: error messages and information messages.
4. ICMP errors are directed to _____.

   ICMP errors are directed to the source IP address of the originating packet.
5. ICMPv6 is an integral part of IPv6 and performs _____, and provides _____.

   ICMPv6 is an integral part of IPv6 and performs error reporting, diagnostic functions (e.g., ping), and provides a framework for extensions to implement future changes.
6. ICMPv6 error messages include _____.

   ICMPv6 error messages include Destination Unreachable, Packet Too Big, Time Exceeded, and Parameter Problem.
7. ICMPv6 informational messages include _____.

   ICMPv6 informational messages include Echo Request, Echo Reply, and a variety of multicast messages.
8. The _____ utilities are implemented by transmitting datagrams with specially set IP TTL header fields and looking for ICMP Time Exceeded and Destination Unreachable messages generated in response.

   The tracert (traceroute) and Pathping utilities are implemented by transmitting datagrams with specially set IP TTL header fields and looking for ICMP Time Exceeded and Destination Unreachable messages generated in response.
9. The _____ utility is implemented using ICMP Echo Request and Echo Reply messages.

   The ping utility is implemented using ICMP Echo Request and Echo Reply messages.
10. Path MTU Discovery in _____ is performed by routers.

    Path MTU Discovery in IPv4 is performed by routers.
11. Path MTU Discovery in _____ must be performed by the sending host.

    Path MTU Discovery in IPv6 must be performed by the sending host.
12. ICMP stands for _____.

    ICMP stands for Internet Control Message Protocol.

• Lesson Flashcards
• Terms Flashcards
• Quiz

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Internet Control Message Protocol (ICMP) Echo traffic.

• Wikipedia: Internet Control Message Protocol

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture ICMP Echo traffic:

1. Start a Wireshark capture.
2. Use ping <default gateway address> to ping the default gateway address.
3. Stop the Wireshark capture.

To analyze ICMP Echo Request traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
4. Expand Internet Control Message Protocol to view ICMP details.
5. Observe the Type. Notice that the type is 8 (Echo (ping) request).
6. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
7. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet sequence during ping requests.

To analyze ICMP Echo Reply traffic:

1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
3. Expand Internet Control Message Protocol to view ICMP details.
4. Observe the Type. Notice that the type is 0 (Echo (ping) reply).
5. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
6. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that the reply echoes the request sequence.
7. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: Internet Control Message Protocol

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Internet Control Message Protocol (ICMP) Time Exceeded traffic.

• Wikipedia: Internet Control Message Protocol

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture ICMP Time Exceeded traffic:

1. Start a Wireshark capture.
2. Use ping -i 1 8.8.8.8 to ping one of Google's public DNS servers with a Time To Live setting of 1.
3. Stop the Wireshark capture.

To analyze ICMP Echo Request traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
4. Expand Internet Protocol Version 4 to view IPv4 details.
5. Observe the Time to live. Notice that the time to live is set to 1.
6. Expand Internet Control Message Protocol to view ICMP details.
7. Observe the Type. Notice that the type is 8 (Echo (ping) request).
8. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
9. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet sequence during ping requests.

To analyze ICMP Time Exceeded traffic:

1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Time-to-live exceeded.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
3. Expand Internet Protocol Version 4 to view IPv4 details.
4. Observe the Source. This is the IP address of the router where the time was exceeded.
5. Expand Internet Control Message Protocol to view ICMP details.
6. Observe the Type. Notice that the type is 11 (Time-to-live exceeded).
7. Observe the Code. Notice that the code is 0 (Time to live exceeded in transit).
8. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
9. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: Internet Control Message Protocol

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze tracert/traceroute traffic. Tracing routes is accomplished through the use of Internet Control Message Protocol (ICMP) Time Exceeded.

• Wikipedia: Internet Control Message Protocol

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture ICMP tracert traffic:

1. Start a Wireshark capture.
2. Open a command prompt.
3. Type tracert -d 8.8.8.8 and press Enter to trace the route to one of Google's public DNS servers. The -d option prevents DNS name resolution, which in this case will improve performance and reduce the amount of captured traffic.
4. When the trace is complete, close the command prompt.
5. Stop the Wireshark capture.

To analyze tracert traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
2. Select the first ICMP packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
4. Expand Internet Protocol Version 4 to view IPv4 details.
5. Observe the Time to live. Notice that the time to live is set to 1.
6. Expand Internet Control Message Protocol to view ICMP details.
7. Observe the Type. Notice that the type is 8 (Echo (ping) request). Tracert is performed through a series of ICMP Echo requests, varying the Time-To-Live (TTL) until the destination is found.
8. In the top Wireshark packet list pane, select the second ICMP packet, labeled Time-to-live exceeded.
9. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
10. Expand Internet Protocol Version 4 to view IPv4 details.
11. Observe the Source. This is the IP address of the router where the time was exceeded.
12. Expand Internet Control Message Protocol to view ICMP details.
13. Observe the Type. Notice that the type is 11 (Time-to-live exceeded).
14. Observe the Code. Notice that the code is 0 (Time to live exceeded in transit).
15. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
16. Continue selecting alternate ICMP Echo Request and ICMP Time-To-Live Exceeded packets. Notice that the request is repeated three times for each time-to-live count, and each reply indicates the IP address of the router where the time to live was exceeded.
17. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: Internet Control Message Protocol

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Internet Control Message Protocol Version 6 (ICMPv6) Echo traffic.

• Wikipedia: Internet Control Message Protocol Version 6 (ICMPv6)

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture ICMPv6 Echo traffic:

1. Start a Wireshark capture.
2. Use ping 2001:4860:4860::8888 to ping one of Google's public IPv6 DNS servers.
3. Stop the Wireshark capture.

To analyze ICMPv6 Echo Request traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
2. Select the first ICMPv6 packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Note if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
4. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
5. Observe the Type. Notice that the type is Echo (ping) request (128).
6. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
7. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet sequence during ping requests.

To analyze ICMPv6 Echo Reply traffic:

1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Again, if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
3. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
4. Observe the Type. Notice that the type is Echo (ping) reply (129).
5. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
6. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that the reply echoes the request sequence.
7. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: ICMPv6

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Internet Control Message Protocol Version 6 (ICMPv6) Time Exceeded traffic.

• Wikipedia: Internet Control Message Protocol Version 6 (ICMPv6)

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture ICMPv6 Time Exceeded traffic:

1. Start a Wireshark capture.
2. Use ping -i 1 2001:4860:4860::8888 to ping one of Google's public IPv6 DNS servers with a hop limit of 1.
3. Stop the Wireshark capture.

To analyze ICMPv6 Echo Request traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
2. Select the first ICMPv6 packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Note if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
4. Expand Internet Protocol Version 6 to view IPv6 details.
5. Observe the Hop limit. Notice that the hop limit is set to 1.
6. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
7. Observe the Type. Notice that the type is Echo (ping) request (128).
8. Select Data in the middle Wireshark packet details pane to highlight the data portion of the frame.
9. Observe the packet contents in the bottom Wireshark packet bytes pane. Notice that Windows sends an alphabet sequence during ping requests.

To analyze ICMPv6 Time Exceeded traffic:

1. In the top Wireshark packet list pane, select the second ICMPv6 packet, labeled Time Exceeded.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame. Again, if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
3. Expand Internet Protocol Version 6 to view IPv6 details.
4. Observe the Source. This is the IP address of the router where the hop limit was exceeded.
5. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
6. Observe the Type. Notice that the type is Time Exceeded (3).
7. Observe the Code. Notice that the code is 0 (Hop limit exceeded in transit).
8. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
9. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: ICMPv6

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze tracert/traceroute traffic. Tracing routes is accomplished through the use of Internet Control Message Protocol (ICMPv6) Time Exceeded.

• Wikipedia: Internet Control Message Protocol Version 6 (ICMPv6)

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture ICMPv6 tracert traffic:

1. Start a Wireshark capture.
2. Open a command prompt.
3. Type tracert -d 2001:4860:4860::8888 and press Enter to trace the route to one of Google's public IPv6 DNS servers. The -d option prevents DNS name resolution, which in this case will improve performance and reduce the amount of captured traffic.
4. When the trace is complete, close the command prompt.
5. Stop the Wireshark capture.

To analyze tracert traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMPv6 listed as the protocol. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
2. Select the first ICMPv6 packet, labeled Echo (ping) request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol frame. Note if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
4. Expand Internet Protocol Version 6 to view IPv6 details.
5. Observe the Hop limit. Notice that the hop limit is set to 1.
6. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
7. Observe the Type. Notice that the type is Echo (ping) request (128). Tracert is performed through a series of ICMPv6 Echo requests, varying the hop limit until the destination is found.
8. In the top Wireshark packet list pane, select the second ICMPv6 packet, labeled Time Exceeded.
9. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol frame. Again, if you are using an IPv6 tunnel, your IPv6 packet may be encapsulated inside an IPv4 or UDP packet.
10. Expand Internet Protocol Version 6 to view IPv6 details.
11. Observe the Source. This is the IPv6 address of the router where the time was exceeded.
12. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
13. Observe the Type. Notice that the type is Time Exceeded (3).
14. Observe the Code. Notice that the code is 0 (hop limit exceeded in transit).
15. Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
16. Continue selecting alternate ICMPv6 Echo Request and ICMPv6 Time Exceeded packets. Notice that the request is repeated three times for each hop limit count, and each reply indicates the IPv6 address of the router where the time to live was exceeded.
17. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide
• Wireshark: ICMPv6

The ping command has an option to configure the length or size of the buffer to be transmitted. These activities will show you how to use the ping command with a custom packet length to test the network's maximum transmission unit (MTU).

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.

To ping the default gateway with a custom packet length:

1. Open a command prompt.
2. Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
3. Type ping -l 1000 <default gateway address> where <default gateway address> is the default gateway address displayed above. For example, if the default gateway address was 192.168.1.1, you would type ping -l 1000 192.168.1.1. Then press Enter.
4. Observe the results.

To ping the default gateway with a custom packet length and do not fragment:

1. Type ping -f -l 1000 <default gateway address> and press Enter. Note the addition of the -f option to prevent fragmentation of the packet.
2. Observe the results.

To determine MTU:

1. Repeat Activity 2 but vary the length of the packet up or down as necessary until you determine the largest packet size that delivers successfully on your network. When the packet is too long, you will see an error similar to, "Packet needs to be fragmented but DF set." The maximum packet length for a standard Ethernet network is 1500 bytes, minus 20 bytes for Internet Protocol (IP) overhead, minus 8 bytes for Internet Control Message Protocol (ICMP) overhead, or an MTU of 1472. Your results are likely to be 1472 or lower, depending on the network equipment between your computer and the target host.
2. Close the command prompt to complete this activity.

• Wikipedia: Ping (networking utility)
• Wikipedia: Maximum transmission unit
• Wikipedia: Internet Protocol
• Wikipedia: Internet Control Message Protocol (ICMP)

• Microsoft TechNet: Ping

This lesson concludes the Internet layer and looks at multicasting. Activities include using Wireshark to examine multicast and Neighbor Discovery Protocol (NDP) network traffic.

1. Wikipedia: Multicast
2. Wikipedia: Multicast address
3. Wikipedia: Internet Group Management Protocol
4. Wikipedia: Multicast Listener Discovery
5. Wikipedia: Neighbor Discovery Protocol

1. YouTube: Understanding Unicast, Multicast, and Broadcast - CompTIA Network+ N10-005: 1.3
2. YouTube: Neighbor Discovery Protocol

1. Review Wireshark: Internet Group Management Protocol (IGMP).
2. Use Wireshark to capture and analyze IPv4 multicast traffic.
3. Use Wireshark to capture and analyze IPv6 multicast traffic.
4. Use Wireshark to capture and analyze ICMPv6 Neighbor Discovery Protocol (NDP) traffic.
5. Consider situations in which a packet analyzer might be used to troubleshoot multicast traffic.

• Multicast is the delivery of a message or information to a group of destination computers simultaneously in a single transmission from the source.^[1]
• Multicast uses network infrastructure efficiently by requiring the source to send a packet only once, even if it needs to be delivered to a large number of receivers. The nodes in the network take care of replicating the packet to reach multiple receivers when necessary.^[2]
• In multicast routing, there is always one source and a group of destinations. Broadcasting is a special case of muticasting in which the group contains all hosts.^[3]
• IPv4 multicast addresses were originally designated as Class D. The Classless Inter-Domain Routing (CIDR) prefix of this group is 224.0.0.0/4 and includes addresses from 224.0.0.0 through 239.255.255.255.^[4]
• The 239.0.0.0/8 range is assigned by RFC 2365 for private use within an organization.^[5]
• IPv6 multicast addresses start with ff00::/8.^[6]
• Ethernet frames with a value of 1 in the least-significant bit of the first octet of the destination address are treated as multicast (broadcast) frames and are sent to all network hosts. The recipient host Ethernet controller determines by address hashing whether to receive or drop the multicast frame.^[7]
• Ethernet IPv4 multicast frames have a destination MAC address starting with 01-00-5E-xx-xx-xx.^[8]
• Ethernet IPv6 multicast frames have a destination MAC address starting with 33-33-xx-xx-xx-xx.^[9]
• The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships. IGMP is used on IPv4 networks.^[10]
• Multicast management on IPv6 networks is handled by Multicast Listener Discovery (MLD) which uses ICMPv6 messaging in contrast to IGMP's bare IP encapsulation.^[11][12]
• Neighbor Discovery Protocol (NDP) is an Internet layer protocol in the Internet Protocol Suite used with IPv6.^[13]
• NDP is responsible for address autoconfiguration of nodes, discovery of other nodes on the link, determining the Link Layer addresses of other nodes, duplicate address detection, finding available routers and Domain Name System (DNS) servers, address prefix discovery, and maintaining reachability information about the paths to other active neighbor nodes.^[14]
• NDP defines five ICMPv6 packet types: Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement, and Redirect.^[15]

Internet Protocol television (IPTV)

A system through which television services are delivered using the Internet protocol suite over a packet-switched network such as the Internet, instead of being delivered through traditional terrestrial, satellite signal, and cable television formats.^[16]

Internet Relay Chat (IRC)

A protocol for real-time Internet text messaging (chat) or synchronous conferencing.^[17]

overlay network

A computer network which is built on the top of another network where nodes in the overlay can be thought of as being connected by virtual or logical links in the underlying physical network.^[18]

Neighbor Advertisement

An ICMPv6 NDP packet type that nodes use to respond to a Neighbor Solicitation message.^[19]

Neighbor Solicitation

An ICMPv6 NDP packet type that nodes use to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address.^[20]

peer-to-peer (P2P)

A computer network in which each computer in the network can act as a client or server for the other computers in the network.^[21]

presence information

A status indicator that conveys ability and willingness of a potential communication partner—for example a user--to communicate.^[22]

Redirect

An ICMPv6 NDP packet type that routers use to inform hosts of a better first hop for a destination.^[23]

Router Advertisement

An ICMPv6 NDP packet type that routers use to advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message.^[24]

Router Solicitation

An ICMPv6 NDP packet type that hosts use to request routers to generate Router Advertisements immediately rather than at their next scheduled time.^[25]

streaming media

Multimedia that is constantly received by and presented to an end-user while being delivered by a provider.^[26]

Click on a question to see the answer.

1. Multicast is the delivery of a message or information to _____.

   Multicast is the delivery of a message or information to a group of destination computers simultaneously in a single transmission from the source.
2. Multicast uses network infrastructure efficiently by requiring the source to send a packet _____, even if it needs to be delivered to a large number of receivers.

   Multicast uses network infrastructure efficiently by requiring the source to send a packet only once, even if it needs to be delivered to a large number of receivers.
3. In multicast routing, there is always _____.

   In multicast routing, there is always one source and a group of destinations.
4. Broadcasting is a special case of muticasting in which _____.

   Broadcasting is a special case of muticasting in which the group contains all hosts.
5. IPv4 multicast addresses were originally designated as Class _____. The Classless Inter-Domain Routing (CIDR) prefix of this group is _____ and includes addresses from _____ through _____.

   IPv4 multicast addresses were originally designated as Class D. The Classless Inter-Domain Routing (CIDR) prefix of this group is 224.0.0.0/4 and includes addresses from 224.0.0.0 through 239.255.255.255.
6. The _____ range is assigned by RFC 2365 for private multicast use within an organization.

   The 239.0.0.0/8 range is assigned by RFC 2365 for private multicast use within an organization.
7. IPv6 multicast addresses start with _____.

   IPv6 multicast addresses start with ff00::/8.
8. Ethernet frames with a value of 1 in the least-significant bit of the _____ are treated as multicast (broadcast) frames and are sent to all network hosts.

   Ethernet frames with a value of 1 in the least-significant bit of the first octet of the destination address are treated as multicast (broadcast) frames and are sent to all network hosts.
9. Ethernet IPv4 multicast frames have a destination MAC address starting with _____.

   Ethernet IPv4 multicast frames have a destination MAC address starting with 01-00-5E-xx-xx-xx.
10. Ethernet IPv6 multicast frames have a destination MAC address starting with _____.

    Ethernet IPv6 multicast frames have a destination MAC address starting with 33-33-xx-xx-xx-xx.
11. The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IPv4 networks to _____.

    The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group memberships.
12. Multicast management on IPv6 networks is handled by _____ which uses _____ messaging.

    Multicast management on IPv6 networks is handled by Multicast Listener Discovery (MLD) which uses ICMPv6 messaging.
13. Neighbor Discovery Protocol (NDP) is an _____ layer protocol in the Internet Protocol Suite used with IPv6.

    Neighbor Discovery Protocol (NDP) is an Internet layer protocol in the Internet Protocol Suite used with IPv6.
14. NDP is responsible for _____.

    NDP is responsible for address autoconfiguration of nodes, discovery of other nodes on the link, determining the Link Layer addresses of other nodes, duplicate address detection, finding available routers and Domain Name System (DNS) servers, address prefix discovery, and maintaining reachability information about the paths to other active neighbor nodes.
15. NDP defines five ICMPv6 packet types: _____.

    NDP defines five ICMPv6 packet types: Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement, and Redirect.

• Lesson Flashcards
• Terms Flashcards
• Quiz

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv4 multicast traffic.

• Wikipedia: Multicast
• Wikipedia: Multicast Address
• Wikipedia: Simple Service Discovery Protocol (SSDP)
• Wikipedia: Web Services Dynamic Discovery (WS-Discovery)

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture IPv4 multicast traffic:

1. Start a Wireshark capture.
2. In Windows, select Start and then type Network and Sharing Center in the Run box. Press Enter.
3. Select Change advanced sharing settings.
4. Note the current status of Network discovery. If it is already on, select Turn off network discovery and Save changes.
5. Select Turn on network discovery and Save changes.
6. Wait a few seconds for network discovery to generate multicast traffic.
7. If Network discovery was initially off, select Turn off network discovery and Save changes to return the status to the original setting. If network discovery was initially on, leave it on.
8. Stop the Wireshark capture.

To analyze IPv4 multicast traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. To view only IPv4 multicast traffic, type ip.addr >= 224.0.0.0 (lower case) in the Filter box and press Enter.
2. The traffic you are most likely to see is Simple Service Discovery Protocol (SSDP) traffic. You may also see Web Services Dynamic Discovery (WS-Discovery) traffic or other multicast traffic. Whatever you find, select the first frame.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 frame.
4. Expand Ethernet II to view the Ethernet details.
5. Observe the Destination address. Notice that it starts with 01:00:5e, the Ethernet multicast address for IPv4.
6. Expand Internet Protocol Version 4 to view IPv4 details.
7. Observe the Destination address. Notice that it is in the 224.0.0.0 - 239.255.255.255 IPv4 multicast range. If it is SSDP or WS-Discovery traffic, it will be addressed to 239.255.255.250.
8. Select additional frames and observe the Ethernet and IPv4 details for multicast traffic.
9. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv6 multicast traffic.

• Wikipedia: Multicast
• Wikipedia: Multicast Address
• Wikipedia: Simple Service Discovery Protocol (SSDP)
• Wikipedia: Web Services Dynamic Discovery (WS-Discovery)

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.

To capture IPv6 multicast traffic:

1. Start a Wireshark capture.
2. In Windows, select Start and then type Network and Sharing Center in the Run box. Press Enter.
3. Select Change advanced sharing settings.
4. Note the current status of Network discovery. If it is already on, select Turn off network discovery and Save changes.
5. Select Turn on network discovery and Save changes.
6. Wait a few seconds for network discovery to generate multicast traffic.
7. If Network discovery was initially off, select Turn off network discovery and Save changes to return the status to the original setting. If network discovery was initially on, leave it on.
8. Stop the Wireshark capture.

To analyze IPv6 multicast traffic:

1. Observe the traffic captured in the top Wireshark packet list pane. To view only IPv6 multicast traffic, type ipv6.addr >= ff00:: (lower case) in the Filter box and press Enter.
2. The traffic you are most likely to see is ICMPv6 and Simple Service Discovery Protocol (SSDP) traffic. You may also see Web Services Dynamic Discovery (WS-Discovery) traffic or other multicast traffic. Whatever you find, select the first frame.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 frame.
4. Expand Ethernet II to view the Ethernet details.
5. Observe the Destination address. Notice that it starts with 33:33, the Ethernet multicast address for IPv6.
6. Expand Internet Protocol Version 6 to view IPv6 details.
7. Observe the Destination address. Notice that it begins with ff (ff00::/8), the IPv6 multicast range. If it is SSDP or WS-Discovery traffic, it will be addressed to ff02::c.
8. Select additional frames and observe the Ethernet and IPv6 details for multicast traffic.
9. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

• Wireshark: User's Guide

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze ICMPv6 Neighbor Discovery Protocol (NDP) traffic.

Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.

• Wikipedia: ICMPv6
• Wikipedia: Neighbor Discovery Protocol (NDP)

To prepare for this activity:

1. Start Windows.
2. Log in if necessary.
3. Install Wireshark.