Wireshark/ICMP Trace
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze tracert/traceroute traffic. Tracing routes is accomplished through the use of Internet Control Message Protocol (ICMP) Time Exceeded.
Readings
editPreparation
editTo prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture Tracert Traffic
editTo capture ICMP tracert traffic:
- Start a Wireshark capture.
- Open a command prompt.
- Type tracert -d 8.8.8.8 and press Enter to trace the route to one of Google's public DNS servers. The -d option prevents DNS name resolution, which in this case will improve performance and reduce the amount of captured traffic.
- When the trace is complete, close the command prompt.
- Stop the Wireshark capture.
Activity 2 - Analyze Tracert Traffic
editTo analyze tracert traffic:
- Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To view only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
- Select the first ICMP packet, labeled Echo (ping) request.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
- Expand Internet Protocol Version 4 to view IPv4 details.
- Observe the Time to live. Notice that the time to live is set to 1.
- Expand Internet Control Message Protocol to view ICMP details.
- Observe the Type. Notice that the type is 8 (Echo (ping) request). Tracert is performed through a series of ICMP Echo requests, varying the Time-To-Live (TTL) until the destination is found.
- In the top Wireshark packet list pane, select the second ICMP packet, labeled Time-to-live exceeded.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
- Expand Internet Protocol Version 4 to view IPv4 details.
- Observe the Source. This is the IP address of the router where the time was exceeded.
- Expand Internet Control Message Protocol to view ICMP details.
- Observe the Type. Notice that the type is 11 (Time-to-live exceeded).
- Observe the Code. Notice that the code is 0 (Time to live exceeded in transit).
- Observe the fields that follow. Notice that the contents of the request packet are returned with the time exceeded error.
- Continue selecting alternate ICMP Echo Request and ICMP Time-To-Live Exceeded packets. Notice that the request is repeated three times for each time-to-live count, and each reply indicates the IP address of the router where the time to live was exceeded.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.