Wireshark/Arp

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Address Resolution Protocol (ARP) traffic.

Readings

 * Wikipedia: Address Resolution Protocol (ARP)
 * Wikipedia: Media Access Control (MAC) Address
 * Wikipedia: Broadcast Address
 * Wikipedia: EtherType

Multimedia

 * YouTube: Wireshark 101: Address Resolution Protocol, HakTip 124

Preparation
To prepare for this activity:
 * 1) Start your computer.
 * 2) Log in if necessary.
 * 3) Install Wireshark.

Activity 1 - Capture ARP Traffic
To capture ARP traffic:
 * 1) Start Wireshark, but do not yet start a capture.
 * 2) Open an elevated/administrator command prompt.
 * 3) Use ipconfig to display the default gateway address. Note the Default Gateway displayed.
 * 4) Start a Wireshark capture.
 * 5) Use arp -d to clear the ARP cache.
 * 6) Use ping to ping the default gateway address.
 * 7) Use arp -a to view the ARP cache and confirm an entry has been added for the default gateway address.
 * 8) Close the command prompt.
 * 9) Stop the Wireshark capture.

Activity 2 - Analyze an ARP Request
To analyze an ARP request:
 * 1) Observe the traffic captured in the top Wireshark packet list pane.  Look for traffic with ARP listed as the protocol.  To view only ARP traffic, type arp (lower case) in the Filter box and press Enter.
 * 2) Select the first ARP packet.
 * 3) Observe the packet details in the middle Wireshark packet details pane.  Notice that it is an Ethernet II / Address Resolution Protocol frame.
 * 4) Expand Ethernet II to view Ethernet details.
 * 5) Observe the Destination field.  Notice that the destination field is the Ethernet broadcast address (FF:FF:FF:FF:FF:FF).  All devices on the network will receive the ARP request.
 * 6) Observe the Source field. This should contain your MAC address. You can use ipconfig /all, getmac, or ifconfig to confirm.
 * 7) Observe the Type field.  Notice that the type is 0x0806, indicating ARP.
 * 8) Expand Address Resolution Protocol (request) to view ARP details.
 * 9) Observe the Sender MAC address.  Notice that the sender MAC address is your MAC address.
 * 10) Observe the Sender IP address.  Notice that the sender IP address is your IP address.
 * 11) Observe the Target MAC address.  Notice that the target MAC address is all zeros, because the target MAC address is unknown at this point.
 * 12) Observe the Target IP address.  Notice that the target IP address is the IP address of the default gateway.

Activity 3 - Analyze an ARP Reply
To analyze an ARP reply:
 * 1) Select the second ARP packet.
 * 2) Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Address Resolution Protocol frame. Confirm in the middle packet details pane that the packet is labeled Address Resolution Protocol (reply).
 * 3) Expand Ethernet II to view Ethernet details.
 * 4) Observe the Destination field.  Notice that the destination field is your MAC address.
 * 5) Observe the Source field.  This should be the MAC address of the default gateway.
 * 6) Observe the Type field.  Notice that the type is 0x0806, indicating ARP.
 * 7) Expand Address Resolution Protocol (reply) to view ARP details.
 * 8) Observe the Sender MAC address.  Notice that the sender MAC address is the MAC address of the default gateway.
 * 9) Observe the Sender IP address.  Notice that the sender IP address is the IP address of the default gateway.
 * 10) Observe the Target MAC address. Notice that the target MAC address is your MAC address.
 * 11) Observe the Target IP address. Notice that the target IP address is your IP address.
 * 12) Close Wireshark to complete this activity.  Quit without Saving to discard the captured traffic.
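As an added example that is not part of the original activity, the Python script below builds two constructed frames shaped like the ARP request and reply examined in Activities 2 and 3 and decodes the fields the steps ask you to observe: Ethernet destination, source and EtherType 0x0806, the ARP opcode, and the sender/target MAC and IP addresses. The MAC and IP values are made up, and the helper names (build_arp, parse_arp_frame) are this example's own; the parser also reports whether the ARP sender MAC matches the Ethernet source MAC, a consistency check a defender would want when reviewing ARP traffic.

```python
import struct

# Constructed sample addresses (made up, not from a real capture).
HOST_MAC = bytes.fromhex("0a1b2c3d4e5f")
GW_MAC = bytes.fromhex("001122334455")
HOST_IP = bytes([192, 168, 1, 10])
GW_IP = bytes([192, 168, 1, 1])
BROADCAST = b"\xff" * 6   # Ethernet broadcast address ff:ff:ff:ff:ff:ff
ZERO_MAC = b"\x00" * 6    # placeholder target MAC in a request

def build_arp(dst_mac, src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth_header = dst_mac + src_mac + struct.pack("!H", 0x0806)  # EtherType 0x0806 = ARP
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode (1 request, 2 reply)
    arp_header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return eth_header + arp_header + sender_mac + sender_ip + target_mac + target_ip

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)
def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp_frame(frame):
    """Decode the Ethernet II and ARP fields that Activities 2 and 3 inspect."""
    if len(frame) < 42:  # 14-byte Ethernet II header + 28-byte ARP packet
        raise ValueError("frame too short for Ethernet II + ARP")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0806:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    body = frame[22:42]
    sender_mac, sender_ip, target_mac, target_ip = body[0:6], body[6:10], body[10:16], body[16:20]
    return {
        "opcode": {1: "request", 2: "reply"}.get(opcode, f"unknown({opcode})"),
        "eth_dst": mac_str(dst), "eth_src": mac_str(src),
        "eth_dst_is_broadcast": dst == BROADCAST,
        "sender_mac": mac_str(sender_mac), "sender_ip": ip_str(sender_ip),
        "target_mac": mac_str(target_mac), "target_ip": ip_str(target_ip),
        "target_mac_is_zero": target_mac == ZERO_MAC,
        # ARP sender MAC should match the Ethernet source MAC; a mismatch is worth a look.
        "sender_matches_eth_src": sender_mac == src,
    }

# The two frames the activities examine: broadcast request from the host, unicast reply from the gateway.
REQUEST = build_arp(BROADCAST, HOST_MAC, 1, HOST_MAC, HOST_IP, ZERO_MAC, GW_IP)
REPLY = build_arp(HOST_MAC, GW_MAC, 2, GW_MAC, GW_IP, HOST_MAC, HOST_IP)
```

Run parse_arp_frame(REQUEST) and parse_arp_frame(REPLY) to see the same field values the Wireshark details pane shows for steps 5 through 12 of each activity.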