Full Practical

These are the important queries for Wireshark sorting.

Practicals of CNAM Subject List

Practical 1) Capture the Data Packets using Wireshark Tool using

a) HTTP Protocol
b) TCP Protocol
c) UDP Protocol

Ans:-

In Wireshark, you can use display filters to focus on specific protocols like HTTP, TCP, and
UDP. Here are the commands for filtering these protocols:

1. HTTP Filter Commands

HTTP operates over TCP, typically on port 80 (unencrypted). To filter HTTP traffic, you can use
the following filters:

• Filter for all HTTP traffic:

http

• Filter for HTTP GET requests:

http.request.method == "GET"

• Filter for HTTP POST requests:

http.request.method == "POST"

• Filter for HTTP requests only:

http.request

• Filter for HTTP responses only:

http.response

• Filter for HTTP traffic on a specific IP:

ip.addr == 192.168.1.100 && http

2. TCP Filter Commands

TCP is a connection-oriented protocol. You can filter based on different TCP parameters.

• Filter for all TCP traffic:

tcp

• Filter for TCP traffic on a specific port (e.g., port 80):

tcp.port == 80

• Filter for TCP traffic from a specific IP:

ip.src == 192.168.1.100 && tcp

• Filter for TCP traffic to a specific IP:

ip.dst == 192.168.1.100 && tcp

3. UDP Filter Commands

UDP is a connectionless protocol, often used for DNS, DHCP, and other lightweight protocols.

• Filter for all UDP traffic:

udp

• Filter for UDP traffic on a specific port (e.g., DNS on port 53):

udp.port == 53

• Filter for UDP traffic from a specific IP:

ip.src == 192.168.1.100 && udp

• Filter for UDP traffic to a specific IP:

ip.dst == 192.168.1.100 && udp

Combining Filters

You can combine these filters using logical operators like && (AND), || (OR), and ! (NOT).

• Example: Filter for HTTP and TCP traffic:

http && tcp

• Example: Filter for non-HTTP TCP traffic:

tcp && !http

These filters can help you focus on the specific network traffic you want to analyze in
Wireshark.

Practical No-2 Ethernet Traffic Distribution By Protocols

Ans:-

To fill in the Ethernet Traffic Distribution by Protocols table, you can follow these steps
using Wireshark:

Steps:

1. Capture traffic using Wireshark for a specific period.
2. After the capture, go to:
o Statistics > Protocol Hierarchy
o This will display the traffic distribution by protocol.
3. Record the traffic data (in MiB and percentage) for the required protocols from the protocol
hierarchy.

Table to Fill

Nr   Protocol   Traffic, MiB       Traffic, %
1    IPv6       (from Wireshark)   (from Wireshark)
2    IPv4       (from Wireshark)   (from Wireshark)
3    --UDP      (from Wireshark)   (from Wireshark)
4    --TCP      (from Wireshark)   (from Wireshark)
5    --ICMP     (from Wireshark)   (from Wireshark)
6    ARP        (from Wireshark)   (from Wireshark)
SUM             (calculated)       100%

After recording the data from Protocol Hierarchy, the sum of the traffic percentages should
be 100%.

Ratio of Application to Service Protocols

To find the ratio of application protocols to service protocols:

Application Protocols:

• These typically include HTTP, FTP, Mail (SMTP/POP/IMAP), DNS over UDP/TCP, etc.
• These are higher-level protocols used by applications.

Service Protocols:

• These include DNS, ICMP, ARP, and any protocol used for network services and control.
• Examples: ARP, ICMP, DHCP, DNS (in service context), etc.

Steps to Calculate the Ratio:

1. Count the number of packets for application protocols (e.g., HTTP, FTP, etc.).
o You can get this from the Protocol Hierarchy under the appropriate sections (e.g., HTTP
under TCP).
2. Count the number of packets for service protocols (e.g., DNS, ICMP, ARP, etc.).
o Again, get this from the Protocol Hierarchy.
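As an added example (not part of the original practical), the Python below reproduces the table above from constructed per-protocol counts: the percentages are taken against the total bytes of the top-level rows, so the SUM row comes to 100% while the "--" rows are subtotals inside IPv4, and the application-to-service ratio is computed from packet counts with DNS on the service side as in step 2. The counts, MiB values and the protocol groupings are assumptions.

```python
MIB = 1024 * 1024

# Constructed per-protocol byte and packet counts (not from a real capture), shaped like the
# rows of Statistics > Protocol Hierarchy: a child row's bytes are already counted in its
# parent's row, which is why only the top-level rows go into the SUM.
ROWS = [
    # protocol, parent, bytes, packets
    ("IPv6", None, 4 * MIB, 3_000),
    ("IPv4", None, 44 * MIB, 52_000),
    ("UDP", "IPv4", 6 * MIB, 9_000),
    ("DNS", "UDP", 6 * MIB, 9_000),
    ("TCP", "IPv4", 37 * MIB, 42_000),
    ("HTTP", "TCP", 20 * MIB, 18_000),
    ("ICMP", "IPv4", 1 * MIB, 1_000),
    ("ARP", None, 2 * MIB, 5_000),
]

# Protocol grouping assumed for the ratio; DNS is counted on the service side as in step 2.
APPLICATION = ("HTTP", "FTP", "SMTP", "POP", "IMAP")
SERVICE = ("DNS", "ICMP", "ARP", "DHCP")

def depth(protocol, parents):
    """Number of ancestors of a row (0 for a top-level row such as IPv4)."""
    level = 0
    while parents[protocol] is not None:
        protocol, level = parents[protocol], level + 1
    return level

def hierarchy_table(rows=ROWS):
    """Rows of the 'Table to Fill' as dicts, with a closing SUM row.

    Traffic, % is taken against the capture total, i.e. the sum of the top-level rows."""
    parents = {name: parent for name, parent, _, _ in rows}
    total = sum(nbytes for _, parent, nbytes, _ in rows if parent is None)
    table = []
    for nr, (name, _parent, nbytes, _packets) in enumerate(rows, start=1):
        table.append({"nr": nr, "protocol": "--" * depth(name, parents) + name,
                      "mib": round(nbytes / MIB, 2), "pct": round(100 * nbytes / total, 2)})
    top_level_pct = sum(r["pct"] for r in table if not r["protocol"].startswith("--"))
    table.append({"nr": "SUM", "protocol": "", "mib": round(total / MIB, 2),
                  "pct": round(top_level_pct, 2)})
    return table

def app_service_ratio(rows=ROWS, application=APPLICATION, service=SERVICE):
    """Application-protocol packets divided by service-protocol packets (None if none)."""
    packets = {name: count for name, _, _, count in rows}
    app = sum(packets.get(name, 0) for name in application)
    svc = sum(packets.get(name, 0) for name in service)
    return round(app / svc, 3) if svc else None

def render(table):
    """Plain-text rendering in the layout of the table above."""
    lines = [f"{'Nr':>4} {'Protocol':<10} {'Traffic, MiB':>13} {'Traffic, %':>11}"]
    for row in table:
        lines.append(f"{str(row['nr']):>4} {row['protocol']:<10} "
                     f"{row['mib']:>13.2f} {row['pct']:>11.2f}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(hierarchy_table()))
    print("application : service =", app_service_ratio())
```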

Practical – 3 Capture File Properties to find Load “L”.

To fill in the table based on Wireshark's Capture File Properties and compute the relative
network load (L), follow these steps:

Steps:

1. Open Wireshark and start capturing packets.
2. After capturing a few minutes of network traffic, go to:
o Statistics > Capture File Properties
o You will find the required data like time of capture, packets, bytes, and average
packet size.

Table to Fill

Nr Parameter Value
1 Time of capture, min (from Wireshark)
2 Packets (from Wireshark)
3 Bytes, MiB (from Wireshark)
4 Average packet size, B (from Wireshark)
5 Average packets per second, pps (from Wireshark)
6 Average bytes per second, B/s (from Wireshark)
7 Relative Network Load, L (%) Calculated (see below)

Practical 4 – Capture Data Packets using Wireshark Tool Using IPv4 and IPv6 Protocol filter
commands
This is for IPv4

Basic IPv4 Filters:

• All IPv4 traffic:

ip

• IPv4 address filter (source or destination):

o For a specific IP address:

ip.addr == 192.168.1.1

o For a specific source IP address:

ip.src == 192.168.1.1

o For a specific destination IP address:

ip.dst == 192.168.1.1

• Exclude a specific IP address:

!(ip.addr == 192.168.1.1)

IPv4 Fragmentation Filters:

• Filter fragmented IPv4 packets:

ip.flags.mf == 1

(This matches every fragment except the last one, which has the More Fragments flag clear
but a non-zero offset; ip.flags.mf == 1 || ip.frag_offset > 0 catches all fragments.)

• Filter non-fragmented IPv4 packets:

ip.flags.mf == 0 and ip.frag_offset == 0

IPv4 Length and TTL Filters:

• Filter packets based on total length (e.g., for packets larger than 1500 bytes):

ip.len > 1500

• Filter packets based on TTL (Time to Live):

o For packets with a TTL value of 64:

ip.ttl == 64

o For packets with a TTL value greater than 128:

ip.ttl > 128

This is for IPv6

Here are some easy and commonly used IPv6 filter commands for Wireshark:

1. Show all IPv6 traffic:

ipv6

2. Filter by source IPv6 address:

ipv6.src == <source-ipv6-address>

Example

ipv6.src == 2001:db8::1

3. Filter by destination IPv6 address:

ipv6.dst == <destination-ipv6-address>

Example:

ipv6.dst == 2001:db8::2

4. Filter by any IPv6 address (source or destination):

ipv6.addr == <ipv6-address>

Example:

ipv6.addr == 2001:db8::1

5. Filter ICMPv6 traffic:

icmpv6

6. Filter multicast traffic (IPv6 multicast address):

ipv6.dst[0] == ff

7. Filter by IPv6 Traffic Class:

• To filter traffic with a specific traffic class:

ipv6.tclass == <value>

• Example:

ipv6.tclass == 0x10

8. To filter for IPv6 packets with a specific source address and ICMPv6 type:

ipv6.src == 2001:db8::1 and icmpv6.type == 135

Practical – 5

Customizing Wireshark for Specific Analysis

Objective: Customize Wireshark interface and functionalities for better analysis.

Tasks: 1) Create custom columns to display additional packet information.
2) Apply custom coloring rules to highlight specific traffic types.

Ans:- To customize Wireshark for specific analysis, you can create custom columns and apply
custom coloring rules to enhance the visibility and analysis of packet data. Here's how you can
accomplish these tasks:

1. Create Custom Columns

Custom columns allow you to display additional information in Wireshark’s packet list, such as
specific protocol fields or packet properties.

Steps to Create Custom Columns:

1. Open Wireshark and start capturing or load a pcap file.

2. Right-click on any existing column header (like "No." or "Source") and choose
"Column Preferences...".
3. In the Column Preferences window:
o Click the "+" button to add a new column.
o You’ll see a new entry like "New Column".
o In the Title field, give your column a meaningful name (e.g., "TCP Flags",
"TTL", etc.).

4. Assign a field to the column:

o Click on the new column you added, and in the Fields section, enter the display
filter name of the field you want to add.
o For example, to display the Time to Live (TTL), use:

ip.ttl

o For TCP Flags, use:

tcp.flags

5. Click OK to save the changes. The new column will now appear in the packet list,
displaying the chosen field.

Common Custom Columns:

• Source Port:

tcp.srcport or udp.srcport

• Destination Port:

tcp.dstport or udp.dstport

• TCP Sequence Number:

tcp.seq

• ICMP Type:

icmp.type

2. Apply Custom Coloring Rules


Custom coloring rules make it easier to visually distinguish specific types of traffic or packets of
interest.

Steps to Apply Custom Coloring Rules:

1. Go to "View" > "Coloring Rules..." from the Wireshark menu.
2. In the Coloring Rules window:
o Click the "+" button to add a new coloring rule.
o A new rule will be created at the bottom of the list.
3. Define your rule:
o In the "Name" column, give your rule a meaningful name (e.g., "TCP Traffic",
"ICMP Packets").
o In the "Filter" column, enter the filter expression for the traffic you want to
highlight.
4. Assign colors:
o Foreground color: This will be the text color for the packets matching your filter.
o Background color: This will be the background color for those packets.
5. Click OK to save your new coloring rule. The packets that match the rule will now be
highlighted in the chosen colors.

Example Coloring Rules:

• ICMP Traffic:
o Filter: icmp
o Foreground: White
o Background: Red (to highlight ICMP traffic like pings)
• TCP Traffic:
o Filter: tcp
o Foreground: Black
o Background: Light Green (to easily identify TCP traffic)
• UDP Traffic:
o Filter: udp
o Foreground: Black
o Background: Light Blue (for UDP traffic)
• DNS Requests:
o Filter: dns
o Foreground: Black
o Background: Yellow (to highlight DNS queries)

3. Organize and Prioritize Coloring Rules

• You can move your rules up or down in the list to prioritize which rules should apply
first.
• The topmost rules in the list take precedence, so more general rules like "TCP traffic"
should be lower, while more specific ones (like DNS or ICMP) should be higher.

Summary:

• Custom Columns help you display specific packet details, such as TTL, TCP Flags, or
custom protocol information.
• Coloring Rules enhance visual analysis by highlighting different traffic types, making
important patterns or issues stand out.

By customizing Wireshark this way, you can streamline your analysis process for specific types
of traffic or protocol behaviors.
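The following Python is an added example and not part of the original practical: a small evaluator for the display-filter syntax used in Practicals 1 and 4 (bare protocol names, ==, !=, <, >, &&/and, ||/or, !/not and parentheses), run over three constructed packets, plus a first-match walk over the Practical 5 coloring rules to show why their order matters. The packet contents and the rule list are assumptions; Wireshark's real filter engine is far richer than this.

```python
import re

# Constructed sample packets (not from a real capture): each dict carries the Wireshark
# field names used by the filters on this page, plus the protocol layers present.
PACKETS = [
    {"_protos": {"ip", "tcp", "http"}, "ip.src": "192.168.1.100", "ip.dst": "10.0.0.5",
     "tcp.port": 80, "http.request.method": "GET", "ip.ttl": 64},
    {"_protos": {"ip", "tcp"}, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9",
     "tcp.port": 443, "ip.ttl": 255},
    {"_protos": {"ip", "udp", "dns"}, "ip.src": "192.168.1.100", "ip.dst": "192.168.1.1",
     "udp.port": 53, "ip.ttl": 64},
]

TOKEN = re.compile(r'\s*(&&|\|\||==|!=|>=|<=|>|<|!|\(|\)|"[^"]*"|[\w.:]+)')
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def tokenize(expr):
    pos, out = 0, []
    while pos < len(expr.rstrip()):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize filter near {expr[pos:]!r}")
        # "and", "or" and "not" are Wireshark's spelled-out forms of &&, || and !
        out.append({"and": "&&", "or": "||", "not": "!"}.get(m.group(1), m.group(1)))
        pos = m.end()
    return out

def literal(tok):
    # decimal or 0x.. numbers become ints; quoted strings and IP addresses stay text
    if re.fullmatch(r"\d+|0[xX][\da-fA-F]+", tok):
        return int(tok, 16) if tok[:2].lower() == "0x" else int(tok)
    return tok.strip('"')

# Recursive descent: || binds loosest, then &&, then ! and comparisons; () overrides.
def parse(expr):
    tokens = tokenize(expr)
    node = expr_or(tokens)
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return node

def binary(t, op, kind, operand):
    node = operand(t)
    while t and t[0] == op:
        t.pop(0)
        node = (kind, node, operand(t))
    return node

def expr_or(t): return binary(t, "||", "or", expr_and)
def expr_and(t): return binary(t, "&&", "and", primary)

def primary(t):
    tok = t.pop(0)
    if tok == "!":
        return ("not", primary(t))
    if tok == "(":
        node = expr_or(t)
        t.pop(0)                          # the closing ")"
        return node
    if t and t[0] in OPS:
        return ("cmp", tok, t.pop(0), literal(t.pop(0)))
    return ("proto", tok)                 # bare protocol name such as http or arp

def matches(node, pkt):
    kind = node[0]
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "proto":
        return node[1] in pkt["_protos"]
    _, field, op, value = node
    # ip.addr means "ip.src or ip.dst", so ip.addr != x is true whenever either address
    # differs; that is why the page excludes a host with !(ip.addr == x) instead.
    names = ("ip.src", "ip.dst") if field == "ip.addr" else (field,)
    return any(OPS[op](pkt[n], value) for n in names if n in pkt)  # absent field: no match

def apply_filter(expr, packets=PACKETS):
    """Indexes of the packets that the display filter keeps."""
    return [i for i, p in enumerate(packets) if matches(parse(expr), p)]

# Coloring rules from Practical 5 in list order: the first matching rule wins.
COLORING_RULES = [("DNS Requests", "dns"), ("ICMP Traffic", "icmp"),
                  ("TCP Traffic", "tcp"), ("UDP Traffic", "udp")]

def colour_for(pkt, rules=COLORING_RULES):
    for name, expr in rules:
        if matches(parse(expr), pkt):
            return name
    return None
```

Reversing COLORING_RULES makes the DNS packet fall under the general "UDP Traffic" rule, which is the ordering mistake the section above warns about.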

Practical – 6

Statistics and Visualization

Objective: Use Wireshark’s statistical tools to summarize and visualize network traffic.
Tasks: 1) Generate protocol hierarchy statistics to see the distribution of protocols.
2) Create and analyze IO graphs to visualize traffic trends over time.
3) Use flow graphs to visualize and understand the sequence of packet exchanges
between endpoints.
Ans:-
Using Wireshark’s statistical tools is a powerful way to summarize and visualize network traffic,
allowing you to gain insights into protocol usage, traffic patterns, and the sequence of packet
exchanges between endpoints. Here’s how you can accomplish each of the tasks you mentioned:

Task 1: Generate Protocol Hierarchy Statistics

Protocol Hierarchy Statistics give you a breakdown of the different protocols present in your
capture, showing you how the traffic is distributed among them.

Steps:
1. Open Wireshark and Load the Capture File:
Start Wireshark and either begin capturing traffic or open a pre-existing capture
file.
2. Access Protocol Hierarchy Statistics:
Go to the menu and click on Statistics > Protocol Hierarchy.
3. View the Hierarchy:
A new window will open, displaying the protocol hierarchy. This window shows
the protocols in a tree structure, with each protocol layer broken down by its
percentage of the total packets and bytes in the capture.
The statistics include the count and percentage of packets for each protocol,
making it easy to see which protocols dominate the network traffic.
4. Analyze the Data:
Review the hierarchy to understand the distribution of protocols in your capture.
For example, you might see a large percentage of HTTP traffic, indicating web
browsing activity, or a significant amount of DNS traffic, indicating many domain
name lookups.
5. Export the Statistics (Optional):
You can export the protocol hierarchy data by clicking the Copy button or
exporting it as a CSV file for further analysis in other tools.

Task 2: Create and Analyze IO Graphs

IO Graphs (Input/Output Graphs) allow you to visualize traffic trends over time, helping you
identify patterns, spikes, or drops in traffic.
Steps:
1. Open Wireshark and Load the Capture File:
Open the capture file that you want to analyze.
2. Access IO Graphs:
Go to the menu and click on Statistics > IO Graphs.
3. Configure the Graph:
The IO Graphs window will open with a default graph showing packets per
second over time.

Customize the Display:

• Add Graphs: Several graphs can share the window, each with
different data sources or filters for each graph.
• Apply Filters: Use display filters to plot particular kinds of
traffic to compare their trends over time.
• Set Y Axis: Choose what you want to plot on the Y-axis, such as the number of
packets, bytes, or specific field values.
• Set X Axis: The X-axis typically represents time, but you can adjust the interval
(e.g., every second, every minute) depending on your needs.

4. Analyze the Graphs:
Use the graphs to identify trends in the traffic. For example, you might see
periodic spikes in traffic that correlate with specific events (e.g., a file download
or a backup operation).
You can highlight different segments of the graph to zoom in on specific time
periods.
5. Export the Graph (Optional):
You can export the graph as an image or save the graph data for further analysis.

Task 3: Use Flow Graphs to Visualize and Understand Packet Sequences

Flow Graphs provide a visual representation of the sequence of packet exchanges between
endpoints, making it easier to follow conversations and understand how data flows across the
network.

Steps:
1. Open Wireshark and Load the Capture File:
Open the relevant capture file in Wireshark.
2. Access Flow Graphs:
Go to Statistics > Flow Graph.
3. Configure the Flow Graph:
The Flow Graph window will open, allowing you to configure how the graph is
displayed.

Set the Flow Type:

• Choose TCP Flows, UDP Flows, ICMP Flows, or All Flows.
• Show both directions of a conversation (A -> B and B -> A) or just one.
• Apply a display filter first to limit the graph (e.g., ip.addr ==
192.168.1.1 to show only traffic to/from a specific IP).

4. View the Flow Graph:
The Flow Graph will display lines between endpoints, with arrows representing
the direction of traffic and labels showing key information (e.g., SYN, ACK, FIN
for TCP traffic).

Analyze the Sequence:

Follow the arrows between endpoints to understand the sequence of events. This
can be particularly useful for troubleshooting issues like connection resets,
delays, or retransmissions.

Identify Anomalies: Look for unusual patterns or disruptions in the flow, which
might indicate problems such as packet loss or out-of-order delivery.

5. Export the Flow Graph (Optional):
You can export the flow graph as an image or text file for documentation or
further analysis.

Practical 7
Examine DNS Requests and Response
Objective: Capture and analyze DNS traffic.

To capture and analyze DNS traffic, you can use network analysis tools like Wireshark. Below
are the detailed steps for capturing and analyzing DNS traffic:

1. Start a Capture Session

1. Open Wireshark: Launch the Wireshark application on your computer.
2. Select the Network Interface: Choose the network interface you want to capture traffic on.
This is usually the interface that is connected to the network (e.g., Wi-Fi or Ethernet).
3. Start Capture: Click the "Start Capturing Packets" button (often a shark fin icon) to begin
capturing network traffic.

2. Use a Display Filter to Isolate DNS Traffic

1. Apply Display Filter: Once you start capturing, you will see a lot of network traffic. To focus
on DNS traffic, apply a display filter.
2. Filter for DNS: In the display filter bar, type dns and press Enter. This filter will isolate only
DNS packets from the rest of the traffic.

3. Analyze DNS Queries and Responses

1. Inspect DNS Queries: Look at the DNS query packets to see what domain names are being
requested. You can click on a packet to see its details. A DNS query typically has the following
fields:
• Transaction ID: A unique identifier for the request.
• Flags: Indicate whether the query is standard or recursive.
• Questions: Shows the domain names being queried.
• Type: Specifies the type of DNS record requested (e.g., A, AAAA, MX).

2. Inspect DNS Responses: Analyze DNS response packets to see how the queries were
resolved. The response will include:

Example Analysis:
DNS Query: You might see a packet with a query for www.example.com. The type field in
the query might show A if it's requesting an IPv4 address.
DNS Response: The response packet might show that www.example.com resolves to
93.184.216.34. It will have the same Transaction ID as the query, and the response will include
the IP address in the "Answers" section.

Additional Tips:

Follow Streams: Wireshark allows you to follow the DNS stream to see the entire conversation
between the client and server.
Statistics: Use Wireshark's statistics tools to get an overview of DNS traffic, including the
number of queries and responses, as well as any potential issues.

By following these steps, you can effectively capture and analyze DNS traffic to understand how
domain names are resolved on your network.
Wireshark provides a range of display filters to help you isolate and analyze DNS traffic more
precisely. Here’s a comprehensive list of useful DNS-related display filters you can use in
Wireshark:

Basic DNS Filter

dns
Purpose: Displays all DNS packets (both queries and responses).

Filtering DNS Queries

• dns.flags.response == 0
Purpose: Shows DNS queries (requests for information).

• dns.qry.name == "example.com"
Purpose: Displays DNS packets whose question is a specific domain (e.g., example.com). The
question section is echoed in responses, so add && dns.flags.response == 0 to see queries only.

• dns.qry.type == 1
Purpose: Shows DNS queries for A records (IPv4 addresses). For other record types,
change the number (e.g., 28 for AAAA, 15 for MX).

Filtering DNS Responses

• dns.flags.response == 1
Purpose: Shows DNS responses (answers to queries).

• dns.a == 93.184.216.34
Purpose: Displays DNS responses containing a specific IP address (e.g., 93.184.216.34).

• dns.resp.name == "example.com"
Purpose: Displays DNS responses for a specific domain.

Filtering Based on DNS Record Type

• dns.qry.type == 1
Purpose: Filters DNS queries for A records.

• dns.qry.type == 28
Purpose: Filters DNS queries for AAAA records (IPv6 addresses).

Filtering DNS Transactions

• dns.id == 12345
Purpose: Filters DNS packets with a specific transaction ID (useful for tracking a
particular query and response).

Filtering by DNS Flags

• dns.flags.qr == 1
Purpose: Displays DNS response packets (where the QR flag is set to 1).

• dns.flags.qr == 0
Purpose: Displays DNS query packets (where the QR flag is set to 0).

• dns.flags.rcode == 3
Purpose: Shows DNS responses with a specific response code, such as "Name Error"
(Non-Existent Domain).

Combining Filters
You can combine filters to refine your search. For example:

Practical Tips

Auto-complete: Wireshark’s filter bar supports auto-completion. As you start typing a filter
expression, Wireshark will suggest possible completions.

Save Filters: You can save frequently used filters in Wireshark for easy access later.

Use Colorization: You can set up color rules in Wireshark to highlight DNS packets based on
specific filters or criteria, which can help in quickly identifying important traffic.

By using these filters, you can effectively drill down into DNS traffic and analyze specific
aspects of DNS queries and responses.
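As an added example (not part of the original practical), the Python below builds a constructed query for www.example.com with transaction ID 12345 and its A response pointing at 93.184.216.34, then parses both messages to recover the fields behind dns.id, dns.flags.response, dns.flags.rcode, dns.qry.name, dns.qry.type and dns.a, handling the name-compression pointer a real response uses; match_transactions pairs queries with responses by ID the way dns.id == 12345 isolates them in Wireshark. The flag values and TTL in the constructed messages are assumptions.

```python
import struct

def encode_name(name):
    """Wire form of a domain name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier copy of the name
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_dns(msg):
    """Extract the fields that the dns.* display filters on this page test."""
    ident, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
    fields = {"dns.id": ident, "dns.flags.response": flags >> 15,
              "dns.flags.rcode": flags & 0xF, "dns.qry.name": None,
              "dns.qry.type": None, "dns.a": []}
    off = 12
    for _ in range(qdcount):
        fields["dns.qry.name"], off = read_name(msg, off)
        fields["dns.qry.type"], _ = struct.unpack_from("!HH", msg, off)
        off += 4
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:             # A record: an IPv4 address
            fields["dns.a"].append(".".join(str(b) for b in rdata))
    return fields

def build_query(ident, name, qtype=1):
    """Constructed standard query (recursion desired) for one name."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, rcode=0, address=None):
    """Constructed response to `query`: same transaction ID, QR=1, optional A answer."""
    ident = struct.unpack_from("!H", query, 0)[0]
    answer = b""
    if address:
        answer = (b"\xC0\x0C"                     # pointer to the question name at offset 12
                  + struct.pack("!HHIH", 1, 1, 300, 4)
                  + bytes(int(x) for x in address.split(".")))
    header = struct.pack("!6H", ident, 0x8180 | rcode, 1, 1 if address else 0, 0, 0)
    return header + query[12:] + answer

def match_transactions(messages):
    """Pair queries with their responses by transaction ID."""
    pairs = {}
    for m in map(parse_dns, messages):
        slot = pairs.setdefault(m["dns.id"], {"query": None, "responses": []})
        if m["dns.flags.response"]:
            slot["responses"].append(m)
        else:
            slot["query"] = m
    return pairs

if __name__ == "__main__":
    q = build_query(12345, "www.example.com")
    r = build_response(q, address="93.184.216.34")
    for msg in (q, r, build_response(build_query(12346, "nope.example.com"), rcode=3)):
        print(parse_dns(msg))
```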
Colorization in Wireshark helps visually distinguish different types of network traffic, making it
easier to identify and analyze specific packets. You can set up color rules to highlight packets
based on various criteria, including DNS traffic. Here's a step-by-step guide to setting up and
using colorization in Wireshark:
Setting Up Colorization in Wireshark

1. Open Wireshark: Launch the Wireshark application.
2. Start a Capture Session: Begin capturing network traffic or open a previously saved capture
file.
3. Access the Colorization Rules:
• Go to the View menu and select Coloring Rules.
• Alternatively, you can navigate to Preferences (under the Edit menu), then find
Coloring Rules on the left sidebar.
4. Add a New Color Rule:
• In the Coloring Rules window, click the + (Add) button to create a new color rule.
• Alternatively, click Edit to modify an existing rule.
5. Configure the Color Rule:
• Name: Enter a descriptive name for the rule (e.g., "DNS Traffic").
• Filter: Enter a display filter expression for the traffic you want to highlight. For example:
o To highlight DNS queries: dns.flags.response == 0
o To highlight DNS responses: dns.flags.response == 1
• Foreground Color: Choose a text color for the packet details.
• Background Color: Choose a background color for the packet list row.
• Click OK to apply the color rule.
6. Apply and Save:
• Once you’ve configured the color rule, it will be added to the list in the Coloring Rules
window.
• You can reorder the rules by selecting them and using the Move Up or Move Down
buttons to prioritize which colors appear on overlapping filters.
• Click OK to apply the rules and close the window.

Example Colorization Rules

Here are some common examples of colorization rules you might set up for DNS traffic:

• Highlight DNS Queries:
o Name: DNS Queries
o Filter: dns.flags.response == 0
o Foreground Color: White
o Background Color: Blue
• Highlight DNS Responses:
o Name: DNS Responses
o Filter: dns.flags.response == 1
o Foreground Color: White
o Background Color: Green
• Highlight DNS Errors:
o Name: DNS Errors
o Filter: dns.flags.rcode != 0
o Foreground Color: Black
o Background Color: Red

Tips for Effective Use

• Contrast: Choose colors that contrast well with each other and the default background to
ensure readability.
• Overlapping Rules: If multiple rules apply to the same packet, the rule highest in the list
takes precedence, so place the more specific rules (such as DNS Errors) above the general ones.
• Testing: After applying color rules, observe the packet list to ensure the colors are
applied as expected and make adjustments if necessary.

Colorization in Wireshark enhances your ability to quickly identify and analyze different
types of network traffic, making it a powerful tool for network troubleshooting and
analysis.

Practical - 8
Identify and Analyze ARP Traffic

Objective: Capture and analyze Address Resolution Protocol (ARP) packets.

Steps: Start a capture session. Apply a filter for ARP traffic (arp).

Ans :- Analyzing Address Resolution Protocol (ARP) traffic with Wireshark helps you
understand how IP addresses are mapped to MAC addresses on your network. Here’s a step-by-
step guide to capturing and analyzing ARP packets:

1. Start a Capture Session

a. Open Wireshark
Launch Wireshark on your computer.

b. Select the Network Interface
Choose the network interface that you want to capture traffic on. This is typically the interface
through which your computer connects to the network.

c. Begin Capturing Packets
Click the “Start Capturing Packets” button (usually a green shark fin icon) to begin capturing
traffic on the selected interface.

2. Apply a Filter for ARP Traffic

a. Use the Display Filter for ARP
In the display filter bar, enter the following and press Enter to isolate ARP packets:

Filter: arp

The packet list now shows only frames whose protocol is ARP.

3. Examine ARP Requests and Replies

a. Identify ARP Packets
ARP Request: This is a packet sent by a device to find the MAC address associated with a
specific IP address. The packet will have an ARP opcode of 1 (Request).
ARP Reply: This is a packet sent by a device in response to an ARP request. The packet will
have an ARP opcode of 2 (Reply).

b. Analyze ARP Requests
Source IP Address: The IP address of the device making the request.
Target IP Address: The IP address for which the MAC address is being requested.
Source MAC Address: The MAC address of the device making the request.
Target MAC Address: This is not yet known and will be filled in once the reply is received.

c. Analyze ARP Replies
Source IP Address: The IP address of the device responding to the request.
Source MAC Address: The MAC address of the device responding.
Target IP Address: The IP address of the device that requested the MAC address.
Target MAC Address: The MAC address that was requested.

d. Follow the ARP Conversation
To see a request together with its reply, use Wireshark’s “Conversations” feature:

Go to Statistics > Conversations.
Select the ARP tab to view the ARP conversation details.

4. Optional Advanced Analysis

a. Analyze ARP Traffic Volume
Use Wireshark’s built-in statistics to measure ARP traffic volume and frequency:

1. Go to Statistics > Protocol Hierarchy and look for ARP in the list.
2. This will give you an overview of how much ARP traffic is present compared to other
protocols.

b. Check ARP Cache
Compare what you captured with the operating system’s own IP-to-MAC mappings:

o Windows: Use arp -a in Command Prompt.

Useful ARP Display Filters:

• All ARP Packets: arp
• ARP Requests Only: arp.opcode == 1
• ARP Replies Only: arp.opcode == 2
• ARP Requests for Specific IP: arp.dst.proto_ipv4 == x.x.x.x
• ARP Replies for Specific IP: arp.src.proto_ipv4 == x.x.x.x
ARP Role
Address Resolution Protocol (ARP) is a very fundamental protocol in computer networking.
When a PC wants to send a message over the network, it has to encapsulate the data down the
layers of the OSI model. At each layer, it has to fill all header information such as TCP/UDP
ports in the layer 4 header, source, and destination IP addresses in the Layer 3 header, and source
and destination MAC addresses in the Layer 2 header. If you think about it, all this information
is available to the end client except for the destination MAC address. Address Resolution
Protocol (ARP) has been introduced to resolve a MAC address based on a given IP address in a
local network.

Fields in ARP Requests:

• Hardware Type: Should be Ethernet (1).
• Protocol Type: Should be IPv4 (0x0800).
• Hardware Size: Typically 6 (size of MAC address).
• Protocol Size: Typically 4 (size of IPv4 address).
• Opcode: 1 (indicating an ARP request).
• Sender MAC Address: The MAC address of the device sending the ARP request.
• Sender IP Address: The IP address of the device sending the ARP request.
• Target MAC Address: 00:00:00:00:00:00 (not yet known, as the request is asking for
this).
• Target IP Address: The IP address for which the MAC address is being requested.

Practical – 9
Capture Data Packets in Wireshark tool Using “Ethernet” Protocol

In Wireshark, Ethernet filters can be quite specific and useful for analyzing network traffic at the
data link layer. Here’s a list of some commonly used Ethernet filter commands and their
descriptions:
Basic Ethernet Filter Commands
1. Filter All Ethernet Traffic:

eth
This filter captures all Ethernet frames.

2. Filter by Ethernet Source MAC Address:

eth.src == aa:bb:cc:dd:ee:ff
Replace aa:bb:cc:dd:ee:ff with the MAC address you're interested in.

3. Filter by Ethernet Destination MAC Address:

eth.dst == aa:bb:cc:dd:ee:ff
Replace aa:bb:cc:dd:ee:ff with the MAC address you're interested in.

4. Filter by Ethernet Type Field:

o IPv4:

eth.type == 0x0800

o ARP:

eth.type == 0x0806

o IPv6:

eth.type == 0x86dd

o VLAN:

eth.type == 0x8100

(On an 802.1Q-tagged frame eth.type is the tag itself; the type of the encapsulated
protocol is in vlan.etype.)

5. Filter Ethernet Frames with VLAN Tags:

vlan

o Filter by VLAN ID:

vlan.id == 100

6. Filter by Ethernet Length Field (useful for detecting abnormal frame sizes):
eth.len == 64
Replace 64 with the frame length you're interested in. (eth.len exists only on IEEE 802.3
frames that carry a length field instead of a type; for the size of any frame use frame.len.)

Combining Filters

You can combine Ethernet filters with other protocol filters using logical operators. For example:

Filter Ethernet traffic from a specific MAC address that is also IPv4:

eth.src == aa:bb:cc:dd:ee:ff and ip

Filter Ethernet frames with VLAN tags and specific VLAN ID:

vlan and vlan.id == 100

Filter all Ethernet traffic except traffic from a specific MAC address:

eth and not eth.src == aa:bb:cc:dd:ee:ff

These filters will help you narrow down the Ethernet traffic in your capture to find the specific
frames or types of traffic you're interested in.
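As an added example (not the practical's own material), the Python below builds three constructed frames, an ARP request, the matching reply and the same request tagged with VLAN 100, then decodes the Ethernet header into the eth.src, eth.dst, eth.type and vlan.id fields used by the filters above and the ARP payload into the arp.* fields from Practical 8, and checks a request against the "should be" values listed there. All MAC and IP addresses are constructed.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "VLAN"}

def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)
def mac_bytes(text): return bytes(int(x, 16) for x in text.split(":"))
def ip_str(raw): return ".".join(str(b) for b in raw)
def ip_bytes(text): return bytes(int(x) for x in text.split("."))

def parse_ethernet(frame):
    """Ethernet II header, with an 802.1Q tag consumed if one is present.

    Returns the eth.* / vlan.* fields and the payload that follows the header."""
    dst, src, etype = struct.unpack_from("!6s6sH", frame, 0)
    fields, off = {"eth.dst": mac_str(dst), "eth.src": mac_str(src)}, 14
    if etype == 0x8100:                           # tagged frame: TCI, then the real type
        tci, etype = struct.unpack_from("!HH", frame, off)
        fields["vlan.id"] = tci & 0x0FFF
        off += 4
    fields["eth.type"] = etype
    fields["eth.type_name"] = ETHERTYPES.get(etype, "unknown")
    return fields, frame[off:]

def parse_arp(payload):
    """ARP packet fields, named like Wireshark's arp.* display-filter fields."""
    htype, ptype, hlen, plen, opcode = struct.unpack_from("!HHBBH", payload, 0)
    off, parts = 8, []
    for size in (hlen, plen, hlen, plen):         # sender MAC, sender IP, target MAC, target IP
        parts.append(payload[off:off + size])
        off += size
    return {"arp.hw.type": htype, "arp.proto.type": ptype, "arp.hw.size": hlen,
            "arp.proto.size": plen, "arp.opcode": opcode,
            "arp.src.hw_mac": mac_str(parts[0]), "arp.src.proto_ipv4": ip_str(parts[1]),
            "arp.dst.hw_mac": mac_str(parts[2]), "arp.dst.proto_ipv4": ip_str(parts[3])}

# The "should be" values listed for an ARP request in Practical 8.
REQUEST_EXPECTED = {"arp.hw.type": 1, "arp.proto.type": 0x0800, "arp.hw.size": 6,
                    "arp.proto.size": 4, "arp.opcode": 1,
                    "arp.dst.hw_mac": "00:00:00:00:00:00"}

def request_field_deviations(arp):
    """Names of the fields that differ from the expected ARP-request values (empty if none)."""
    return [name for name, value in REQUEST_EXPECTED.items() if arp.get(name) != value]

def build_arp_frame(eth_src, eth_dst, opcode, sender_mac, sender_ip,
                    target_mac, target_ip, vlan=None):
    """Constructed Ethernet frame carrying a 28-byte ARP packet, optionally 802.1Q tagged."""
    header = mac_bytes(eth_dst) + mac_bytes(eth_src)
    if vlan is not None:
        header += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    header += struct.pack("!H", 0x0806)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return header + arp

# Constructed exchange: who has 192.168.1.1, asked by 192.168.1.100, then the reply.
REQUEST = build_arp_frame("aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff", 1, "aa:bb:cc:dd:ee:01",
                          "192.168.1.100", "00:00:00:00:00:00", "192.168.1.1")
REPLY = build_arp_frame("aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:01", 2, "aa:bb:cc:dd:ee:02",
                        "192.168.1.1", "aa:bb:cc:dd:ee:01", "192.168.1.100")
TAGGED_REQUEST = build_arp_frame("aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff", 1, "aa:bb:cc:dd:ee:01",
                                 "192.168.1.100", "00:00:00:00:00:00", "192.168.1.1", vlan=100)

def decode(frame):
    """Ethernet fields merged with the ARP fields when the frame carries ARP."""
    fields, payload = parse_ethernet(frame)
    if fields["eth.type"] == 0x0806:
        fields.update(parse_arp(payload))
    return fields

if __name__ == "__main__":
    for label, frame in (("request", REQUEST), ("reply", REPLY), ("tagged", TAGGED_REQUEST)):
        print(label, decode(frame), request_field_deviations(decode(frame)))
```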

Practical – 10
Capture Data Packets Using Wireshark Tool and Analyze data using “ICMP” Protocol.

Ans:- Here are some easy and basic ICMP protocol filter commands for Wireshark:

ICMP (IPv4) Filters:

1. All ICMP traffic:

icmp

2. ICMP Echo Request (Ping request):

icmp.type == 8

3. ICMP Echo Reply (Ping response):

icmp.type == 0

4. ICMP Destination Unreachable:

icmp.type == 3

Filter by ICMP Code:

5. Example to filter ICMP Echo Request with code 0:

icmp.type == 8 and icmp.code == 0

ICMPv6 Filters:

1. All ICMPv6 traffic:

icmpv6

2. ICMPv6 Echo Request:

icmpv6.type == 128

3. ICMPv6 Echo Reply:

icmpv6.type == 129

4. ICMPv6 Neighbor Solicitation:

icmpv6.type == 135

5. ICMPv6 Neighbor Advertisement:

icmpv6.type == 136

-----------------------------------------------------------------------

Note :- Extra questions

(Q) Capture Data Packets in Wireshark Using the “HTTPS” Protocol and the “dhcpv6” Protocol.
Study both carefully; these protocols are also important and are set for practice.
