Objective
To explore the details of Ethernet frames. Ethernet is a popular link layer protocol that is covered in §4.3 of your text; modern computers connect to Ethernet switches (§4.3.4) rather than using classic Ethernet (§4.3.2). Review section §4.3 before doing this exercise.
Requirements
Wireshark: This lab uses the Wireshark software application to capture and examine a packet trace. A packet trace is a record of traffic at a location on the network, as if a snapshot was taken of all the bits that passed across a particular wire. The packet trace records a timestamp for each packet, along with the bits that make up the packet, from the lower-layer headers to the higher-layer contents. Wireshark shows the sequence of packets and the meaning of the bits when interpreted as protocol headers and data. It color-codes packets by their type, and has various ways to filter and analyze packets to let you investigate the behavior of network protocols.
ping: This exercise uses ping to send and receive messages. ping is a standard command-line utility for checking that another computer is responsive. It is widely used for network troubleshooting and comes pre-installed on Windows, Linux, and Mac. While ping has various options, simply issuing the command “ping www.sdsu.edu” will cause your computer to send a small number of ICMP ping requests to the remote computer www.sdsu.edu, which should elicit an ICMP ping response.
Recall that there are two types of Ethernet frames, IEEE 802.3 and DIX Ethernet. DIX is common and what we considered above, while IEEE 802.3 is rare. If you are rather lucky, you may see some IEEE 802.3 frames in the trace you have captured. To search for IEEE 802.3 packets, enter a display filter (above the top panel of the Wireshark window) of “llc” (that was lowercase “LLC”) because the IEEE 802.3 format has the LLC protocol on top of it. LLC is also present on top of IEEE 802.11 wireless, but it is not present on DIX Ethernet.
Have a look at the details of an IEEE 802.3 frame, including the LLC header. Observe that the Type field is now a Length field. The frame may be short enough that there is also padding of zeros identified as a Trailer or Padding.
Let's start with Wireshark and capture some packets:
1. The first step is to select an interface. Mine is wireless, so I am selecting Wi-Fi. You can select Ethernet if you have one connected.
2. Start the interface and open cmd on Windows or a terminal on Linux. In my case I am using the Windows cmd for ping. I will ping google.com and trace some packets; you can ping any website you like:
Based on the screenshot, we can observe the complete three-way handshake. Now, for the Ethernet-based analysis, we can expand the Ethernet information, which is below along with the other fields.
3. Let's analyze the Ethernet field and see the headers:
We can see the encrypted frames which Ethernet is using to transfer the requests.
4. Demultiplexing Keys - After the arrival of Ethernet frames at a computer, the Ethernet layer has to provide the packet to the next upper layer for further transmission. To find the right upper layer, Ethernet frames use demultiplexing keys.
Hope my answer will help.
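As an added example (not part of the lab handout or of the answer above), the Python parser below applies the Type-versus-Length distinction from the lab text and the demultiplexing step from point 4: if the two bytes after the MAC addresses are 0x0600 or greater they are a DIX EtherType that selects the upper layer; if smaller they are an IEEE 802.3 Length field, followed by the LLC header and any zero padding that brings the frame up to the 60-byte minimum Wireshark displays. The two frames are constructed sample bytes, not taken from a capture.

```python
import struct

# Constructed sample frames (not from any real capture).
# DIX Ethernet II: dst MAC, src MAC, EtherType 0x0800 (IPv4), stub IPv4 payload.
DIX_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800" "45" + "00" * 19)
# IEEE 802.3: dst MAC, src MAC, Length 0x0026 (38), LLC header 42 42 03
# (DSAP/SSAP 0x42, control 0x03 = UI), 35 zero payload bytes, 8 bytes padding.
IEEE8023_FRAME = bytes.fromhex(
    "0180c2000000" "66778899aabb" "0026" "424203" + "00" * 35 + "00" * 8
)

# Demultiplexing keys: EtherType values and the upper-layer protocol they select.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def parse_frame(frame):
    """Describe the link-layer header of one frame (FCS assumed stripped)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":")}
    if type_or_len >= 0x0600:
        # DIX Ethernet: the field is the Type field, i.e. the demultiplexing key.
        info["format"] = "DIX"
        info["ethertype"] = type_or_len
        info["upper"] = ETHERTYPES.get(type_or_len, "unknown")
        info["payload"] = frame[14:]
    else:
        # IEEE 802.3: the field is a Length, and an LLC header follows it.
        info["format"] = "IEEE 802.3"
        info["length"] = type_or_len
        if len(frame) < 17:
            raise ValueError("IEEE 802.3 frame too short for an LLC header")
        info["llc"] = {"dsap": frame[14], "ssap": frame[15], "control": frame[16]}
        info["upper"] = "LLC"
        info["payload"] = frame[14:14 + type_or_len]
        # Anything beyond Length is padding (Wireshark shows it as Trailer/Padding).
        info["padding"] = frame[14 + type_or_len:]
    return info


def filter_llc(frames):
    """Mimic the display filter 'llc': keep only frames carrying an LLC header."""
    return [f for f in frames if parse_frame(f)["format"] == "IEEE 802.3"]


if __name__ == "__main__":
    for f in (DIX_FRAME, IEEE8023_FRAME):
        print(parse_frame(f))
```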