I can be a very thorough person, especially when it comes to learning. I try to grasp all the details of the different technologies I am learning about so that I understand why something is the way the book says it is rather than just accepting what the book says. This also helps me explain concepts more clearly, should I ever be required to. Technically speaking, one of the tools that has helped me understand the minute details of a particular technology is Wireshark. In this article, we will be looking at a way to learn by looking at packets as they cross the network.

CCNA Training – Resources (Intense)

Note: There is a good article on the Intense School site that explains what Wireshark does and how it does it. You can check it out here.

GNS3 and Wireshark

GNS3 has become a huge part of my technical life because of the near-real experience that it provides. The installation of GNS3 also has Wireshark bundled with it (as far as I can remember) so you don’t need to do anything special to set up GNS3 to work with Wireshark – you can just capture directly from the GNS3 topology. We will be exploring this feature in this article.

Let’s take a simple topology of two routers connected through their Fa0/0 interfaces:

To begin a capture in GNS3, you right-click on the link that you want to capture on and select “Start capturing” as shown below:

You will then be required to select what device/interface you wish to capture on. In our case, the options are either R1’s Fa0/0 interface or R2’s Fa0/0 interface. In this scenario, it does not matter to me which interface I choose. However, sometimes I find that I experience errors capturing on one interface so I move to the other side; probably a bug or something.

After you have selected what interface you want to capture on, you will see it in the Captures pane on the left-hand side in GNS3. I guess the position of this pane may vary depending on what version of GNS3 you are using; I’m still using version 0.8.6.

To see your packets, you have to start Wireshark also from GNS3. Again you right-click on the link you are capturing on and then you select “Start Wireshark.” Notice that this option was not there before we began capturing.

When Wireshark loads up, you begin seeing packets flying around. I have only configured IP addresses on the Fa0/0 interfaces so we don’t see interesting packets yet.

The main window of Wireshark is divided into several parts: The Menu, which contains items like File, Edit, and so on; the Main Toolbar, which contains frequently used items; the Filter toolbar, which allows us to view only specific packet types as specified by our filter expression; the Packet list pane, which displays the captured packets; the Packet details pane, which gives a deeper view into a particular packet; the Packet bytes pane, which displays the data of a particular packet; and the Status bar, which gives information about the captures packets.

The packet list pane and packet details pane are particularly important when going through packet captures. Although you can customize the fields in the packet list pane, the default columns are: Number (No), Time, Source address, Destination address, Protocol, Length and Info. Clicking on any of the packets will give more details about that packet in the packet details pane.

You can play around with Wireshark on your own time but, for now, let’s look at a few examples of how to learn using packet captures.

Example: How ARP works

I suppose you are familiar with the Address Resolution Protocol used to map layer 3 addresses (the known) to layer 2 addresses (the unknown). Well, let’s follow the packet between our two routers.

Currently, R1 does not have the MAC address of R2 in its ARP cache.

Therefore, if R1 wants to ping R2, it will first need to find the MAC address with which to reach R2.

Note: R1 will ARP for R2’s MAC address because they are on the same subnet. Otherwise, R1 will ARP for the MAC address of its default gateway.

The packets captured during this ping are as shown below. Notice that the first two packets shown in the screenshot below belong to the ARP protocol, while the others are ICMP traffic.

To take a closer look at the ARP packets, I will click on the first one so that it is displayed in the packet details pane.

Notice that this packet is sent from cc:00:0d:98:00:00 (MAC address of R1’s Fa0/0) to a destination of all Fs, i.e., it is broadcast. The ARP message itself lets us know that R1 is making a request for the MAC address of the device at To put this into perspective, here is a diagram taken from the TCP/IP guide, showing the message format of ARP:

Notice that all the fields in this message format are also available in the packet capture in Wireshark. Therefore, Wireshark can help make seemingly abstract concepts more tangible.

One thing that used to confuse me with ARP was the difference between “Target MAC address” and the “destination MAC address” of the ARP packet. For example, in this case, the target MAC address carried in the ARP request packet is all 0s but the destination MAC address of this packet (look at the Ethernet portion of the packet) is all Fs, i.e., broadcast. Using Wireshark helped me understand this difference: an ARP request packet is broadcast to all devices on a subnet but since the target MAC address is not known, it will be all 0s.

The second ARP packet is the reply from R2 informing R1 of its MAC address.

Armed with this information, R1 is now able to successfully ping R2.

Filtering Captured Packets

There are times when you are only interested in packets of a particular type, e.g., from a particular IP address or of a specific protocol. This is where the filtering toolbar comes in handy. For example, if I wanted to look at only ARP packets in our capture, I will just type “arp” in the filter box and press Enter or click Apply.

Hint: Wireshark lets you know when your filter string is correct by making the box green. When the box is red, it means Wireshark does not recognize your filter expression.

You can also use the Expression button to build a filter string. It allows you search through the different protocols.

Example: EIGRP Hello intervals

Let’s look at another example of how Wireshark can help with your learning. Let’s say you are studying EIGRP and you come across where it says that EIGRP Hellos are sent every 5 seconds. Now you would like to see it for yourself.

I have configured EIGRP on my routers and I am still capturing traffic. To see only EIGRP packets sent by R1, I will use the following filter: “ip.addr== and eigrp”.

The problem is that the Time column does not really make sense to me without me doing some math in my head. By default, Wireshark displays the time in seconds from beginning of the capture. Therefore the first Hello packet in the screenshot above was seen by Wireshark 2465.3 seconds after I began capturing packets. This does not really work for me.

I can change the Time display format by navigating to View in the Menu and selecting Time Display Format:

Since we are filtering our captured packets display, the best format to use will be the “Seconds Since Previous Displayed Packet.”

Now I can see that EIGRP hello packets are indeed sent approximately every 5 seconds.


In this article, we have barely scratched the surface of Wireshark. Wireshark is a very great packet analysis tool especially for troubleshooting purposes. However, we have seen another side to Wireshark: using it to understand technologies at a deep packet level. There’s this good book I also read about Wireshark recently: Practical Packet Analysis – Using Wireshark to Solve Real World Network Problems. You can use it to further your understanding of Wireshark.

I hope you have found this article useful.

References and Further Reading