Wireshark As a Tool to Introductory Networking
I’ve been using Wireshark, or its precursor Ethereal, since the late 90s. For those of you who don’t know this amazing tool, Wireshark is a free, well-known, powerful, open source protocol analyzer. Wireshark, along with its built-in capture tools, gives network support people an amazing set of tools to see almost anything you need at the packet/frame level of your networks.
Wireshark is truly one of those “mere moments to understand, a lifetime to truly conquer” type of tools because of the sheer amount of information it provides. You use a capture tool (Wireshark includes two different ones) to grab a bunch of packets, then see those captured frames in the primary interface. This three-part interface is simple: the top pane lists your captured frames, each row representing an individual frame. The middle pane has expandable details of whatever frame you’ve selected from the top pane. The bottom third displays the same selected frame in raw (hexadecimal) format.
Using all the features of Wireshark is wildly complex and powerful but I love to use this basic interface as a tool to expose brand-new networking students – and I mean DAY ONE learners – to several fundamental networking concepts. Let’s see what Wireshark does for me instructionally.
Note: I’m not saying that I sit down with students on day 1 in front of a Wireshark screen without anything else. I’m a huge believer in giving students motivation via lecture, toy blocks (just like the ones I use in videos), hats, and plenty of jokes to bind individual concepts. Wireshark comes in after plenty of concept instruction.
OSI
I like teaching the OSI model as it gives learners an organization to separate network features, especially layers 1, 2, and 3. Wireshark makes this downright fun by pre-organizing each of these layers in the middle (details) pane. Note in the following figure how layer 2 MAC addresses and layer 3 IP addresses show up so clearly. The top line, “Frame 4498”, is Wireshark’s method for keeping all the frames in order.
If you’re a brave instructor, go ahead and show the port numbers as well. I love to use the line “IP gets you to the right computer, but ports get you to the right application.” This is also a SCREAMING opportunity to pull out those toy blocks and start talking about Protocol Data Units (PDUs). I’ll go ahead and start defining Ethernet frames, IP packets, TCP datagrams, etc. – and why not? They are literally LOOKING AT PDUs as you speak so why not define them?
Did I mention this is DAY ONE instruction? Heck, this is the morning of Day One!
Packetized Data
At this point, you’ve got the learners eating out of your hands with PDUs. Let’s go ahead and make sure they understand the idea of packetized data and the need for a stream of packets to send one piece of data. My favorite lab is to have them run a capture of an HTTP page (not HTTPS!) and run the “Follow TCP stream” feature to see the raw output. Then close the stream and show them the display filter Wireshark adds, which hides all the other frames.
Encrypted/Unencrypted Data
I spend hours of course time on encryption, but now that you’ve just shown them unencrypted data, why not grab a quick HTTPS page and make a helluva teaser for those later lessons? Don’t linger on this as it’s just a teaser.
Switch Functions
I know. I’m old. I still lecture on hub vs. bridge vs. switch. Learners often have a problem with the idea of switches without a demonstration. Just plug into a switch and run Wireshark. Let the student look at the destination and source IP addresses – it’s only unicast and broadcast (you might want to avoid multicast this early but I’m still on the fence about that).
This might even be a chance to add a column for destination MAC address and a filter for MAC address = FF.FF.FF.FF.FF.FF. Both are easy to do in Wireshark.
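As an added example (not code from the original post), here is a small Python dissector that splits a constructed Ethernet/IPv4/TCP frame into the layer 2, 3 and 4 fields the details pane shows for the OSI lesson, and classifies the destination MAC as unicast, broadcast or multicast for the switch-functions demo. The frame bytes, addresses and function names are constructed for illustration.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP SYN
# from 192.0.2.10:49152 to 198.51.100.80:80 with a broadcast destination MAC.
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff"      # Ethernet dst MAC: broadcast
    "0a0b0c0d0e0f"      # Ethernet src MAC (made up)
    "0800"              # EtherType 0x0800 = IPv4
    "4500002800010000"  # IPv4: ver 4/IHL 5, TOS, total length 40, ID 1, flags/frag
    "40060000"          # TTL 64, protocol 6 (TCP), checksum left as 0
    "c000020a"          # src IP 192.0.2.10
    "c6336450"          # dst IP 198.51.100.80
    "c0000050"          # TCP src port 49152, dst port 80
    "00000001"          # sequence number
    "00000000"          # acknowledgement number
    "50020000"          # data offset 5 (20 bytes), flags = SYN, window 0
    "00000000"          # checksum and urgent pointer
)

def mac_kind(mac: bytes) -> str:
    """Classify a destination MAC: broadcast, multicast (I/G bit set) or unicast."""
    if mac == b"\xff" * 6:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"

def fmt_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def fmt_ip(ip: bytes) -> str:
    return ".".join(str(b) for b in ip)

def dissect(frame: bytes) -> dict:
    """Return the layer 2/3/4 fields for one frame, keyed like the details pane."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"eth": {"dst": fmt_mac(dst), "src": fmt_mac(src),
                      "dst_kind": mac_kind(dst), "type": hex(ethertype)}}
    if ethertype != 0x0800:          # only IPv4 is dissected further here
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4         # header length in bytes (IHL * 4)
    layers["ip"] = {"src": fmt_ip(ip[12:16]), "dst": fmt_ip(ip[16:20]),
                    "ttl": ip[8], "proto": ip[9]}
    if ip[9] == 6:                   # TCP: ports, seq/ack and the 9 flag bits
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
        layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq,
                         "ack": ack, "flags": off_flags & 0x1FF}
    elif ip[9] == 17:                # UDP: just the ports
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        layers["udp"] = {"sport": sport, "dport": dport}
    return layers
```

In Wireshark itself, the broadcast filter from the switch demo is written `eth.dst == ff:ff:ff:ff:ff:ff`.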
Protocols
OK, I don’t do this on day one, but with a good intro to Wireshark early in the course I can turn back to it over and over. I love to show protocols at work using Wireshark. One of my favorites is DHCP. Here’s a screen of a four-step DHCP process. Quiz: Why does DHCP take four steps? Couldn’t it work in just two or maybe three? I’ll answer this in a few days.
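As an added example, not from the post, here is a Python snippet that reads DHCP option 53 (message type) out of a constructed Discover/Offer/Request/Ack sequence and checks that the four messages share one transaction ID (xid), which is how the dissector, and a learner, can tie the four steps of one lease together on screen. The payloads, xid, lease address and function names are constructed for illustration.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that starts the options field
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack", 6: "Nak"}

def build_dhcp(op: int, xid: int, msg_type: int, yiaddr: bytes = b"\0" * 4) -> bytes:
    """Constructed minimal DHCP payload: 236-byte fixed header, cookie, option 53, end."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0,                      # op, htype, hlen, hops, xid, secs, flags
                        b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,     # ciaddr, yiaddr, siaddr, giaddr
                        bytes.fromhex("0a0b0c0d0e0f").ljust(16, b"\0"),  # chaddr (made-up client MAC)
                        b"\0" * 64, b"\0" * 128)                     # sname, file
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type, 255])

def dhcp_xid(payload: bytes) -> int:
    return struct.unpack("!I", payload[4:8])[0]

def dhcp_message_type(payload: bytes) -> str:
    """Walk the option TLVs after the cookie and return the option-53 message name."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == 255:                      # End option
            break
        if tag == 0:                        # Pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if tag == 53 and length == 1:
            code = payload[i + 2]
            return MSG_TYPES.get(code, f"type {code}")
        i += 2 + length
    raise ValueError("no DHCP message type option")

def label_exchange(payloads) -> list:
    """Label each message and confirm they all share one transaction ID (xid)."""
    if len({dhcp_xid(p) for p in payloads}) != 1:
        raise ValueError("messages belong to different DHCP transactions")
    return [dhcp_message_type(p) for p in payloads]

# Constructed four-step exchange (same xid throughout); client op=1, server op=2.
LEASE = bytes([192, 0, 2, 50])
EXCHANGE = [build_dhcp(1, 0x1A2B3C4D, 1),
            build_dhcp(2, 0x1A2B3C4D, 2, LEASE),
            build_dhcp(1, 0x1A2B3C4D, 3),
            build_dhcp(2, 0x1A2B3C4D, 5, LEASE)]
```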
These are just some ideas that you’ll want to consider next time you’re teaching an introductory networking course. I think Wireshark is an amazing tool with a simple, intuitive interface that wonderfully reinforces so many fundamental networking concepts. Give it a try!