Home‎ > ‎CIS 140NA‎ > ‎

Lab 3: Switch Traffic

In this lab you will examine the packets that "leak" through a switch.


Switches only flood packets to all ports when: 
  1. The packet is destined for an unknown MAC address 
  2. The packet is a broadcast packet
This can make it difficult to see packets that aren't heading to the host that's running Wireshark. However, you can still learn a lot by plugging in and listening. In this lab you will listen to a switch from a host that stays quiet and see what packets are broadcast. 

Identifying Your Network Equipment

This lab requires you to use a switch. You probably have one already. Most Cable and DSL modems are both routers and switches. The pictures below show examples of common models of DSL and Cable modems. Highlighted are the ports that act as a switch:

With a wireless device, like the one shown below, the WiFi clients are connected just as if they're on the switch too. 

This lab has two parts. The required part and the extra credit. For the required part Computer A should be plugged into a switch port, but Computer B can be wired or wireless. For the extra credit part Computer A must be on the WiFi and Computer B can again be wired or wireless.

Begin Capturing

To do this lab you will need a network with a switch and at least two computers. Computer A will run Wireshark and Computer B will run a web browser. Computer B will be rebooted during the lab. If you don't have the right equipment at home come to the CIS lab. There you can use two workstations to complete the lab. Close all programs on Computer A before you start capturing. 

Begin a capture on Computer A.

Depending on the network you should begin to see packets. You may see Computer A using the network in the background (like downloading updates). Ignore these packets for this lab. 

Identify Broadcast or Multicast Traffic

Pick a broadcast packet in your capture and answer the following questions: 
  1. What is its packet number?
  2. What is the source and destination MAC address of the packet?
  3. To what protocol does the packet belong? 
  4. What is the packet's purpose? (Hint: Google the protocol)

Find Computer B's Traffic

Make note of Computer B's MAC address. With your capture still going shutdown Computer B and leave it off for several seconds. After a while start it up again. Doing this will cause the switch to forget what MAC addresses are on the port Computer B is connected to. When Computer B starts again you will see packets on Computer A. Answer the following questions:
  1. What is the MAC address of Computer B? (Look in its settings to find that information)
  2. Do you see any packets from Computer B?
  3. What is the packet number? 
  4. What is the protocol of the packet? 
After you are done you can stop the capture on Computer A. Save the contents of your capture with the filename switch-capture.pcapng 

Filter You Capture

Since you know the MAC address of computer B you can use Wireshark's display filter function to make it easy to find Computer B's packets. In the capture filter enter the following filter: 

    eth.addr == 00:00:00:00:00:00

Replace 00:00:00:00:00:00 with the MAC address of Computer B. If there are no packets repeat the previous step. Save your filtered packets into a separate file with the filename computerB-capture.pcapng

Wireless Extra Credit

This lab is possible to do on a wireless network. Capturing packets on a wireless network is not as simple as on a wired network and not all wireless cards are capable of being used by Wireshark. For extra credit repeat this lab using a wireless rather than a wired network. 

Turn In
  1. Your switch-capture.pcapng file.
  2. Your computerB-capture.pcapng file.  
  3. The answers to the questions in the lab
  4. (Optional) The wireless versions of above. 
Submit your homework on Canvas.


  • 15 points for correct capture files.
  • 5 points for answers that match your capture. 
  • 10 points extra credit for wireless capture.