GNS3 - Packet Capture


Packet Capture

GNS3 can capture packets on virtual Ethernet or serial interfaces! It writes the captured output to a libpcap file that can be viewed using Wireshark. Wireshark may be downloaded from http://www.wireshark.org. Check out the Wireshark page for up-to-date information.

This is also a great way to hone your skills with Wireshark while not interrupting production network traffic. For example: suppose we want to capture packets passing through the serial interface on R2 (s0/0). You will need to have a simple topology ready to use for the next steps.

Although you can use packet capture immediately whenever you connect two devices together, it's more meaningful when you have a working network running within GNS3. The first topology shows a simple connection between Router 1 and Router 2.

Next, right-click somewhere along the line representing the link between R1 and R2. Choose Start Capture. The drop-down arrow will allow you to choose which interface to monitor (R1 s0/0 or R2 s0/0). Wireshark will automatically start, provided it has been configured under the Preferences window.


Notice that we can also choose the encapsulation type for serial interfaces. This depends on the type of connection.

Choices are HDLC, PPP and Frame-Relay. The default encapsulation for Cisco serial interfaces is HDLC.

There are great discussions within the CCNA course that go into whether you should or should not use either HDLC or PPP. That is beyond the scope here. Just know that since we are using Cisco IOS, the default is HDLC for serial. In this example, I just clicked on Ethernet Interfaces.

This is a welcome addition to GNS3. Sometimes the Cisco certification track will hammer in the concept of using commands to check connectivity, but how much simpler is it when you have Wireshark telling you what it sees coming across the link? In real working environments, we can fabricate all kinds of interfaces to 'prove' something is connected. With Wireshark as a third party, the packets have all kinds of information proving the legitimacy of network connections. I used Wireshark extensively with other agencies that believe issues that arise in the network are my team's fault. Wireshark time and again has saved my figurative 'bacon'.

Now let's generate some traffic to test our capture. I'm going to introduce a new topology called 'default'. Why did I call it 'default'? Because this simple topology is already configured to give my virtual machines access to the internet via GNS3! See screenshot below:

So router 1 has a couple of things going on here:

1. It is providing DHCP leases to the local LAN inside this topology. The DHCP is issuing leases in the 172.17.0.0/24 subnet.

2. It has NATing enabled and sends the packets out to the Cloud 1 interface.

3. The client picks up its local IP address and is also provided with the local primary DNS. Sometimes, I have to go into the router and specify the local DNS server, which would equate to the local gateway of the internet connection you are using.

4. Without getting too deep into the topology, we will use this to view the traffic on the link between SW1 and R1 using Wireshark.

Right-click on the link and select the appropriate interface.

After you click OK, Wireshark fires up and reads the packets going through this interface. As you can see, I turned up the client called "Android KitKat" because it's a pretty small client that can browse the internet.

The Wireshark window on the lower left is capturing all the juicy tidbits in this connection. Now that this is running, you can monitor the traffic and play with Wireshark without messing with production networks that might get a little perturbed about someone unauthorized sniffing packets.

The goal here is to show how to use Wireshark. Just right-click the connection and choose the connection to monitor. GNS3 will then make the call to Wireshark and provide the interface to monitor. It's that easy!
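The libpcap file GNS3 writes records the link type in its header, so the encapsulation chosen at capture time (Ethernet, HDLC, PPP, Frame-Relay) can be checked without opening Wireshark. The following Python code is an added example, not part of the original tutorial: it reads that header and, for Ethernet captures, tallies IPv4 source addresses inside and outside the tutorial's 172.17.0.0/24 LAN. It assumes the classic pcap format (not pcapng); the function names, the sample bytes and the 192.0.2.1 address are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

# Standard libpcap link-layer type numbers (the "network" field of the file header).
LINKTYPES = {1: "Ethernet", 9: "PPP", 50: "PPP in HDLC-like framing",
             104: "Cisco HDLC", 107: "Frame Relay"}
LAN = ipaddress.ip_network("172.17.0.0/24")  # DHCP range from the tutorial


def summarize_pcap(data: bytes) -> dict:
    """Return link type, packet count and IPv4 source tally of a classic pcap file."""
    # The magic number gives byte order (microsecond and nanosecond variants).
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}.get(data[:4])
    if len(data) < 24 or endian is None:
        raise ValueError("not a classic libpcap file")
    _maj, _min, _zone, _sig, _snaplen, network = struct.unpack(endian + "HHiIII", data[4:24])
    sources, packets, offset = Counter(), 0, 24
    while offset + 16 <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record, e.g. the capture is still being written
        offset += 16 + incl_len
        packets += 1
        # Only Ethernet frames carrying IPv4 (EtherType 0x0800) are decoded here.
        if network == 1 and len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            src = ipaddress.ip_address(frame[26:30])
            sources["lan" if src in LAN else "other"] += 1
    return {"linktype": LINKTYPES.get(network, f"unknown ({network})"),
            "packets": packets, "ipv4_sources": dict(sources)}


def build_sample() -> bytes:
    """Constructed sample: Ethernet capture, one frame from the LAN, one from outside."""
    def frame(src: str, dst: str) -> bytes:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (frame("172.17.0.10", "192.0.2.1"), frame("192.0.2.1", "172.17.0.10")):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    print(summarize_pcap(build_sample()))
```

To run it against a real lab capture, pass the file's bytes to `summarize_pcap`; a link type other than Ethernet is reported but its frames are only counted, not decoded.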
