Download and install the Wireshark protocol analyzer previously known as

38 | Lesson 2

f. Click the + sign next to Internet Control Message Protocol to expand it and display the contents. This should display information about the ICMP packet, such as the fact that it is a reply packet, the checksum, the sequence number, and so on.

g. Click the + sign next to Internet Protocol. This will show you the version of IP used (IPv4), the size of the packet, and the source and destination IP addresses for the embedded ICMP packet. Both the ICMP and IP pieces of information correspond to the network layer of the OSI model.

h. Now click the + sign next to Ethernet. This is the network architecture used on the data link layer. This field of information tells you the source and destination MAC addresses of the computers involved in the ping transaction.

i. Now click the + sign next to Frame (there will be a frame number next to the word “Frame”). This tells you the size of the frame captured, as well as when it was captured. These are the frames of information that the Wireshark application actually captures directly from the network adapter.

Notice that the Ethernet frame is larger than the IP packet. That is because the IP packet is encapsulated into the frame. The encapsulation process started when the command prompt sent a 32-byte ping (ICMP packet). This ping was then placed inside an IP packet with a total size of 60 bytes. The additional 28 bytes are known as layer 3 overhead, broken down between 20 bytes for the header (includes the IP source and destination addresses) and 8 bytes for additional overhead information (for example, a trailer or checksum). Then, the IP packet was sent to the network adapter, where it was placed inside a frame. The frame added its own layer 2 overhead, an additional 14 bytes including the source and destination MAC address. This brought the grand total to 74 bytes—more than double what we started with. The frame was then sent out from the other computer’s network adapter (in an effort to reply to the pinging computer) as a serial bit stream across the network medium on the physical layer. This is what happens with every single communication, and the OSI model, particularly the communications subnetwork (layers 1 through 3), helps us define what is happening behind the scenes by categorizing each step with a different layer.

Routers also reside on the network layer. Routers make connections between one or more IP networks. They are known as the gateway to another IP network, and you may utilize their IP address in the Gateway address field of a computer’s IP Properties window to allow the computer access to other networks. Don’t confuse this definition of a gateway with the application layer gateway that will be defined later. Routers use protocols such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) to direct packets to other routers and networks.

UNDERSTANDING LAYER 3 SWITCHING

Switches also reside on the network layer. A layer 3 switch differs from a layer 2 switch in that it determines paths for data using logical addressing (IP addresses) instead of physical addressing (MAC addresses). Layer 3 switches are similar to routers—it’s how a network engineer implements the switch that makes it different. Layer 3 switches forward packets, whereas layer 2 switches forward frames. Layer 3 switches are usually managed switches; the network engineer can manage them utilizing the Simple Network Management Protocol (SNMP), among other tools. This allows the network engineer to analyze all of the packets that pass through the switch, which can’t be done with a layer 2 switch. A layer 2 switch is more like an advanced version of a bridge, whereas a layer 3 switch is more like a router. Layer 3 switches are used in busy environments in which multiple IP networks need to be connected together.

CERTIFICATION READY
Can you define the differences between layer 2 and layer 3 switches?
2.1

TAKE NOTE
There are many protocol analyzers available. Microsoft incorporates one called Network Monitor into Windows Server products.
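
The size arithmetic from step i (32 bytes of ping data, a 60-byte IP packet, a 74-byte frame) can be checked by dissecting a frame by hand. The following is an added example, not part of the original lesson: it builds a constructed echo-reply frame (the MAC and IP addresses are made-up sample values) and peels off the Ethernet, IPv4 and ICMP headers in turn. The 8 bytes beyond the 20-byte IP header are the ICMP header (type, code, checksum, identifier, sequence number).

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_reply_frame() -> bytes:
    """Constructed sample: Ethernet II + IPv4 + ICMP echo reply, 32-byte payload."""
    payload = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes of ping data
    icmp = struct.pack("!BBHHH", 0, 0, 0, 1, 1) + payload  # type 0 = echo reply
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, 1, 0,
                     bytes([192, 168, 1, 20]), bytes([192, 168, 1, 10]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000010") + bytes.fromhex("020000000020") + b"\x08\x00"
    return eth + ip + icmp

def dissect(frame: bytes) -> dict:
    """Peel layers 2 and 3 in the order Wireshark's tree shows them."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IP header length in bytes (20 with no options)
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if ip[0] >> 4 != 4 or proto != 1 or total_len > len(ip):
        raise ValueError("not a well-formed IPv4/ICMP packet")
    icmp = ip[ihl:total_len]
    return {
        "frame_len": len(frame), "eth_header": 14,
        "src_mac": src.hex(":"), "dst_mac": dst.hex(":"),
        "ip_total_len": total_len, "ip_header": ihl,
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "icmp_type": icmp[0], "icmp_header": 8, "icmp_data": len(icmp) - 8,
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
    }

if __name__ == "__main__":
    for key, value in dissect(build_echo_reply_frame()).items():
        print(f"{key:>16}: {value}")
```

A checksum computed over a header that already contains a valid checksum folds to zero, which is how the two `*_checksum_ok` fields are verified.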