If you've ever wondered what actually happens on the wire when you run a ping command — or how a PC automatically gets its IP address — this post is for you. I set up a small network in GNS3, ran some pings, configured a DHCP server on a Cisco router, and captured everything with Wireshark. Here's exactly what I did and what I found.
The Problem I Was Solving
Networking theory is one thing. Seeing the packets is another.
I wanted to answer three practical questions:
- When a ping travels across a link, what IP and MAC addresses does Wireshark actually show — and do they change hop by hop?
- How do you configure a Cisco router as a DHCP server so that every PC on the segment gets an address automatically?
- What do the four DHCP messages (Discover → Offer → Request → Acknowledge) look like at Layer 2 and Layer 3?
Part A — ICMP (Ping) Analysis
Network Topology
The Part A topology has two routers (R1, R2), two switches, and four PCs spread across three subnets:
| Subnet | Network | Device Interfaces |
|---|---|---|
| Left LAN | 192.168.0.0/24 | R1 f0/0 = .0.1 · PC1 = .0.10 · PC2 |
| Link 1 (WAN) | 192.168.2.0/24 | R1 f2/0 = .2.1 · R2 f0/0 = .2.2 |
| Right LAN | 192.168.1.0/24 | R2 f2/0 = .1.1 · PC3 · PC4 = .1.10 |
Configuring R1
R1(config)# interface f0/0
R1(config-if)# ip address 192.168.0.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface f2/0
R1(config-if)# ip address 192.168.2.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# router rip
R1(config-router)# version 2
R1(config-router)# network 192.168.0.0
R1(config-router)# network 192.168.2.0
R1(config-router)# no auto-summary
Configuring R2
R2(config)# interface f2/0
R2(config-if)# ip address 192.168.1.1 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit
R2(config)# interface f0/0
R2(config-if)# ip address 192.168.2.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit
R2(config)# router rip
R2(config-router)# version 2
R2(config-router)# network 192.168.1.0
R2(config-router)# network 192.168.2.0
R2(config-router)# no auto-summary
Configuring PC1 and PC4 (Static IPs)
# PC1
PC1> ip 192.168.0.10 192.168.0.1 24
# PC4
PC4> ip 192.168.1.10 192.168.1.1 24
Task 1 — Ping R1 from PC1, Capture on Link 2
Link 2 sits between Switch1 and R1 (the f0/0 segment, 192.168.0.0/24). Wireshark was started on that link before the ping.
PC1> ping 192.168.0.1
Because source and destination are on the same subnet, the packet never leaves the LAN. At Layer 3 both addresses stay the same for every packet. At Layer 2 the source MAC is PC1's NIC and the destination MAC is R1's f0/0 interface — resolved via ARP before the first echo request goes out.
| Field | Value |
|---|---|
| Src IP | 192.168.0.10 |
| Dst IP | 192.168.0.1 |
| Src MAC | PC1 NIC MAC |
| Dst MAC | R1 f0/0 MAC |
Task 2 — Ping R2 from R1, Capture on Link 1
Link 1 is the 192.168.2.0/24 WAN link between the two routers.
R1# ping 192.168.2.2
Both ends of this link are directly connected, so IP addresses stay as-is. MACs are the router interface MACs on either side of Link 1.
| Field | Value |
|---|---|
| Src IP | 192.168.2.1 |
| Dst IP | 192.168.2.2 |
| Src MAC | R1 f2/0 MAC |
| Dst MAC | R2 f0/0 MAC |
Task 3 — Ping R2 from PC4, Capture on Link 3
Link 3 is the 192.168.1.0/24 right-side LAN between Switch2 and R2.
PC4> ping 192.168.1.1
The destination (R2 f2/0) is on the same subnet as PC4, so the packet is delivered directly. Wireshark on Link 3 sees PC4's MAC as source and R2's f2/0 MAC as destination.
| Field | Value |
|---|---|
| Src IP | 192.168.1.10 |
| Dst IP | 192.168.1.1 |
| Src MAC | PC4 NIC MAC |
| Dst MAC | R2 f2/0 MAC |
Key Insight — Why MACs Change But IPs Don't
IP addresses identify end-to-end communication and stay the same across the entire path. MAC addresses are only meaningful on the local segment — they change at every router hop because the router strips the old frame and builds a brand-new one for the next hop.
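To make the re-encapsulation concrete, the following added example (not part of the original lab) models a PC1 to PC4 ping crossing both routers and reports what a capture on each link would show. The MAC addresses are constructed, and the cross-router ping is an assumption, since the three tasks above only ping within one subnet. It also shows that a router decrements the TTL and recomputes the IP header checksum while leaving the addresses alone.

```python
import socket
import struct

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def checksum(header):
    """RFC 1071 Internet checksum; returns 0 over a header whose checksum is valid."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def first_frame(src_mac, dst_mac, src_ip, dst_ip, ttl=64):
    """Ethernet II + 20-byte IPv4 header (protocol 1 = ICMP); payload left out."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, ttl, 1, 0,
                               socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + bytes(ip)

def route(frame, egress_mac, next_hop_mac):
    """One router hop: discard the old Ethernet header, decrement TTL, recompute
    the IP checksum, then wrap the same packet in a new frame."""
    ip = bytearray(frame[14:34])
    if ip[8] <= 1:
        raise ValueError("TTL expired; a real router would send ICMP Time Exceeded")
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return mac(next_hop_mac) + mac(egress_mac) + b"\x08\x00" + bytes(ip)

def fields(frame):
    ip = frame[14:34]
    return {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
            "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "ttl": ip[8], "checksum_ok": checksum(ip) == 0}

# Constructed MACs; the IPs and link names are the ones from the Part A topology.
M = {"PC1": "02:00:00:00:00:10", "R1f0": "02:00:00:00:01:00", "R1f2": "02:00:00:00:01:02",
     "R2f0": "02:00:00:00:02:00", "R2f2": "02:00:00:00:02:02", "PC4": "02:00:00:00:00:40"}

def trace():
    """PC1 pings PC4: the frame as a capture on each link would show it."""
    link2 = first_frame(M["PC1"], M["R1f0"], "192.168.0.10", "192.168.1.10")
    link1 = route(link2, M["R1f2"], M["R2f0"])
    link3 = route(link1, M["R2f2"], M["PC4"])
    return {"Link 2": fields(link2), "Link 1": fields(link1), "Link 3": fields(link3)}
```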
Part B — DHCP Configuration and DORA Capture
Network Topology
Part B is simpler: one router (R1) connected through a single switch to four PCs, all on the 192.160.0.0/24 subnet. R1 acts as the DHCP server.
Configuring the Interface on R1
R1(config)# interface f0/0
R1(config-if)# ip address 192.160.0.1 255.255.255.0
R1(config-if)# no shutdown
Configuring the DHCP Pool on R1
R1(config)# ip dhcp excluded-address 192.160.0.1
R1(config)# ip dhcp pool LAN_POOL_B
R1(dhcp-config)# network 192.160.0.0 255.255.255.0
R1(dhcp-config)# default-router 192.160.0.1
R1(dhcp-config)# dns-server 8.8.8.8
The excluded-address line protects the router's own IP from being handed out to a client. Everything from .2 upward is fair game.
Verifying the Interface
R1# show ip interface brief
Confirm that FastEthernet0/0 shows 192.160.0.1 with status up/up.
Requesting IPs on the PCs
PC1> ip dhcp
PC2> ip dhcp
PC3> ip dhcp
PC4> ip dhcp
Each PC runs the full DORA exchange and receives an address:
| PC | Assigned IP |
|---|---|
| PC1 | 192.160.0.2 |
| PC2 | 192.160.0.3 |
| PC3 | 192.160.0.4 |
| PC4 | 192.160.0.5 |
Verifying DHCP Bindings on R1
R1# show ip dhcp binding
This lists every IP that has been leased, along with the client MAC and lease expiry time.
The DORA Process — What Wireshark Shows
Wireshark was running on Link 1 (between R1 and Switch1) while PC1 ran ip dhcp. Applying the dhcp display filter reveals four packets:
Filter: dhcp
Discover
The PC has no IP yet. It broadcasts from 0.0.0.0 to 255.255.255.255, asking if any DHCP server is available.
| Field | Value |
|---|---|
| Src IP | 0.0.0.0 |
| Dst IP | 255.255.255.255 |
| Src MAC | PC1 NIC MAC |
| Dst MAC | ff:ff:ff:ff:ff:ff |
Offer
R1 responds with a proposed IP address, unicast back toward PC1.
| Field | Value |
|---|---|
| Src IP | 192.160.0.1 |
| Dst IP | 192.160.0.2 |
| Src MAC | R1 f0/0 MAC |
| Dst MAC | PC1 NIC MAC |
Request
PC1 broadcasts again, formally requesting the offered address.
| Field | Value |
|---|---|
| Src IP | 0.0.0.0 |
| Dst IP | 255.255.255.255 |
| Src MAC | PC1 NIC MAC |
| Dst MAC | ff:ff:ff:ff:ff:ff |
Acknowledge
R1 confirms the lease.
| Field | Value |
|---|---|
| Src IP | 192.160.0.1 |
| Dst IP | 192.160.0.2 |
| Src MAC | R1 f0/0 MAC |
| Dst MAC | PC1 NIC MAC |
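The four tables show the outer addresses; the message type itself lives in DHCP option 53 inside the UDP payload. The following added example (not from the original lab) parses that payload and checks that four messages form one consistent DORA exchange. The sample payloads, client MAC and transaction ID are constructed, and the check assumes the client keeps one transaction ID for the whole exchange.

```python
import socket
import struct
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Acknowledge"}  # option 53 values

def build(op, xid, yiaddr, chaddr, options):  # used only to construct the sample below
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s192s", op, 1, 6, 0, xid, 0, 0, b"",
                        socket.inet_aton(yiaddr), b"", b"", chaddr, b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC + body + b"\xff"

def parse(payload):
    """Return op, xid, yiaddr, client MAC and the options the DORA check needs."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"op": payload[0], "xid": struct.unpack("!I", payload[4:8])[0],
           "yiaddr": socket.inet_ntoa(payload[16:20]), "chaddr": payload[28:34].hex(":")}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        val = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg["type"] = TYPES.get(val[0], "other")
        elif code in (50, 54) and length == 4:      # requested IP / server identifier
            msg["requested_ip" if code == 50 else "server_id"] = socket.inet_ntoa(val)
        i += 2 + length
    return msg

def is_dora(payloads):  # True when four messages form one complete, consistent exchange
    msgs = [parse(p) for p in payloads]
    sid = msgs[1].get("server_id") if len(msgs) == 4 else None
    return (sid is not None
            and [m.get("type") for m in msgs] == list(TYPES.values())
            and len({m["xid"] for m in msgs}) == 1
            and msgs[2].get("requested_ip") == msgs[1]["yiaddr"] == msgs[3]["yiaddr"]
            and sid == msgs[2].get("server_id") == msgs[3].get("server_id"))

# Constructed sample: PC1 leasing 192.160.0.2 from R1 (MAC and xid are made up).
PC1, XID = bytes.fromhex("020000000001"), 0x1A2B3C4D
SRV, LEASE = socket.inet_aton("192.160.0.1"), socket.inet_aton("192.160.0.2")
SAMPLE = [build(1, XID, "0.0.0.0", PC1, [(53, b"\x01")]),
          build(2, XID, "192.160.0.2", PC1, [(53, b"\x02"), (54, SRV)]),
          build(1, XID, "0.0.0.0", PC1, [(53, b"\x03"), (50, LEASE), (54, SRV)]),
          build(2, XID, "192.160.0.2", PC1, [(53, b"\x05"), (54, SRV)])]
```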
How to Verify Everything Worked
# On R1 — confirm interface is up
R1# show ip interface brief
# On R1 — confirm leases are active
R1# show ip dhcp binding
# On any PC — confirm assigned address
PC1> show
# From PC — test connectivity to gateway
PC1> ping 192.160.0.1
What I Learned
- MACs are local, IPs are global. Every time a frame crosses a router, the Layer 2 header is completely rebuilt. The Layer 3 header is untouched.
- Wireshark placement matters. Capturing on Link 2 vs Link 1 gives completely different MAC addresses for the same ping, because the frame is re-encapsulated at R1.
- DHCP Discover and Request use broadcast at both layers — the PC literally has no address to use yet, so it shouts to everyone.
- RIPv2 with no auto-summary is essential when your subnets could be summarized incorrectly by classful routing behaviour.
- ip dhcp excluded-address must be configured before the pool, or the router's own IP could be handed to a client and cause an address conflict.
Common Mistakes
| Mistake | What Goes Wrong | Fix |
|---|---|---|
| Forgetting no shutdown on an interface | Interface stays down, no traffic flows | Always run no shutdown after assigning an IP |
| Wrong subnet in network command under RIP | Routes not advertised to the other router | Match the exact network address of each interface |
| Missing no auto-summary in RIPv2 | Classful summarization silently drops subnets | Always add no auto-summary with RIPv2 |
| Not excluding the router IP from DHCP pool | Router's own IP could be leased to a PC | Use ip dhcp excluded-address before creating the pool |
| Applying the wrong Wireshark filter | All protocols shown, hard to find what you need | Use icmp or dhcp as the display filter |
| Capturing on the wrong link | MAC addresses won't match what you expect | Understand which segment you're on before starting a capture |
Conclusion
Setting up this lab made abstract networking concepts click in a way that textbooks alone never could. Watching the MAC address change at the router boundary while the IP stays constant is one of those genuine "aha" moments. And seeing the DORA exchange live in Wireshark makes DHCP feel concrete rather than magical.
If you're learning networking and haven't tried packet capture in GNS3 yet — start here. The tools are free, the setup is repeatable, and what you see in Wireshark will stick with you far longer than any diagram.

















