**Wireshark Mini-Project: ICMP Echo Request and Reply (Ping Test)**

Project Title:
Visualizing ICMP Echo Requests and Replies Using Wireshark

Project Goal:
To capture and analyze ICMP Echo Requests and Echo Replies using Wireshark, providing a concrete view of how basic network diagnostics like ping operate at the packet level. This project focuses on identifying ICMP packet structure, understanding the request-response behavior, and reinforcing Layer 3 (network layer) concepts.

Steps:
Open Wireshark on your monitoring system (e.g., Dell OptiPlex).

Set a display filter:
icmp || icmpv6
(This isolates Internet Control Message Protocol traffic for both IP versions. A bare "icmp" filter matches only ICMPv4; on a dual-stack host, a ping to a name that publishes an AAAA record goes out as ICMPv6 and would not be shown at all.)

Begin capturing traffic on the active network interface (e.g., Wi-Fi or Ethernet).

Open a terminal or PowerShell window and run a ping to an external address, limiting the count to avoid clutter:
ping www.google.com -n 4

On Windows, -n 4 sends exactly 4 ICMP Echo Requests and receives up to 4 ICMP Echo Replies, so a loss-free run yields 8 ICMP packets, which is ideal for focused Wireshark analysis. (On Linux and macOS the count flag is -c 4.)


Stop the capture after the ping finishes.

Review the captured packets, focusing on:

ICMP Echo Request (Type 8; Type 128 for ICMPv6)

ICMP Echo Reply (Type 0; Type 129 for ICMPv6)

Round-trip timing (the reply's Info column cross-references its request as "request in N", and the expanded ICMP tree of the reply carries a generated [Response time] field)

TTL (Hop Limit for IPv6), packet length, and the Identifier and Sequence Number fields in the expanded view

What You’re Looking For (Expected Output):
Alternating request-reply packet pairs (every request should have a reply; with the filter applied, nothing else should be interleaved).

Source: your computer; Destination: the IP address resolved for www.google.com (Wireshark shows hostnames in place of addresses when name resolution is enabled).

Consistent structure:

Type: 8 for request, 0 for reply (128 and 129 if the ping went over IPv6)

Code: 0 in both cases

Identifier and Sequence Number: copied unchanged from request to reply, which is how requests and replies are matched

Checksum: a one's-complement checksum over the ICMP message (for ICMPv6, over an IPv6 pseudo-header as well); Wireshark reports a Checksum Status next to the value

RTT (Round Trip Time): the time delta between request and reply, which Wireshark computes for you as the reply's [Response time] field
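
The matching and timing that Wireshark does for you can be reproduced by hand, which is the best way to see why the identifier and sequence fields exist. The script below is an added example, not code from the project writeup: it builds ICMPv6 echo messages with correct checksums, parses the same fields Wireshark shows, validates the checksum over the IPv6 pseudo-header, and pairs replies with requests to get the response time. The Google address and the 68.785 ms gap between frames 991 and 998 come from the report; the local address (a documentation-prefix placeholder), the other frame numbers and timings, and the unanswered fifth request are constructed to exercise the "every request should have a reply" check.

```python
import struct
import ipaddress
from collections import namedtuple

# ICMPv6 echo types (RFC 4443); ICMPv4 uses 8/0 with the same 8-byte header layout.
ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY = 128, 129

# The fields Wireshark shows in the ICMPv6 tree for an echo message.
Echo = namedtuple("Echo", "frame time src dst type code ident seq checksum_ok")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; returns the checksum value."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_pseudo_header(src: str, dst: str, length: int) -> bytes:
    """IPv6 pseudo-header covered by the ICMPv6 checksum: addresses, length, next header 58."""
    return (ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", length, 58))


def build_echo(src, dst, icmp_type, ident, seq, payload):
    """Serialize an ICMPv6 echo message with a valid checksum (used here to construct sample frames)."""
    msg = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    csum = inet_checksum(icmpv6_pseudo_header(src, dst, len(msg)) + msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def parse_echo(frame, time, src, dst, msg):
    """Decode type, code, identifier and sequence, and validate the checksum the way
    Wireshark's [Checksum Status] does: the sum over pseudo-header plus the whole
    message (checksum field included) is zero when the packet is intact."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    ok = inet_checksum(icmpv6_pseudo_header(src, dst, len(msg)) + msg) == 0
    return Echo(frame, time, src, dst, icmp_type, code, ident, seq, ok)


def pair_echoes(echoes):
    """Match each reply to its request on (addresses, identifier, sequence), as Wireshark's
    'reply in'/'request in' cross-references do. Returns (req_frame, reply_frame, seq, rtt_ms)
    tuples plus the sequence numbers of requests that never received a reply."""
    pending, pairs = {}, []
    for e in sorted(echoes, key=lambda e: e.time):
        if e.type == ICMPV6_ECHO_REQUEST:
            pending[(e.src, e.dst, e.ident, e.seq)] = e
        elif e.type == ICMPV6_ECHO_REPLY:
            req = pending.pop((e.dst, e.src, e.ident, e.seq), None)
            if req is not None:
                pairs.append((req.frame, e.frame, e.seq, round((e.time - req.time) * 1000, 3)))
    unanswered = sorted(r.seq for r in pending.values())
    return pairs, unanswered


# Constructed sample capture. The Google address and frames 991/998 with their 68.785 ms
# spacing come from the report; the local address is a documentation-prefix placeholder
# (the capture shows only the hostname) and the other frame numbers and timings are made up.
LOCAL = "2001:db8::1"
GOOGLE = "2607:f8b0:4023:1009::63"
PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # Windows ping's default 32-byte data
SAMPLE_FRAMES = [  # (frame, time_s, src, dst, type, identifier, sequence)
    (991, 0.000000, LOCAL, GOOGLE, ICMPV6_ECHO_REQUEST, 0x0001, 16),
    (998, 0.068785, GOOGLE, LOCAL, ICMPV6_ECHO_REPLY, 0x0001, 16),
    (1041, 1.000000, LOCAL, GOOGLE, ICMPV6_ECHO_REQUEST, 0x0001, 17),
    (1047, 1.061200, GOOGLE, LOCAL, ICMPV6_ECHO_REPLY, 0x0001, 17),
    (1106, 2.000000, LOCAL, GOOGLE, ICMPV6_ECHO_REQUEST, 0x0001, 18),
    (1112, 2.062500, GOOGLE, LOCAL, ICMPV6_ECHO_REPLY, 0x0001, 18),
    (1180, 3.000000, LOCAL, GOOGLE, ICMPV6_ECHO_REQUEST, 0x0001, 19),
    (1187, 3.063400, GOOGLE, LOCAL, ICMPV6_ECHO_REPLY, 0x0001, 19),
    (1251, 4.000000, LOCAL, GOOGLE, ICMPV6_ECHO_REQUEST, 0x0001, 20),  # constructed: reply lost
]


def analyze_sample():
    """Parse the constructed frames and return pairs, unanswered sequences and checksum status."""
    echoes = [parse_echo(f, t, s, d, build_echo(s, d, ty, i, q, PAYLOAD))
              for f, t, s, d, ty, i, q in SAMPLE_FRAMES]
    pairs, unanswered = pair_echoes(echoes)
    return {"pairs": pairs, "unanswered": unanswered,
            "checksums_ok": all(e.checksum_ok for e in echoes)}


if __name__ == "__main__":
    result = analyze_sample()
    for req, rep, seq, rtt in result["pairs"]:
        print(f"seq={seq}: request frame {req} -> reply frame {rep}, response time {rtt} ms")
    print("unanswered sequences:", result["unanswered"], "| all checksums valid:", result["checksums_ok"])
```

The pairing key deliberately includes both addresses: a reply carrying the right identifier and sequence but arriving from an address other than the one pinged is exactly the kind of packet an analyst wants to notice rather than silently accept, and a request with no matching reply shows up in the unanswered list instead of being lost in the noise.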

**Educational Value / Cybersecurity Relevance:**
Why is this relevant to cybersecurity?

ICMP is a reconnaissance vector:
Attackers use ICMP Echo for host discovery (ping sweeps), and ICMP is also the carrier for amplification attacks such as Smurf, where requests are sent to a broadcast address with the victim's spoofed source so that every host on the segment replies to the victim.
Understanding how it works helps analysts detect abnormal ICMP behavior.

Analyzing network reachability:
ICMP traffic is used in incident response to test device availability (e.g., "Is this endpoint online?").

Central to anomaly detection:
In SIEM platforms and packet captures, unexpected spikes in ICMP traffic are often tied to malicious behavior, such as:

Botnet beaconing and covert channels (ICMP tunneling hides command-and-control or exfiltrated data in the echo payload, so oversized or non-standard payloads matter as much as volume)

DDoS attempts (ICMP floods and reflected Smurf-style traffic)

Lateral movement probes (a sweep of an internal subnet from a single host)

Network hardening decisions:
Some organizations restrict ICMP at the firewall level to avoid abuse. Dropping all ICMP is a common mistake: Path MTU Discovery depends on ICMP Destination Unreachable (Fragmentation Needed) and ICMPv6 Packet Too Big, and IPv6 cannot function without ICMPv6 Neighbor Discovery, so the usual compromise is to rate-limit Echo and permit the error and informational types the network needs.
A cybersecurity analyst must know what ICMP traffic looks like and why it matters.
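
The two detections named above, a ping sweep (one source touching many destinations) and an ICMP flood (one source sending at a high rate), can be scripted over per-packet records such as a tshark field export or a flow feed. The script below is an added example, not part of the project writeup; the record layout (time, src, dst, icmp_type), the sliding-window thresholds and the 10.0.0.x sources are assumptions, and the sample records are constructed so that the report's four-packet ping classifies as normal alongside an invented sweeper and an invented flooder.

```python
from collections import defaultdict, deque

ECHO_REQUEST_TYPES = {8, 128}  # ICMPv4 and ICMPv6 Echo Request


def icmp_request_stats(records, window=10.0):
    """records: (time_s, src, dst, icmp_type) tuples, e.g. columns exported from a capture.
    For each source, keep the Echo Requests inside a sliding time window and return the peak
    number of distinct destinations and the peak request rate (requests per second) observed."""
    recent = defaultdict(deque)
    peak_hosts, peak_rate = defaultdict(int), defaultdict(float)
    for t, src, dst, icmp_type in sorted(records):
        if icmp_type not in ECHO_REQUEST_TYPES:
            continue  # replies and error messages do not count toward scanning activity
        q = recent[src]
        q.append((t, dst))
        while t - q[0][0] > window:
            q.popleft()
        peak_hosts[src] = max(peak_hosts[src], len({d for _, d in q}))
        peak_rate[src] = max(peak_rate[src], len(q) / window)
    return {src: (peak_hosts[src], peak_rate[src]) for src in recent}


def classify(stats, sweep_hosts=8, flood_pps=20.0):
    """Illustrative thresholds: many distinct targets within one window reads as a ping sweep,
    a high sustained rate to few targets as a flood; a single ping -n 4 stays well below both."""
    verdicts = {}
    for src, (hosts, rate) in stats.items():
        if hosts >= sweep_hosts:
            verdicts[src] = "ping sweep"
        elif rate >= flood_pps:
            verdicts[src] = "icmp flood"
        else:
            verdicts[src] = "normal"
    return verdicts


# Constructed records: the four-packet ping from the report (with its replies), plus an
# invented sweeper probing 20 addresses in one second and an invented flooder sending
# 300 requests to one host in under a second. The local address is a placeholder.
LOCAL, GOOGLE = "2001:db8::1", "2607:f8b0:4023:1009::63"
SAMPLE_RECORDS = (
    [(float(i), LOCAL, GOOGLE, 128) for i in range(4)]
    + [(float(i) + 0.064, GOOGLE, LOCAL, 129) for i in range(4)]
    + [(100.0 + 0.05 * i, "10.0.0.99", f"10.0.0.{i + 1}", 8) for i in range(20)]
    + [(200.0 + 0.003 * i, "10.0.0.77", "10.0.0.5", 8) for i in range(300)]
)

if __name__ == "__main__":
    stats = icmp_request_stats(SAMPLE_RECORDS)
    for src, verdict in classify(stats).items():
        hosts, rate = stats[src]
        print(f"{src}: {verdict} (peak {hosts} distinct targets, peak {rate:.1f} req/s)")
```

Only Echo Requests feed the counters: counting replies would let a reflected attack make the victim look like the scanner. Thresholds need tuning per network, since monitoring systems that legitimately ping every host will trip a naive sweep rule and belong on an allow list.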

**Wireshark ICMP Echo Request and Reply (Ping Test)**

Goal:
To observe and analyze the ICMP echo request and echo reply behavior using a simple ping command and Wireshark packet capture. This project reinforces the structure of ICMP packets, IPv6 behavior, and the concept of hop limits in internet communication.

Summary of Events and Observations:
Ping Command Execution (PowerShell Terminal):
The following command was executed on the Windows system:
**ping www.google.com -n 4**

Output:
Four ICMP Echo Requests were sent.
Four ICMP Echo Replies were received.
Destination resolved to an IPv6 address: 2607:f8b0:4023:1009::63.
Response times averaged ~64ms.
Zero packet loss was reported.

Wireshark Packet Capture:
The capture interface used was Wi-Fi.
The display filter icmpv6 was applied post-capture using the display filter bar (a plain icmp filter would have matched nothing, since the ping ran over IPv6).
Out of hundreds of packets, eight were identified as related to the ping test:
Four Echo Requests and Four Echo Replies.

Packet Details (Selected Pair):

Frame 991 – ICMPv6 Echo Request:
Source: DESKTOP-UPKRV33.attlocal.net (shown as a hostname because Wireshark's name resolution was enabled)
Destination: www.google.com (resolved address 2607:f8b0:4023:1009::63)
Hop Limit: 128 (the Windows default initial value, seen unchanged because the capture runs on the sending host)
Identifier: 0x0001
Sequence: 16

Frame 998 – ICMPv6 Echo Reply:
Source: www.google.com
Destination: DESKTOP-UPKRV33.attlocal.net
Hop Limit: 54
Identifier: 0x0001
Sequence: 16
Response Time: 68.785 ms

**Key Interpretations:**

Echo Request/Reply Structure:
ICMPv6 packets maintain the same conceptual structure as IPv4 ICMP. A Type 128 is an echo request, and a Type 129 is an echo reply. Sequence numbers and identifiers allow tracking of individual requests and replies.

IPv6 In Use:
The ping to www.google.com resolved to an IPv6 address because the name publishes both A and AAAA records and the Windows stack, like other modern stacks, prefers an IPv6 destination when the host has IPv6 connectivity (RFC 6724 address selection). It is the client's choice rather than the server's; running ping -4 www.google.com -n 4 would exercise the ICMPv4 path for comparison, with Types 8 and 0 in place of 128 and 129.

Hop Limit Analysis:
The outbound Echo Request left with a Hop Limit of 128, the Windows default. The reply arrived with a Hop Limit of 54, but the outbound value says nothing about that number: the reply's initial Hop Limit was set by Google's responding host, not by the Windows machine, so 128 – 54 = 74 is not a hop count (74 hops would also be far longer than any realistic internet path). Stacks commonly start at 64, 128 or 255; 54 sits just below 64, so the reply most likely started at 64 and crossed about 10 routers on the return path. This is a heuristic, since a sender can configure any initial value.
The decrementing Hop Limit (like the IPv4 TTL) is what traceroute relies on for path discovery, and it is a useful cybersecurity signal as well: an initial value inconsistent with a host's known operating system, or a hop count that shifts between packets from the same source address, suggests spoofing or a route change.

Security Analysis Context:
Relevance in Cybersecurity Workflows:
While ICMP Echo Requests are simple and often overlooked, analyzing them is a core part of understanding:

Basic network reachability

Routing paths

Detection of misconfigured or spoofed hosts

Network mapping in reconnaissance

Anomalies like ICMP floods or scanning activity

Hop Limit (TTL) Use in Threat Hunting:

Abnormal or inconsistent hop counts are sometimes used to:

Detect Man-in-the-Middle attacks

Uncover IP spoofing

Identify unauthorized routing changes
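
The hop-limit reasoning from the analysis above and the threat-hunting uses just listed come down to two small functions: infer the likely initial value and hop count from an observed Hop Limit, then flag packets whose implied origin stack or path length no longer matches the baseline for that source. The script below is an added example, not code from the project; the set of common initial values, the tolerance of two hops and the two invented anomalous frames (1300 and 1350) are assumptions, while the four replies with Hop Limit 54 mirror the report.

```python
# Initial TTL / Hop Limit values that real stacks commonly use (64 for Linux and most server
# stacks, 128 for Windows, 255 for some routers). The heuristic assumes the sender used one of
# these, which a deliberately configured host need not do.
COMMON_INITIAL_HOP_LIMITS = (64, 128, 255)


def estimate_hops(observed: int):
    """Return (assumed initial value, routers traversed): the smallest common initial value
    at or above the observed Hop Limit. A reply seen with 54 gives (64, 10); the outbound
    request captured on the sending host with 128 gives (128, 0)."""
    for initial in COMMON_INITIAL_HOP_LIMITS:
        if observed <= initial:
            return initial, initial - observed
    raise ValueError(f"hop limit {observed} out of range")


def hop_limit_anomalies(records, tolerance=2):
    """records: (frame, src, observed_hop_limit). The first packet from each source sets its
    baseline; later packets are flagged when the implied initial value changes (a different
    stack answering as that address, i.e. likely spoofing) or the hop count shifts by more
    than `tolerance` (a route change, or interception that inserts hops)."""
    baseline, alerts = {}, []
    for frame, src, hop_limit in records:
        initial, hops = estimate_hops(hop_limit)
        if src not in baseline:
            baseline[src] = (initial, hops)
            continue
        base_initial, base_hops = baseline[src]
        if initial != base_initial or abs(hops - base_hops) > tolerance:
            alerts.append((frame, src, hop_limit,
                           f"baseline {base_hops} hops from initial {base_initial}, "
                           f"now {hops} hops from initial {initial}"))
    return alerts


# Constructed sample: the four replies mirror the report (Hop Limit 54 from Google's address);
# frames 1300 and 1350 are invented to trigger the two alert conditions.
GOOGLE = "2607:f8b0:4023:1009::63"
SAMPLE_REPLIES = [
    (998, GOOGLE, 54), (1047, GOOGLE, 54), (1112, GOOGLE, 54), (1187, GOOGLE, 54),
    (1300, GOOGLE, 120),  # implies initial 128: a Windows-like stack answering as Google
    (1350, GOOGLE, 47),   # initial 64 but 17 hops: the return path changed
]

if __name__ == "__main__":
    print("reply with Hop Limit 54 ->", estimate_hops(54))
    for frame, src, hop_limit, why in hop_limit_anomalies(SAMPLE_REPLIES):
        print(f"frame {frame} from {src}, hop limit {hop_limit}: {why}")
```

A baseline taken from a single packet is fragile; in practice the first observation would come from a learning period or from a known-good capture, and a source whose first packet is itself spoofed will produce a wrong baseline rather than an alert, which is why this check complements rather than replaces ingress filtering.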

**Conclusion:**

This project demonstrated how a basic ping test, when combined with Wireshark analysis, reveals rich layers of networking insight. By capturing and analyzing just eight packets, we were able to confirm IPv6 communication, match each reply to its request through the shared identifier and sequence number, and estimate route distance from the reply's Hop Limit value.
