1. Use Wireshark to observe the working process of the ARP protocol and the ping command
ipconfig /all
arp -d (run as administrator)
ether host A0-A4-C5-62-70-2D and (arp or icmp)
ping 10.110.103.152
Now we can see:
Because arp -d has cleared the local ARP cache, the local machine cannot find the MAC address in its ARP table, so it holds the data packet and sends an ARP request as a broadcast.
Only the host whose address is requested processes the request (here, the default gateway).
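The broadcast request and the reply that answers it, decoded from raw frame bytes, as an added example that is not part of the original notes. Only the MAC A0-A4-C5-62-70-2D comes from the page's filter; the local IP, gateway IP and gateway MAC are constructed sample values.

```python
import struct

BROADCAST = "ff-ff-ff-ff-ff-ff"

def mac(b):
    return "-".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "op": {1: "request", 2: "reply"}.get(op, "other"),
        "sender_mac": mac(sha), "sender_ip": ".".join(map(str, spa)),
        "target_mac": mac(tha), "target_ip": ".".join(map(str, tpa)),
        "broadcast": mac(dst) == BROADCAST,
    }

def resolve(frames):
    """Pair each broadcast request with the reply that answers it."""
    pending, resolved = set(), {}
    for a in filter(None, map(parse_arp, frames)):
        if a["op"] == "request" and a["broadcast"]:
            pending.add(a["target_ip"])
        elif a["op"] == "reply" and a["sender_ip"] in pending:
            pending.discard(a["sender_ip"])
            resolved[a["sender_ip"]] = a["sender_mac"]
    return resolved

def build(eth_dst, op, sha, spa, tha, tpa):
    """Build a constructed 42-byte ARP frame for the offline demo."""
    m = lambda s: bytes.fromhex(s.replace("-", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return (m(eth_dst) + m(sha) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + m(sha) + i(spa) + m(tha) + i(tpa))

LOCAL_MAC = "a0-a4-c5-62-70-2d"                 # MAC from the page's capture filter
LOCAL_IP, GW_IP = "10.110.0.10", "10.110.0.1"   # constructed addresses
GW_MAC = "02-00-00-00-00-01"                    # constructed gateway MAC
REQUEST = build(BROADCAST, 1, LOCAL_MAC, LOCAL_IP, "00-00-00-00-00-00", GW_IP)
REPLY = build(LOCAL_MAC, 2, GW_MAC, GW_IP, LOCAL_MAC, LOCAL_IP)

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(parse_arp(frame))
    print(resolve([REQUEST, REPLY]))
```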
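2. Use Wireshark to observe how the tracert command works:
Tracert first sends echo packets with a TTL of 1, then increments the TTL by 1 on each subsequent transmission until the target responds or the TTL reaches its maximum value, thereby determining the route. The route is determined by examining the "ICMP Time Exceeded" messages sent back by the intermediate routers.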
3. Use Wireshark to observe the establishment and termination of TCP connections
First configure the filtering rules:
ether host A0-A4-C5-62-70-2D and (tcp port 23)
Open the Telnet client.
Next we can see how the TCP connection is established and released.
4. Use Wireshark to observe the process of domain name resolution using DNS
ether host A0-A4-C5-62-70-2D and (udp port 53)