This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do you decode an Ethernet Frame?

0

For example: How would one decode the following ethernet frame?

00 26 b9 e8 7e f1 00 12 f2 21 da 00 08 00 45 00 05 dc e3 cd 20 10 35 06 25 eb 0a 0a 0a 02 c0 a8 01 03 c3 9e 0f 40 00 00 10 00 00 00 14 00 70 10 00 5c 59 99 00 00 02 04 05 b4 01 03 03 06 00 00 01 98 64 34 e8 90 84 98 20 12 18 19 04 85 80 00

I know that the first 6 bytes are the MAC destination address: 00 26 b9 e8 7e f1. The next 6 bytes are the source MAC address: 00 12 f2 21 da 00. The next 2 bytes show the Ethernet type: 08 00. The next 4 bytes are: 45 00... IPv4... "5" the number of bytes in the header.. and "00" means there are no differentiated services.

What I don't know is what anything after that is or how to read it.

Anyone help?

asked 30 Apr '14, 08:29

aharmon1
1111
accept rate: 0%


One Answer:

0

Uhm, try Wireshark? It decodes it for you?

You can select the decoded fields and see which bytes are selected in the hex view, which is what the decode is based upon. Other than that you're probably going to read RFCs if you want to know how the protocols are structured in greater detail.

answered 30 Apr '14, 08:29

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 30 Apr '14, 08:31

I know Wireshark does it for you but I want to learn how to read it without the use of Wireshark.

(30 Apr '14, 08:30) aharmon1

Ok, as I added in my edit: play with Wireshark, see what it decodes to what, and other than that, books and RFCs ;-)

E.g: http://www.ietf.org/rfc/rfc791.txt Section 3.1

(30 Apr '14, 08:31) Jasper ♦♦
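
A hand decode of the frame from the question, following the Ethernet II layout and the IPv4 header format in RFC 791 Section 3.1. This is an added example, not part of the original thread and not Wireshark code; the function and key names are illustrative. It also verifies the header checksum and uses the fragment offset to decide whether the bytes after the IP header can be read as a transport header at all.

```python
import struct
from ipaddress import IPv4Address

# The frame from the question, byte for byte (80 bytes were posted).
FRAME = bytes.fromhex(
    "00 26 b9 e8 7e f1 00 12 f2 21 da 00 08 00 45 00 05 dc e3 cd 20 10 35 06 "
    "25 eb 0a 0a 0a 02 c0 a8 01 03 c3 9e 0f 40 00 00 10 00 00 00 14 00 70 10 "
    "00 5c 59 99 00 00 02 04 05 b4 01 03 03 06 00 00 01 98 64 34 e8 90 84 98 "
    "20 12 18 19 04 85 80 00"
)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def checksum_ok(header):
    # RFC 791: the one's-complement sum of all 16-bit header words is 0xffff
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(frame):
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet II header")
    out = {"dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
           "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if out["ethertype"] != 0x0800 or len(frame) < 34:
        return out  # not IPv4, or too short for an IPv4 header: stop here
    ip = frame[14:]
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4  # IHL counts 32-bit words, so bytes = IHL * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    frag_offset = (flags_frag & 0x1FFF) * 8  # field is in 8-byte units
    out.update(
        version=4, header_len=ihl, tos=tos, total_len=total_len, ident=ident,
        dont_fragment=bool(flags_frag & 0x4000),
        more_fragments=bool(flags_frag & 0x2000),
        frag_offset=frag_offset, ttl=ttl, protocol=proto,
        src_ip=str(IPv4Address(src)), dst_ip=str(IPv4Address(dst)),
        checksum_ok=checksum_ok(ip[:ihl]), captured_payload=len(ip) - ihl,
        has_l4_header=frag_offset == 0,  # only fragment 0 starts with TCP/UDP
    )
    return out

if __name__ == "__main__":
    for key, value in decode(FRAME).items():
        print(f"{key:16} {value}")
```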