This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Client/Server socket application sniff ?

0

I have done a small c# client/server chat with simple auth that runs on the tcp port 8822, I would like to sniff it to learn more about how the packets work and everything, I can capture the packets just fine but I am wondering about what I am seeing at the wireshark.

For example the first entry:

0000  00 30 b8 d3 d6 30 00 1f  d0 d2 28 52 08 00 45 00   .0...0.. ..(R..E.
0010  00 30 05 d3 40 00 80 06  8b 62 c9 50 d7 cd ae 24   [email protected] .b.P...$
0020  1a 50 6e bc 21 ef 0f c6  bc 34 00 00 00 00 70 02   .Pn.!... .4....p.
0030  ff ff bc e6 00 00 02 04  05 b4 01 01 04 02         ........ ......

How do I define where it starts and how do I read it ?

Unrealistic example 00 30 b8 d3 is a 4 byte and translates to 123123 or I should discard the first byte or first 2 bytes as trash data...

Is the first entry in the above code tag the raw packets or not ?

PS: if you are going to post books, please instead post links that maybe be hand and readable online without fees, thanks for the understanding.

EDIT:

So I have started understanding some of it:

header ? 00 30 b8 d3 d6 30 00 1f  d0 d2 28 52 08 00 
header size ? 45

asked 27 May '11, 21:20

Prixone's gravatar image

Prixone
6114
accept rate: 0%

edited 27 May '11, 22:01

2 Answers:

2

Have you looked at the decode pane of Wireshark, or just the hex view? The decode pane will decode most of the packet for you except the payload.

For example: the byte example 00 30 b8 d3 is neither a 4 byte value nor trash data, it's the first 4 bytes of the receiving MAC address (which is 00 30 b8 d3 d6 30). The sender's MAC is the next 6 bytes (00 1f d0 d2 28 52), and after that comes the 2 byte value for the ethertype (08 00, which means this is an IP packet). The 45 is indeed a combination of the header length as well as the IP protocol type, which is TCP in this case.

All of this you can see by looking at the decode pane. If you want to know which bytes are decoded to what you can mark them in the hex view and the decode pane will show you exactly what they mean (as far as there's a dissector that understands that part of the packet).

answered 28 May '11, 02:25

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 28 May '11, 02:29

@Jasper thanks for the compreensive answer, I wasnt aware of the click navigation thing until I read it here then I noticed that not only on the hex but on the bytes I could click and it would iterate with the above window to guide me thru what I was clicking at. Would all the initial data be considered as the header then and the payload the sent information for example ?

(28 May '11, 11:15) Prixone

Payload is what is transported by the packet, or, in short, everything after all protocol headers that are neccessary to transport it. So in your case, if you send application data via TCP, that will be the payload (or "sent information").

The bytes you quoted are only headers: Ethernet, IP, TCP, with TCP having a payload length of zero, meaning, there is no payload in the packet. Not surprising, since it's a SYN packet, which is used to establish the TCP session as part of the initial TCP three way handshake.

(29 May '11, 02:52) Jasper ♦♦

1

As this is the Wireshark Q&A site, I'm sure you have Wireshark installed. You can put your hexadecimal data in a text file and use "File -> Import" in (a recent) release of WIreshark to import it and it will show you exactly what each byte in your stream means...

Here is what you will see:

Frame 1: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
    Arrival Time: May 28, 2011 14:36:15.000000000 CEST
    Epoch Time: 1306586175.000000000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 62 bytes (496 bits)
    Capture Length: 62 bytes (496 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: TCP SYN]
    [Coloring Rule String: tcp.flags.syn==1]
Ethernet II, Src: Giga-Byt_d2:28:52 (00:1f:d0:d2:28:52), Dst: Riverdel_d3:d6:30 (00:30:b8:d3:d6:30)
    Destination: Riverdel_d3:d6:30 (00:30:b8:d3:d6:30)
        Address: Riverdel_d3:d6:30 (00:30:b8:d3:d6:30)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Giga-Byt_d2:28:52 (00:1f:d0:d2:28:52)
        Address: Giga-Byt_d2:28:52 (00:1f:d0:d2:28:52)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 201.80.215.205 (201.80.215.205), Dst: 174.36.26.80 (174.36.26.80)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 48
    Identification: 0x05d3 (1491)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Header checksum: 0x8b62 [correct]
        [Good: True]
        [Bad: False]
    Source: 201.80.215.205 (201.80.215.205)
    Destination: 174.36.26.80 (174.36.26.80)
Transmission Control Protocol, Src Port: 28348 (28348), Dst Port: 8687 (8687), Seq: 0, Len: 0
    Source port: 28348 (28348)
    Destination port: 8687 (8687)
    [Stream index: 0]
    Sequence number: 0    (relative sequence number)
    Header length: 28 bytes
    Flags: 0x02 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgement: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 8687]
                [Message: Connection establish request (SYN): server port 8687]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
    Window size value: 65535
    [Calculated window size: 65535]
    Checksum: 0xbce6 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        No-Operation (NOP)
        No-Operation (NOP)
        TCP SACK Permitted Option: True
    [Timestamps]
        [Time since first frame in this TCP stream: 0.000000000 seconds]
        [Time since previous frame in this TCP stream: 0.000000000 seconds]

answered 28 May '11, 05:39

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

@SYNbit thanks that helps a lot, I just started messing with wireshark and was aware of this panel but not entirely on how it worked until now.

(28 May '11, 11:15) Prixone