This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

my task was to retrieve certain information from this frame.

01 28 c7 f9 6c e2 11 34 b4 c9 ad 20 08 00 45 00
04 ce a2 dd 30 01 48 06 12 2e 9e 41 6e df 80 77
f0 d4 32 77 00 53 01 10 01 11 01 02 21 22 70 14
01 01 10 cd 00 00 02 04 01 04 01 03 03 02 10 01
20 79 ef 21 df e1 12 67 23 12 ae ff ff 45 70 02
I was able to pull out header lengths and frag offsets and answer every other question except for Determine the window size and determine total bytes received from host. Even after plugging it into a packet decoder like https://www.gasmi.net/hpd/
Any ideas on how to solve for these? Thanks community!

asked 03 May '16, 14:19

murph%20fish's gravatar image

murph fish
6113
accept rate: 0%

edited 03 May '16, 20:14

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118


I was assigned a homework assignment

And, given that the purpose of a homework assignment is to determine what the person to whom the assignment was given knows - i.e., what you know - we shouldn't give you an answer, but should point you in the right direction to look for an answer.

The first 14 bytes of data are the Ethernet header; there's a "type/length" field that indicates what comes after it.

If it has a value that indicates that it's IPv4, what comes after that is an IPv4 header; that header has a field that indicates what comes after the IPv4 header.

If that field indicates that it's TCP, what comes after the IPv4 header is a TCP segment header; from that you can determine the information you're looking for.

Find some descriptions of the headers in question - the text for your class probably either has those descriptions or tells you where to find them - and use them to analyze the packet.

permanent link

answered 03 May '16, 15:39

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

1

And, no, editing your question to remove "I was assigned a homework assignment" doesn't mean people won't know you were given a homework assignment. You can't undo that....

(03 May '16, 18:05) Guy Harris ♦♦

^^ I am not looking for an answer here but I need more direction than that. I have no idea where to look for window size and such. I believe it is under options but I can't find it

(04 May '16, 08:21) murph fish

Google on "window size" and see what protocol contains a window size field. In the packet decoder, expand that protocol and inspect ALL the fields.

Or just expand every section in the protocol decoder one by one and go through the list looking at each field. It's there.

And since this is a Wireshark Q & A site: It might be easier to load the packets into Wireshark and examine the fields there than using an online protocol decoder.

(04 May '16, 08:39) Jim Aragon

^^ That is the other problem. When loaded into wireshark I get a malformed packet. It doesn't show the TCP segment where I would find the window information.

(04 May '16, 08:48) murph fish

Well, what does it show in Wireshark? I.e. are some of the layers displayed properly, and only TCP is malformed? How exactly did you "load it into Wireshark"?

(04 May '16, 12:08) sindy

https://www.gasmi.net/hpd/ turns the packet into something that it hands to the Wireshark dissector. It's reporting some errors, and it's correct to do so.

You might want to tell the instructor about the problems in that frame.

(04 May '16, 12:32) Guy Harris ♦♦

Well, my reason for "asking" was to point out that @murph fish may have not chosen the proper encapsulation when importing the frame, but yes, importing it as any other encapsulation type than Ethernet causes it to be dissected even less successfully. Maybe there is a copy-paste error as the dissection shows several distinct issues, not just a single one?

(04 May '16, 12:57) sindy

@Guy Harris @sindy Thank you both for your replies. This is why I reached out to the forum here. The scenario was host B receives an Ethernet frame from Host A. He then only gave the Ethernet Frame as a hexadecimal string like the one I posted above. No copy and paste mistakes either. If in that case it is confirmed that something is wrong with the data itself then I am happy to accept that answer because I think I am missing info as well. Oh and sindy I loaded it into wireshark using something I found on git hub which worked for other examples but not the one posted above. Thanks again, really appreciate it.

(04 May '16, 13:18) murph fish
1

Okay, so let me just draw your attention to the fact that Wireshark can import from hex dump directly, using File -> Import from Hex Dump. The only thing you need to do is to save the hex stream into a text file, replace the end of line characters with spaces, and prepend the resulting single line of hex data with 0000 (including the space) to indicate the offset of the first byte. If you'd need to import several packets, you'd just leave empty lines between them.

Using the information obtained from the Wireshark dissection, are you able to explain to your instructor what exactly is wrong with the packet and why the TCP window size cannot be found in it? Maybe that was the actual goal of the assignment :-)

(04 May '16, 13:29) sindy
showing 5 of 9 show 4 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×32
×28
×23
×5

question asked: 03 May '16, 14:19

question was seen: 1,400 times

last updated: 04 May '16, 13:29

p​o​w​e​r​e​d by O​S​Q​A