my task was to retrieve certain information from this frame. I was able to pull out header lengths and frag offsets and answer every other question except for Determine the window size and determine total bytes received from host. Even after plugging it into a packet decoder like https://www.gasmi.net/hpd/Any ideas on how to solve for these? Thanks community! asked 03 May '16, 14:19 murph fish edited 03 May '16, 20:14 Jim Aragon |
One Answer:
And, given that the purpose of a homework assignment is to determine what the person to whom the assignment was given knows - i.e., what you know - we shouldn't give you an answer, but should point you in the right direction to look for an answer. The first 14 bytes of data are the Ethernet header; there's a "type/length" field that indicates what comes after it. If it has a value that indicates that it's IPv4, what comes after that is an IPv4 header; that header has a field that indicates what comes after the IPv4 header. If that field indicates that it's TCP, what comes after the IPv4 header is a TCP segment header; from that you can determine the information you're looking for. Find some descriptions of the headers in question - the text for your class probably either has those descriptions or tells you where to find them - and use them to analyze the packet. answered 03 May '16, 15:39 Guy Harris ♦♦ showing 5 of 9 show 4 more comments |
And, no, editing your question to remove "I was assigned a homework assignment" doesn't mean people won't know you were given a homework assignment. You can't undo that....
^^ I am not looking for an answer here but I need more direction than that. I have no idea where to look for window size and such. I believe it is under options but I can't find it
Google on "window size" and see what protocol contains a window size field. In the packet decoder, expand that protocol and inspect ALL the fields.
Or just expand every section in the protocol decoder one by one and go through the list looking at each field. It's there.
And since this is a Wireshark Q & A site: It might be easier to load the packets into Wireshark and examine the fields there than using an online protocol decoder.
^^ That is the other problem. When loaded into wireshark I get a malformed packet. It doesn't show the TCP segment where I would find the window information.
Well, what does it show in Wireshark? I.e. are some of the layers displayed properly, and only TCP is malformed? How exactly did you "load it into Wireshark"?
https://www.gasmi.net/hpd/ turns the packet into something that it hands to the Wireshark dissector. It's reporting some errors, and it's correct to do so.
You might want to tell the instructor about the problems in that frame.
Well, my reason for "asking" was to point out that @murph fish may have not chosen the proper encapsulation when importing the frame, but yes, importing it as any other encapsulation type than Ethernet causes it to be dissected even less successfully. Maybe there is a copy-paste error as the dissection shows several distinct issues, not just a single one?
@Guy Harris @sindy Thank you both for your replies. This is why I reached out to the forum here. The scenario was host B receives an Ethernet frame from Host A. He then only gave the Ethernet Frame as a hexadecimal string like the one I posted above. No copy and paste mistakes either. If in that case it is confirmed that something is wrong with the data itself then I am happy to accept that answer because I think I am missing info as well. Oh and sindy I loaded it into wireshark using something I found on git hub which worked for other examples but not the one posted above. Thanks again, really appreciate it.
Okay, so let me just draw your attention to the fact that Wireshark can import from hex dump directly, using
File -> Import from Hex Dump
. The only thing you need to do is to save the hex stream into a text file, replace the end of line characters with spaces, and prepend the resulting single line of hex data with0000
(including the space) to indicate the offset of the first byte. If you'd need to import several packets, you'd just leave empty lines between them.Using the information obtained from the Wireshark dissection, are you able to explain to your instructor what exactly is wrong with the packet and why the TCP window size cannot be found in it? Maybe that was the actual goal of the assignment :-)