This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to read packets

0

Again, I'm a total beginner in terms of computer technology.

So could someone give me some sort of a guideline or reference as to how to read packets and what they mean, in "layman's" terms?

Thanks again.

asked 05 Nov '11, 11:30


Iapologize
1222
accept rate: 0%


One Answer:

0

I would start here and start clicking the links in the Terminology section to dig deeper. In particular, read about the OSI Model if you want to know what the purpose is of the different layers you might see when you take a look at packets using a capturing tool.

How to read packets varies greatly depending on what link type and protocol type you're using. For most people this probably means starting by interpreting the Ethernet frame.

If you look at an Ethernet frame in Wireshark, the first thing you'll see is the destination MAC address. This tells you which device the packet is destined for, or if it's a broadcast or multicast address (intended for multiple devices). The Ethertype field indicates which kind of protocol the device reading the packet should use to interpret the rest of the packet. The various kinds of protocols which might operate over Ethernet are defined by IANA.

If a device on an Ethernet network reads a packet and determines the protocol is IPv4, it would then go on to interpret the IPv4 header and determine what kind of IP packet is inside. (Some possibilities are TCP, UDP, or ICMP - your web browser talks TCP, for example.)

Good luck!

answered 07 Nov '11, 17:39


MikeP
12
accept rate: 0%

edited 07 Nov '11, 17:57
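The layer-by-layer walk the answer describes (destination MAC, EtherType, then the IPv4 header and its Protocol field, then the TCP header) as an added worked example; this is not code from the original thread or from Wireshark. It uses only the Python standard library. The sample frame is constructed by hand for this example, with private and documentation-range IP addresses, and is not a real capture; the field names and dictionary layout are this example's own choices.

```python
import struct
import ipaddress

# Constructed sample (not a real capture): a minimal Ethernet II frame carrying
# an IPv4 packet that carries a TCP SYN to port 80. Every field is hand-filled
# so the dissection below can be checked by eye against the bytes.
SAMPLE_FRAME = bytes.fromhex(
    "00 11 22 33 44 55"   # Ethernet: destination MAC (unicast)
    "66 77 88 99 aa bb"   # Ethernet: source MAC
    "08 00"               # Ethernet: EtherType 0x0800 = IPv4
    "45 00 00 28"         # IPv4: version 4, IHL 5 (20 bytes), DSCP/ECN, total length 40
    "00 01 00 00"         # IPv4: identification, flags + fragment offset
    "40 06 00 00"         # IPv4: TTL 64, protocol 6 = TCP, header checksum (left zero)
    "c0 a8 01 0a"         # IPv4: source 192.168.1.10
    "c6 33 64 07"         # IPv4: destination 198.51.100.7 (documentation range)
    "c3 50 00 50"         # TCP: source port 50000, destination port 80
    "00 00 00 01"         # TCP: sequence number 1
    "00 00 00 00"         # TCP: acknowledgement number
    "50 02 ff ff"         # TCP: data offset 5 (20 bytes), flags SYN, window 65535
    "00 00 00 00"         # TCP: checksum (left zero), urgent pointer
)

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Layer 2: 14-byte Ethernet II header; EtherType names what follows."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if dst == b"\xff" * 6:
        kind = "broadcast"
    elif dst[0] & 0x01:          # I/G bit of the first octet set: group address
        kind = "multicast"
    else:
        kind = "unicast"
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "dst_kind": kind,
            "ethertype": ethertype,
            "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
            "payload": frame[14:]}


def parse_ipv4(packet):
    """Layer 3: IPv4 header; the Protocol field names what comes next."""
    if len(packet) < 20:
        raise ValueError("packet too short for an IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"ttl": ttl, "protocol": proto,
            "protocol_name": IP_PROTOCOLS.get(proto, "unknown"),
            "src_ip": str(ipaddress.IPv4Address(src)),
            "dst_ip": str(ipaddress.IPv4Address(dst)),
            # total_len trims Ethernet padding; IHL skips IP options if present
            "payload": packet[ihl:total_len]}


def parse_tcp(segment):
    """Layer 4: fixed 20-byte TCP header (options, if any, are skipped)."""
    if len(segment) < 20:
        raise ValueError("segment too short for a TCP header")
    (sport, dport, seq, ack, off_flags, window,
     _csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAG_BITS if off_flags & bit]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "payload": segment[data_offset:]}


def dissect(frame):
    """Walk the layers the way the answer describes: Ethernet -> IPv4 -> TCP."""
    layers = {"ethernet": parse_ethernet(frame)}
    if layers["ethernet"]["ethertype"] == 0x0800:
        layers["ipv4"] = parse_ipv4(layers["ethernet"]["payload"])
        if layers["ipv4"]["protocol"] == 6:
            layers["tcp"] = parse_tcp(layers["ipv4"]["payload"])
    return layers


if __name__ == "__main__":
    for name, fields in dissect(SAMPLE_FRAME).items():
        print(name, {k: v for k, v in fields.items() if k != "payload"})
```

Running it prints one line per layer, which is the same top-to-bottom order Wireshark shows in its packet details pane. Each parser checks the available length before unpacking and derives the next layer's offset from the header's own length fields (IHL, data offset, total length) rather than assuming fixed sizes; a dissector that trusts those fields without checking them against the bytes actually present is the classic way a malformed frame crashes a packet analyser.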