I need some assistance getting started with Wireshark and identifying the data it is capturing. The source computer is Windows XP and the destination is Windows Server 2008. Below are a few lines from one packet of a capture. The send computer is IP address 192.10.11.227 (in hex c0 a0 0b e3) and the destination is 192.10.11.222 (in hex c0 a0 0b de). I think that the sender has the server role while the receiver is client. Contrary to my book the source address is in byte number 001A, not in the first byte. So what are bytes 0000 through 0019? Starting with byte 0034 I can identify the payload as the data sent from the application. I take that as meaning the last four bytes of the header are 0030 through 0033. Is that correct? Please post a link to a web page that provides this information. I did some searches and was unable to find a match.

Edit: after the original post, I edited off the text display on the right side to make the post more readable.
asked 24 Nov ‘11, 20:24 bkelly edited 25 Nov ‘11, 15:17 Guy Harris ♦♦ |
2 Answers:
Destination Ethernet address
Source Ethernet address
Ethernet type field = 0x0800 means IPv4
IPv4 version and header length field - version 4, 5 32-bit words or 20 bytes
IPv4 Type of Service/whatever it's called code point; 0 means "ordinary boring packet"
Total length of the IPv4 datagram; 0x05d3 = 1491 bytes
Identification - 0x215d
Flags and fragment offset - Don't Fragment and fragment offset of 0, meaning "not fragmented"
Time to live; 0x80 = 128
Protocol; 0x06 = 6 = TCP
Header checksum = 0x3be9
Source IP address = 0xc0 0x0a 0x0b 0xe3 = 192.10.11.227
Destination IP address = 0xc0 0x0a 0x0b 0xd3 = 192.10.11.222
TCP source port; 0xbf68 = 49000
TCP destination port; 0xd830 = 55344
Sequence number; 0x91da9b27 = 2447022887
Acknowledgment number; 0x7a567559 = 2052486489
Data offset; 0x5 = 5 32-bit words = 20 bytes
Flags; 0x10 = ACK
Window; 0xffff = 65535
Checksum; 0xd5ee
Urgent pointer; 0x0000 = 0
That’s all TCP payload. It starts at 0x0036, not 0x0034; it’s preceded by 14 bytes of Ethernet header and 20 bytes of IP header and 20 bytes of TCP header, so it’s at an offset of decimal 54 = 0x36. Bytes 0000 through 0019 are the Ethernet header and the IPv4 header up to and including the first byte of the IP header checksum. The IP source address starts at 001B. For a description of the Ethernet header, see the Wikipedia page for the Ethernet frame. Note that the preamble and start-of-frame delimiter are NOT part of the capture. For a description of the IPv4 header, see the “Packet structure” section of the Wikipedia page for IPv4. For a description of the TCP header, see the “TCP segment structure” section of the Wikipedia page for TCP. answered 25 Nov ‘11, 14:59 Guy Harris ♦♦ edited 25 Nov ‘11, 15:19 |
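The field-by-field walk in the answer above can be reproduced programmatically. The following is an added example, not code from the Wireshark Q&A or from Wireshark itself: it assembles an Ethernet/IPv4/TCP frame from the field values listed in the answer, then parses it back and reports the byte offset at which each header and each address starts, and it recomputes the IPv4 header checksum over the bytes it sees, which is the kind of field check the asker wanted for their own sender. Two things are assumptions: the MAC addresses are placeholders (the page names only the vendors, not the bytes), and the IP checksum is computed by the example rather than copied from the answer, so the constructed frame is internally consistent; the TCP checksum is copied as listed and not verified, since the payload is not on the page.

```python
import struct

# Added example: constructed from the field values in the answer above, not
# the original capture. MAC addresses are placeholders (assumption); the IPv4
# header checksum is computed here, not copied from the answer.
DST_MAC = bytes.fromhex("000000000001")  # placeholder, not the real Broadcom MAC
SRC_MAC = bytes.fromhex("000000000002")  # placeholder, not the real Trenton MAC

ETH_LEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2); preamble/SFD are not captured


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of
    the header's 16-bit big-endian words. Caller passes the checksum field as zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame(payload: bytes) -> bytes:
    """Assemble Ethernet + IPv4 + TCP using the values listed in the answer."""
    total_len = 20 + 20 + len(payload)      # IPv4 total length = IP hdr + TCP hdr + data
    ip = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0x00,                         # version 4, IHL 5 words (20 bytes); TOS 0
        total_len, 0x215D, 0x4000,          # total length, identification, DF + offset 0
        0x80, 0x06, 0,                      # TTL 128, protocol 6 (TCP), checksum placeholder
        bytes([192, 10, 11, 227]), bytes([192, 10, 11, 222])))
    struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))  # fill in the real checksum
    tcp = struct.pack(
        "!HHIIBBHHH",
        0xBF68, 0xD830,                     # source port 49000 -> destination port 55344
        0x91DA9B27, 0x7A567559,             # sequence and acknowledgment numbers
        5 << 4, 0x10,                       # data offset 5 words (20 bytes), flags = ACK
        0xFFFF, 0xD5EE, 0)                  # window, TCP checksum as listed (unverified), urgent
    return DST_MAC + SRC_MAC + b"\x08\x00" + bytes(ip) + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and record where each header and field starts."""
    if len(frame) < ETH_LEN:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("EtherType 0x%04x is not IPv4" % ethertype)

    ip_off = ETH_LEN
    version, ihl = frame[ip_off] >> 4, (frame[ip_off] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(frame) < ip_off + ihl:
        raise ValueError("bad or truncated IPv4 header")
    tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack(
        "!BHHHBBH", frame[ip_off + 1:ip_off + 12])
    ip_hdr = frame[ip_off:ip_off + ihl]
    csum_ok = ip_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == csum
    if proto != 6:
        raise ValueError("IP protocol %d is not TCP" % proto)

    tcp_off = ip_off + ihl
    if len(frame) < tcp_off + 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, doff_byte, tcp_flags, window, tcp_csum, urg = struct.unpack(
        "!HHIIBBHHH", frame[tcp_off:tcp_off + 20])
    payload_off = tcp_off + (doff_byte >> 4) * 4   # TCP options, if any, sit before this
    payload_end = ip_off + total_len                # Ethernet padding, if any, sits past this
    return {
        "ip_off": ip_off, "ip_src_off": ip_off + 12, "ip_dst_off": ip_off + 16,
        "tcp_off": tcp_off, "payload_off": payload_off,
        "dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
        "tos": tos, "total_len": total_len, "ident": ident, "ttl": ttl,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ip_checksum": csum, "ip_checksum_ok": csum_ok,
        "src_ip": ".".join(map(str, ip_hdr[12:16])),
        "dst_ip": ".".join(map(str, ip_hdr[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "tcp_flags": tcp_flags, "window": window, "tcp_checksum": tcp_csum,
        "urgent": urg, "payload": frame[payload_off:payload_end],
    }


if __name__ == "__main__":
    # 1451 data bytes gives the answer's IPv4 total length of 0x05d3 = 1491.
    p = parse_frame(build_sample_frame(b"A" * 1451))
    for key in ("ip_off", "ip_src_off", "ip_dst_off", "tcp_off", "payload_off"):
        print("%-12s starts at 0x%04x (%d)" % (key, p[key], p[key]))
    print("%s:%d -> %s:%d  DF=%s  TTL=%d" % (p["src_ip"], p["sport"],
          p["dst_ip"], p["dport"], p["df"], p["ttl"]))
    print("IP checksum 0x%04x ok=%s, payload %d bytes"
          % (p["ip_checksum"], p["ip_checksum_ok"], len(p["payload"])))
```

Run as-is it prints the start offset of each header and address in the constructed frame (IP header at 0x0e, TCP header at 0x22, payload at 0x36) and whether the IPv4 header checksum matches. Point `parse_frame` at the raw bytes of a captured frame instead and `ip_checksum_ok` will flag a sender that miscomputes the header checksum, which is one of the things Wireshark's packet details pane reports for you.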
I'm thinking your analysis is flawed. The raw bytes as you see them are the complete Ethernet frame. So they start with the 6 byte destination MAC address (a Broadcom device) and source MAC address (a Trenton Technology device). The rest I didn't figure out. But from the first line it seems that Wireshark did, so why not look at the packet details? answered 25 Nov '11, 00:06 Jaap ♦ |
And like Jaap said: this is what Wireshark is for, to do this analysis for you, instead of doing it yourself :-)
Ha, the man is a machine. Leaving tools at home and Stevens on the bookshelf. We’re such n00bs. ;)
The preamble threw me for a bit. I need to read more about that offset and what it means. I would like to let Wireshark analyze everything, but there is something wrong with my code as detected by the receiving program not accepting my data. I need to check all the fields for correctness, and I think I found a problem. But that is in my code and not suitable for a question here.
Guy, Thank you for taking the time to write that all out.