This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I need some assistance getting started with WireShark and identifying the data it is capturing. The source computer is Windows XP and the destination is Windows Server 2008.

Below are a few lines from one packet of a capture. The send computer is IP address 192.10.11.227 (in hex c0 a0 0b e3) and the destination is 192.10.11.222 (in hex c0 a0 0b de) . I think that the sender has the server role while the receiver is client.

Contrary to my book the source address is in byte number 001A, not in the first byte. So what are bytes 0000 through 0019?

Starting with byte 0034 I can identify the payload as the data sent from the application. I take that as meaning the last four bytes of the header are 0030 through 0033. Is that correct?

Please post a link to a web page that provides this information. I did some searches and was unable to find a match.

Edit: after original post, I edited off the text display on the right side to make the post more readable.

No. Time      Source        Destination   Protocol  Info
26  61.060962 192.10.11.227 192.10.11.222 TCP       49000 > 55344 [ACK] Seq=1

0000 00 10 18 4f 8e 80 00 10 6f 0f 20 26 08 00 45 00
0010 05 de 21 5d 40 00 80 06 3b e9 c0 0a 0b e3 c0 0a
0020 0b de bf 68 d8 30 91 da 9b 27 7a 56 75 59 50 10
0030 ff ff d5 ee 00 00 14 06 00 00 00 00 00 00 00 00
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050 00 00 00 00 00 00 01 00 00 00 04 00 00 00 17 01
0060 00 00 02 00 00 00 04 00 00 00 ec 88 38 2a 03 00
0070 00 00 04 00 00 00 00 00 00 00 05 00 00 00 04 00
0080 00 00 00 00 00 00 04 00 00 00 c8 05 00 00 00 00

asked 24 Nov '11, 20:24

bkelly's gravatar image

bkelly
11235
accept rate: 0%

edited 25 Nov '11, 15:17

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196


0000 00 10 18 4f 8e 80

Destination Ethernet address

                        00 10 6f 0f 20 26

Source Ethernet address

                                          08 00

Ethernet type field = 0x0800 means IPv4

                                                45

IPv4 version and header length field - version 4, 5 32-bit words or 20 bytes

                                                   00

IPv4 Type of Service/whatever it's called code point; 0 means "ordinary boring packet"

0010 05 de

Total length of the IPv4 datagram; 0x05d3 = 1491 bytes

           21 5d

Identification - 0x215d

                 40 00

Flags and fragment offset - Don't Fragment and fragment offset of 0, meaning "not fragmented"

                       80

Time to live; 0x80 = 128

                          06

Protocol; 0x06 = 6 = TCP

                             3b e9

Header checksum = 0x3be9

                                    c0 0a 0b e3

Source IP address = 0xc0 0c0a 0x0b 0xe3 = 192.10.11.227

                                                 c0 0a

0020 0b de

Destination IP address = 0xc0 0x0a 0x0b 0xd3 = 192.10.11.222

           bf 68

TCP source port; 0xbf68 = 49000

                 d8 30

TCP destination port; 0xd830 = 55344

                       91 da 9b 27

Sequence number; 0x91da9b27 = 2447022887

                                   7a 56 75 59

Acknowledgment number; 0x7a567559 = 2052486489

                                               50

Data offset; 0x5 = 5 32-bit words = 20 bytes

                                                  10

Flags; 0x10 = ACK

0030 ff ff

Window; 0xffff = 65535

           d5 ee

Checksum; 0xd5ee

                 00 00

Urgent pointer; 0x0000 = 0

                       14 06 00 00 00 00 00 00 00 00
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050 00 00 00 00 00 00 01 00 00 00 04 00 00 00 17 01
0060 00 00 02 00 00 00 04 00 00 00 ec 88 38 2a 03 00
0070 00 00 04 00 00 00 00 00 00 00 05 00 00 00 04 00
0080 00 00 00 00 00 00 04 00 00 00 c8 05 00 00 00 00

That's all TCP payload. It starts at 0x0036, not 0x0034; it's preceded by 14 bytes of Ethernet header and 20 bytes of IP header and 20 bytes of TCP header, so it's at an offset of decimal 54 = 0x36.

Bytes 0000 through 0019 are the Ethernet header and the IPv4 header up to and including the first byte of the IP header checksum. The IP source address starts at 001B.

For a description of the Ethernet header, see the Wikipedia page for the Ethernet frame. Note that the preamble and start-of-frame delimiter are NOT part of the capture.

For a description of the IPv4 header, see the "Packet structure" section of the Wikipedia page for IPv4. For a description of the TCP header, see the "TCP segment structure" section for the Wikipedia page for TCP.

permanent link

answered 25 Nov '11, 14:59

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 25 Nov '11, 15:19

And like Jaap said: This is wireshark is for, to do this analysis for you, instead of doing it yourself :-)

(25 Nov '11, 15:16) SYN-bit ♦♦

Ha, the man is a machine. Leaving tools at home and Stevens on the bookshelf. We're such n00bs. ;)

(25 Nov '11, 20:26) Jaap ♦

The preamble threw me for a bit. I need to read more about that offset and what it means. I would like to let wireshark analyze everything, but there is something wrong with my code as detected by the receiving program not accepting my data. I need to check all the fields for correctness, and I think I found a problem. But that is in my code and not suitable for a question here.

Guy, Thank you for taking the time to write that all out.

(26 Nov '11, 19:27) bkelly

I'm thinking your analysis is flawed. The raw bytes as you see them are the complete Ehternet frame. So they start with the 6 byte destination MAC address (a Broadcom device) and source MAC address (a Trenton Technology device). The rest I didn't figure out. but from the first line it seems that Wireshark did, so why not look at the packet details?

permanent link

answered 25 Nov '11, 00:06

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×248
×24

question asked: 24 Nov '11, 20:24

question was seen: 15,475 times

last updated: 27 Nov '11, 05:37

p​o​w​e​r​e​d by O​S​Q​A