Pacific Simplicity
https://www.pacicsimplicity.ca/blog/reading-pack...
One of the things I have learned over the years is how useful it can be to read a hex dump of a packet without Wireshark. Reading hex dumps, header specifications and converting hex to decimal can be frustrating, but I'll try to break it down into an easy-to-follow tutorial. If you're still interested and/or you are one of my students, read on!
Ethernet Header
The Ethernet header is the first header of the potential three in the frame - there are other types of headers and protocols, but for the purpose of this tutorial we will just focus on Ethernet, IP, TCP, UDP and ICMP. If we ignore the 8 bits that are in the preamble (Wireshark does this too!), then there are just 14 bytes in the header: 6 bytes for the source MAC address, 6 bytes for the destination MAC address and 4 bytes for the Type. If this is an IP packet, the type will be 08 00.
IP Header
The IP header is the second header of the potential three in the frame.
UDP Header
The UDP header is the second header of the potential three in the frame.
TCP Header
The TCP header is another potential header of the three in the frame.
ICMP Header
The ICMP header is another potential header of the three in the frame.
OK So Now What?
You are probably thinking: okay, I see a bunch of fields, bits and bytes and I have no idea what they mean... Have no fear; this is what you need to do. Start off with this packet hex dump:
Each of those double groupings of letters/numbers equals 1 byte. If you look at the highlighted part of the image (this is the packet dump; the other numbers to the left are for reference), then 00 is 1 BYTE! And now you remember that 1 byte is 8 bits and that each of these header specifications is 32 bits across.
Now let's look at the same packet dump, but marked up to show where the boundaries are.
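As an added example (not code from the original post), here is a small Python decoder that walks a dump the same way the tutorial does: 14 bytes of Ethernet (destination MAC first, then source MAC, then the 2-byte EtherType), then the IPv4 header sized from its IHL nibble, then TCP, UDP or ICMP. The sample dump is constructed: its two MAC addresses are the ones discussed in the comments, while the IP addresses, ports and checksums are made up.

```python
import struct

# Constructed sample dump in Wireshark style (offset column, then hex byte pairs).
# Checksums are left as 00 00 since this example does not verify them.
SAMPLE_DUMP = """\
0000  00 15 6d c4 27 4b 54 04 a6 3c ed eb 08 00 45 00
0010  00 28 ab cd 40 00 40 06 00 00 c0 a8 01 0a c6 33
0020  64 07 c3 50 00 50 00 00 00 01 00 00 00 00 50 02
0030  20 00 00 00 00 00
"""

def dump_to_bytes(dump):
    """Turn a hex dump with a leading reference offset per line into raw bytes."""
    pairs = []
    for line in dump.strip().splitlines():
        pairs.extend(line.split()[1:])  # drop the offset column, keep the byte pairs
    return bytes.fromhex("".join(pairs))

def mac(b):
    return ":".join(f"{x:02X}" for x in b)

def parse_frame(dump):
    raw = dump_to_bytes(dump)
    # Ethernet: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType = 14 bytes.
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    frame = {"eth": {"dst": mac(dst), "src": mac(src), "type": f"{etype:04X}"}}
    if etype != 0x0800:          # only IPv4 (EtherType 0800) is decoded here
        return frame
    ip = raw[14:]
    # IPv4: ver/IHL, TOS, total length, ID, flags+frag offset, TTL, protocol, checksum, src, dst.
    vihl, _tos, tlen, _id, _ff, ttl, proto, _csum, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4      # IHL counts 32-bit words, so multiply by 4 to get bytes
    frame["ip"] = {"version": vihl >> 4, "ihl": ihl, "total_len": tlen, "ttl": ttl, "proto": proto,
                   "src": ".".join(map(str, sip)), "dst": ".".join(map(str, dip))}
    l4 = ip[ihl:]                # transport header starts right after the IP options, if any
    if proto == 6:    # TCP: 2-byte ports, 4-byte seq and ack, data offset nibble, flags, window
        sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", l4[:16])
        frame["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                        "hdr_len": (off >> 4) * 4, "flags": flags, "window": win}
    elif proto == 17: # UDP: 2-byte source port, 2-byte destination port, length, checksum
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        frame["udp"] = {"sport": sport, "dport": dport, "length": ulen}
    elif proto == 1:  # ICMP: 1-byte type, 1-byte code, 2-byte checksum
        itype, code, _ = struct.unpack("!BBH", l4[:4])
        frame["icmp"] = {"type": itype, "code": code}
    return frame

if __name__ == "__main__":
    print(parse_frame(SAMPLE_DUMP))
```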
References
Information liberally borrowed and compiled from:
http://www.sans.org/security-resources/tcpip.pdf
Attachments (figures): ip-header.png, tcp-header.png, udp-header.png, icmp-header.png, ethernet_hdr.png, tcp-packet-dump.PNG, tcp-packet-dump.mk_.fw_.png, entire-capture.PNG
Comments
Thanks
Submitted by Mike BCh (not verified) on Tue, 01/29/2013 - 02:55
Hi,
Submitted by Martijn (not verified) on Sun, 05/26/2013 - 09:11
Hi, "[...] other words, it is telling you that: the source MAC address is 00:15:6D:C4:27:4B, the destination MAC address is 54:04:A6:3C:ED:EB, and the Ether-type is 0800 which means that the IP Header is next. 0800 is the code for IP." According to the picture, the Ethernet header first specifies the destination MAC address and then the source MAC address. Your explanation is the other way around. So, correct would be: "... the source MAC address is 54:04:A6:3C:ED:EB, the destination MAC address is 00:15:6D:C4:27:4B, ..." Or am I mistaken? Thanks for the great explanation though! Martijn
For TCP, it should be that the first 2 bytes are the source port, followed by the next 2 bytes, which should be the destination port, since the TCP protocol defines the source and destination ports to be 16 bits each. You have it explained as 4 bytes each for the source and destination. But awesome explanation.
Great catch - it should reflect the changes once the site cache updates.