Pacific Simplicity
https://www.pacificsimplicity.ca/blog/reading-pack...
Reading Packet Hex Dumps Manually - No Wireshark!


Submitted by admin on Mon, 09/17/2012 - 12:40

One of the things I have learned over the years is how useful being able to read a hex dump of a packet without Wireshark can be.
Reading hex dumps, header specifications and converting hex to decimal can be frustrating, but I'll try to break it down into an
easy-to-follow tutorial. If you're still interested and/or you are one of my students, read on!

Bits Vs. Bytes


Computers function on the most basic premise of bits and bytes. To be able to read a packet dump, you must
understand these core terms.
A BIT is the most basic value in computing: either 1 or 0.
A BYTE is 8 BITS.

Converting Hexadecimal values to Decimal


If you recall, hexadecimal is an easier way to display information than reading binary: hex digits range between 0-9 and A-F (0-15). In
other words, hexadecimal has 16 values, which is much more human friendly!
Example: 0x15A
Reading right to left, each digit is weighted by a power of 16:
(1*16*16) + (5*16) + (10*1)
= 256 + 80 + 10
= 346 in decimal

Converting Hexadecimal values to Binary


OK, now that you know how to convert hexadecimal to decimal, let's convert hexadecimal to binary, which (the way it is done here) requires an
intermediate step of converting it to decimal and then to binary.
Example: 0x81
Reading right to left
= (8*16) + (1*1)
= 128 + 1
= 129 in decimal
Now remember your powers of two - what 2^x fits into 129?
The answer is 2^7, which is 128; the remaining 1 is 2^0
= 2^7 + 2^0
From right to left
= 10000000 + 00000001 (I cheated a bit on the binary addition, but if you want to know more, look it up)
= 10000001 in binary

The Anatomy of A Network Transmission


Moving forward - a frame is "the unit of transmission in a link layer protocol, and consists of a link-layer header followed by a packet." In other
words, a frame's contents look like:
1. Ethernet Header (14 bytes in size)
2. IP Header (usually 20 bytes in size)
3. Protocol Header (usually ICMP, UDP or TCP)
4. Payload (optional)

Ethernet Header
The Ethernet header is the first header of the potential three in the frame - there are other types of headers or protocols, but for the
purpose of this tutorial we will just focus on Ethernet, IP, TCP, UDP and ICMP. If we ignore the 8 bits that are in the preamble (Wireshark
does this too!), then there are just 14 bytes in the header: 6 bytes for the destination MAC address, 6 bytes for the source MAC address
and 2 bytes for the Type. If this is an IP packet, the type will be 08 00.

IP Header
The IP header is the second header of the potential three in the frame.

UDP Header
The UDP header is one of the possible third headers (the protocol header) in the frame.

TCP Header
The TCP header is another potential third header in the frame.

ICMP Header
The ICMP header is another potential third header in the frame.

OK So Now What?
You are probably thinking, okay, I see a bunch of fields, bits and bytes and I have no idea what they mean... Have no fear; this is what you
need to do. Start off with this packet hex dump:
Each of those double groupings of letters/numbers equals 1 byte. If you look at the highlighted part of the image (this is the packet
dump; the other numbers to the left are for reference), then 00 is 1 BYTE! Now remember that 1 byte is 8 bits and that
each of these header specifications is 32 bits across.
Now let's look at the same packet dump, but marked up to show where the boundaries are.

Reviewing the Ethernet Header


You can see that 00 is one byte, and the Ethernet header is 14 bytes - WAIT! How is the Ethernet header 14 bytes??? This is
determined by the protocol specification - so if you look back up at the Ethernet header, you can see that it is made up of two 6
byte fields plus another 2 byte type field. In other words, it is telling you that: the destination MAC address is 00:15:6D:C4:27:4B (the first
6 bytes), the source MAC address is 54:04:A6:3C:ED:EB (the next 6 bytes), and the Ether-type is 0800, which means that the IP header is next.
0800 is the code for IP.

Reviewing the IP Header


The IP header has a few important fields, but mostly we are just interested in the Protocol and IP address fields. From looking at the
diagram, we can see that the Protocol field is 9 bytes in, so the 10th byte is the one you want. In this case the Protocol field is 06, which is TCP
(UDP is 11 in hex, which is 17 in decimal!). This means that the following header will be a TCP header.
Before we move on to the TCP header, let's calculate the source and destination IP addresses. The source IP address starts at byte 13 and
occupies bytes 13-16: C0 A8 02 65. The destination IP address is at bytes 17-20: C7 3B 96 2A. To convert these bytes into an IP
address, you must convert each of the 4 bytes to decimal. In other words:
C0 = 192, A8 = 168, 02 = 2 and 65 = 101. As a result, the source IP address is 192.168.2.101.

Reviewing the TCP Header


Great, if you have made it this far, you're almost there to having most of the basics of figuring out what kind of TCP packet this is! Again,
from the TCP diagram above, we know that without any options or extra data, the TCP header is 20 bytes long. If you didn't
know what headers had come before this one, you could guesstimate by the number of bytes and work your way towards the potential
packet header specification.
From the specification, we know that the first 2 bytes are the Source Port, and the following 2 bytes are the Destination Port - to get these
values just convert the hexadecimal to decimal.
Unfortunately, getting the TCP flags requires a bit more leg work. From the start of the TCP header, count 13 bytes; the 14th byte is
the flags field! The two bytes at that point in hex are 50 11. Okay, so let's convert the hexadecimal to binary so we can find out which bits have been set - each flag is one bit.

0x5011 is equal to 01010000 00010001


We aren't concerned with the first byte (the first 8 bits), so looking at the last byte, 00010001, we can see that the 4th and 8th bits (counting
from the left) are set, which are ACK and FIN respectively.
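To tie the whole walkthrough together, here is an added Python example (not code from the original post) that parses a constructed frame carrying the same MAC addresses, EtherType, protocol, IP addresses and TCP "50 11" bytes the tutorial walks through; the ports, sequence numbers, TTL, window and checksums are made-up filler, and the checksums are not valid. It goes one step beyond the 20-byte walkthrough by reading the IP header length (IHL) so an IP header with options is located correctly.

```python
import struct

# Constructed sample frame (not the post's image): the MAC addresses, EtherType,
# protocol, IP addresses and the TCP "50 11" bytes match the walkthrough; the
# ports, sequence/ack numbers, TTL, window and checksums are made-up filler
# (the checksums are not valid).
SAMPLE_HEX = (
    "00 15 6D C4 27 4B 54 04 A6 3C ED EB 08 00"                     # Ethernet (14 bytes)
    " 45 00 00 28 00 00 40 00 40 06 00 00 C0 A8 02 65 C7 3B 96 2A"  # IPv4 (20 bytes)
    " C0 28 00 50 00 00 00 01 00 00 00 01 50 11 01 00 00 00 00 00"  # TCP (20 bytes)
)

# Names of the bits in the TCP flags byte, least significant bit first.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)

def parse_frame(hex_dump):
    """Walk the Ethernet -> IPv4 -> TCP headers of a hex dump and return the fields."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    # Ethernet: destination MAC first, then source MAC, then the 2-byte type.
    fields = {"dst_mac": mac_str(raw[0:6]), "src_mac": mac_str(raw[6:12]),
              "ethertype": struct.unpack("!H", raw[12:14])[0]}
    if fields["ethertype"] != 0x0800:
        return fields                       # not IPv4; stop after Ethernet
    ip = raw[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4                # header length in bytes (20 without options)
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IHL")
    fields["protocol"] = ip[9]              # 10th byte of the IP header
    fields["src_ip"] = ".".join(str(b) for b in ip[12:16])
    fields["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    if fields["protocol"] != 6:
        return fields                       # not TCP; stop after IP
    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    fields["src_port"], fields["dst_port"] = struct.unpack("!HH", tcp[0:4])
    flags = tcp[13]                         # 14th byte of the TCP header
    fields["flags"] = [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]
    return fields
```

Running parse_frame(SAMPLE_HEX) reproduces the values from the walkthrough (the flags come back as FIN and ACK) and also decodes the destination address the post leaves as an exercise.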
Congratulations! You now hopefully understand the process required to read a hex dump of almost any packet (that follows
standards). This can be a very useful skill for security professionals and developers alike! For a complete packet with translation see this Wireshark screenshot (http://www.pacificsimplicity.ca/sites/default/files/uploads/entire-capture.PNG)

References
Information liberally borrowed and compiled from:
http://www.sans.org/security-resources/tcpip.pdf

Comments
Thanks
Submitted by Mike BCh (not verified) on Tue, 01/29/2013 - 02:55

Wonderful explanation, thanks a lot

Hi,
Submitted by Martijn (not verified) on Sun, 05/26/2013 - 09:11

Hi, "[...] other words, it is telling you that: the source MAC address is 00:15:6D:C4:27:4B, the destination MAC address is
54:04:A6:3C:ED:EB, and the Ether-type is 0800 which means that the IP Header is next. 0800 is the code for IP." According to the
picture, the Ethernet header first specifies the destination MAC address and then the destination MAC address. Your explanation is the
other way around. So, correct would be: "... the source MAC address is 54:04:A6:3C:ED:EB, the destination MAC address is
00:15:6D:C4:27:4B, ..." Or am I mistaken? Thanks for the great explanation though! Martijn

Awesome catch. I'll fix that


Submitted by admin on Mon, 05/27/2013 - 08:45

Awesome catch. I'll fix that up, thanks for the QA :)

For TCP, it should be the


Submitted by sukh (not verified) on Mon, 03/09/2015 - 11:06

For TCP, it should be the first 2 bytes are the source port and followed by the next 2 bytes should be the destination port since the TCP
protocol defines the source and destination to be 16 bits each. You have it explained as 4 bytes each for the source and destination. But
awesome explanation.

Great catch - it should


Submitted by admin on Thu, 03/12/2015 - 11:04

Great catch - it should reflect the changes once the site cache updates.
