Question

How can we manually read and interpret packets properly without using wireshark?

Now from the Ethernet header I know that the Destination MAC Address should be at the 5th byte (after converting bits/bytes). So from this data, I thought it would be 4a onwards. However, in reality it's 00:17:f2:d0:4c:82.

Same goes for the IP source destination. For instance, the source should be at 13-16 bytes. According to the readings, I guess it should be 0800 onwards. But in reality, it is on 0a 32 e7 85 but I don't get why? I am just confused on how to interpret this data correctly or maybe I am understanding the general header structure incorrectly.

https://ntquan87.wordpress.com/2015/08/17/reading-packet-hex-dumps-manually-no-wireshark/


Solution

My guess is that what you are seeing is a Level 2 Ethernet frame and therefore the preamble is missing. Also the Ethernet checksum seems to be missing. In this case everything seems to line up (the packet type inside the Ethernet frame, the IPv4 version, the IPv4 packet length, the packet type, i.e. TCP, inside the IP packet, ...). Then you'd read your packet as in the picture.

[picture: packet]

The TCP payload is

474554202f20485454502f312e300d0a
557365722d4167656e743a2057676574
2f312e31312e340d0a4163636570743a
202a2f2a0d0a486f73743a207777772e
696574662e6f72670d0a436f6e6e6563
74696f6e3a204b6565702d416c697665
0d0a0d0a

and decodes to:

GET / HTTP/1.0
User-Agent: Wget/1.11.4
Accept: */*
Host: www.ietf.org
Connection: Keep-Alive

which is coherent with the fact that the destination port is 80.
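The walk-through above can be checked mechanically. The following Python is an added example, not part of the original question or answer: it builds a Layer 2 Ethernet frame of the shape the answer describes (no preamble, no FCS), then reads it back field by field at the byte offsets a manual decode uses. The destination MAC, source IPv4 address, destination port and TCP payload are the values quoted in the thread; the source MAC, destination IP, ports other than 80, sequence numbers and the remaining header fields are constructed for this example.

```python
import struct

# Values quoted in the thread
DST_MAC = bytes.fromhex("0017f2d04c82")          # 00:17:f2:d0:4c:82
SRC_IP = bytes([10, 50, 231, 133])               # 0a 32 e7 85
PAYLOAD = bytes.fromhex(
    "474554202f20485454502f312e300d0a"
    "557365722d4167656e743a2057676574"
    "2f312e31312e340d0a4163636570743a"
    "202a2f2a0d0a486f73743a207777772e"
    "696574662e6f72670d0a436f6e6e6563"
    "74696f6e3a204b6565702d416c697665"
    "0d0a0d0a"
)
# Constructed for this example (not from the thread)
SRC_MAC = bytes.fromhex("4a7b2c3d4e5f")
DST_IP = bytes([192, 0, 2, 1])                   # TEST-NET-1 documentation range
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over data that
    already carries a correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame() -> bytes:
    """Ethernet II + IPv4 + TCP frame with valid IP and TCP checksums."""
    tcp = struct.pack("!HHIIHHHH", 51234, 80, 1, 1, (5 << 12) | 0x018, 65535, 0, 0)
    pseudo = SRC_IP + DST_IP + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp) + len(PAYLOAD))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + PAYLOAD)) + tcp[18:]
    total_len = 20 + len(tcp) + len(PAYLOAD)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, SRC_IP, DST_IP)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # No preamble and no FCS: this is what a pcap-style capture hands you.
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + PAYLOAD


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/TCP headers by byte offset and validate checksums."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    # Ethernet: bytes 0-5 dst MAC, 6-11 src MAC, 12-13 EtherType
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: EtherType 0x%04x" % ethertype)
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len > len(ip):
        raise ValueError("IPv4 total length exceeds captured bytes")
    if checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    proto = ip[9]
    if proto != IPPROTO_TCP:
        raise ValueError("not TCP: protocol %d" % proto)
    # IPv4: bytes 12-15 src address, 16-19 dst address (26-29 / 30-33 of the frame)
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("TCP header truncated")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    if checksum(pseudo + tcp) != 0:
        raise ValueError("TCP checksum mismatch")
    return {
        "dst_mac": ":".join("%02x" % b for b in dst),
        "src_mac": ":".join("%02x" % b for b in src),
        "ip_total_length": total_len,
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "src_port": sport,
        "dst_port": dport,
        "tcp_flags": off_flags & 0x1FF,
        "payload": tcp[data_off:],
    }


if __name__ == "__main__":
    info = parse_frame(build_frame())
    for key, value in info.items():
        print(key, value if key != "payload" else value.decode("ascii", "replace"))
```

The offsets in the comments are the ones a manual decode should use: header fields are counted in bytes from the start of the frame, not in bits, which is the slip the question describes. The checksum checks are what distinguishes a plausible-looking decode from a correct one; a misaligned start offset makes the IPv4 header checksum fail immediately.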

Licensed under: CC-BY-SA with attribution
Not affiliated with cs.stackexchange