
Question

Given the following Wireshark packet trace,

Frame 1105: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
    Arrival Time: Apr 21, 2011 09:44:37.453943000 CDT
    Epoch Time: 1303397077.453943000 seconds
    [Time delta from previous captured frame: 0.020200000 seconds]
    [Time delta from previous displayed frame: 0.020200000 seconds]
    [Time since reference or first frame: 84.457490000 seconds]
    Frame Number: 1105
    Frame Length: 214 bytes (1712 bits)
    Capture Length: 214 bytes (1712 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:data]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Cisco_e7:28:48 (00:13:1a:e7:28:48), Dst: Dell_b3:17:95 (00:1d:09:b3:17:95)
    Destination: Dell_b3:17:95 (00:1d:09:b3:17:95)
        Address: Dell_b3:17:95 (00:1d:09:b3:17:95)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Cisco_e7:28:48 (00:13:1a:e7:28:48)
        Address: Cisco_e7:28:48 (00:13:1a:e7:28:48)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 128.59.19.70 (128.59.19.70), Dst: 165.91.134.178 (165.91.134.178)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 200
    Identification: 0x0000 (0)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 47
    Protocol: UDP (17)
    Header checksum: 0x8b96 [correct]
        [Good: True]
        [Bad: False]
    Source: 128.59.19.70 (128.59.19.70)
    Destination: 165.91.134.178 (165.91.134.178)
User Datagram Protocol, Src Port: 6206 (6206), Dst Port: ndmp (10000)
    Source port: 6206 (6206)
    Destination port: ndmp (10000)
    Length: 180
    Checksum: 0xd10a [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Data (172 bytes)
0000 80 00 01 15 00 00 ad 20 00 00 00 68 ff ff ff ff   ....... ...h....
0010 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0020 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0030 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0040 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0050 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0060 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0070 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0080 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
0090 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
00a0 ff ff ff ff ff ff ff ff ff ff ff ff               ............
    Data: 800001150000ad2000000068ffffffffffffffffffffffff...
    [Length: 172]

Draw the Application (Data) payload, then add the headers shown in this capture. You don't need to show the details of all header fields, but make sure to show the size of the payloads and headers at all layers, up to the 214 bytes that are transported on the wire (i.e., over the physical layer).

Explanation / Answer

Wireshark itself works with different file formats. Two of them that you are probably interested in are "pcap" and "pcap-ng".

If you have recorded data in "pcap" format, the link type is stored in the "Link-layer header type" field in the pcap file header; see the pcap-savefile man page.

If you have recorded data using the "pcap-ng" format, then the link type is stored in the Interface Description Block.

You can read more about these two formats here and there.

If you are reading a pcap or pcap-ng file with libpcap, the pcap_datalink() routine will return a DLT_ value specifying the link-layer header type. See the list of link-layer header types for a description of the DLT_ values and the headers that correspond to them. DLT_EN10MB is for Ethernet (the "10MB" is historical - it's used for all Ethernet speeds); DLT_PPP is the most likely type for PPP. If you have Wi-Fi packets with Wi-Fi headers (if you don't capture in monitor mode, you'll probably get Ethernet headers, and DLT_EN10MB on Wi-Fi adapters), you'll get DLT_IEEE802_11; if you also have "radio metadata" headers before the 802.11 headers, you'll get something such as DLT_IEEE802_11_RADIO or DLT_IEEE802_11_RADIO_AVS or DLT_PRISM_HEADER.

Do NOT assume what the link-layer header type is for the packets you will get from libpcap. ALWAYS call pcap_datalink() to determine the link-layer header type, and use that to parse the packets; if your code doesn't know how to parse packets for a particular DLT_ value, it should report an error and exit.

How do I read further data of packets? If I just read one byte, my program doesn't do anything, every variable gets empty.

Assuming that you record Ethernet data, you need to parse/process the data in accordance with the standard specifications. For example, first parse the Ethernet frame. Even at that point, the Ethernet frame can be of variable length. For example, given that tcpdump/wireshark does not record the Preamble field, you need to read 15 octets to determine how much more you can/should read.

After you are done with the Ethernet frame, you need to parse IP, then possibly UDP and/or TCP. Some other data can be in other formats, but in each and every case you have to carefully study the format specification and parse the data accordingly. Reading one byte will not get you anywhere. So I'd recommend you start by learning the basic network layers first (Ethernet, IP, UDP) and then get back to the problem of parsing them.

At the end of the day, Wireshark is an open source program that does most of what you want to do as an exercise. This means you can always download the source code, see what it does and learn from it.

Hope it helps. Good Luck!
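The following is an added worked example, not part of the original question or answer. It rebuilds the 214-byte frame from the field values shown in the trace (MAC addresses, IPv4 header, UDP header, and the 172-byte data hexdump), wraps it in a constructed classic pcap file so the link-layer header type can be read from the global header as the answer describes, and then parses Ethernet II, IPv4 and UDP in turn, reporting the size of every header and payload. The pcap wrapper (magic, timestamps, snaplen) and the parser's dictionary keys are assumptions made here; the frame contents come from the trace. The IPv4 header checksum is recomputed and compared against the 0x8b96 in the trace, and an unknown link type is rejected rather than guessed.

```python
import struct

# --- Constructed input: the 214-byte frame from the trace, rebuilt from the fields shown ---
DST_MAC = bytes.fromhex("001d09b31795")                    # Dell_b3:17:95
SRC_MAC = bytes.fromhex("00131ae72848")                    # Cisco_e7:28:48
ETH_HDR = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800)     # 14-byte Ethernet II header

# IPv4: ver/IHL, DSCP/ECN, total length, ID, flags+offset (DF set), TTL, proto, checksum, src, dst
IP_HDR = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0x00, 200, 0x0000, 0x4000, 47, 17, 0x8B96,
                     bytes([128, 59, 19, 70]), bytes([165, 91, 134, 178]))   # 20 bytes

UDP_HDR = struct.pack("!HHHH", 6206, 10000, 180, 0xD10A)   # 8 bytes; checksum copied from the trace

PAYLOAD = bytes.fromhex("800001150000ad2000000068") + b"\xff" * 160   # 172 bytes of application data

FRAME = ETH_HDR + IP_HDR + UDP_HDR + PAYLOAD                # 14 + 20 + 8 + 172 = 214 bytes on wire

# Wrap the frame in a minimal classic pcap file (constructed here, hypothetical; not the original
# capture file). The link-layer header type sits at offset 20 of the 24-byte global header.
DLT_EN10MB = 1
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
PCAP_RECORD = struct.pack("<IIII", 1303397077, 453943, len(FRAME), len(FRAME))
PCAP_BYTES = PCAP_GLOBAL + PCAP_RECORD + FRAME


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of the IPv4 header with its checksum field zeroed."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Parse Ethernet II -> IPv4 -> UDP and report the size of every header and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4 (EtherType 0x%04x)" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes (options included)
    if (ip[0] >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len > len(ip):
        raise ValueError("IP total length exceeds captured bytes")
    if ip[9] != 17:
        raise ValueError("not UDP (protocol %d)" % ip[9])
    udp = ip[ihl:total_len]                  # IP payload = UDP header + application data
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if udp_len < 8 or udp_len > len(udp):
        raise ValueError("bad UDP length")
    return {
        "wire_bytes": len(frame),
        "ethernet_header": 14,
        "ip_header": ihl,
        "ip_total_length": total_len,
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == struct.unpack("!H", ip[10:12])[0],
        "udp_header": 8,
        "udp_length": udp_len,
        "payload": len(udp[8:udp_len]),
        "src": "%s:%d" % (".".join(map(str, ip[12:16])), sport),
        "dst": "%s:%d" % (".".join(map(str, ip[16:20])), dport),
    }


def parse_pcap(data: bytes) -> list:
    """Read a classic pcap file; refuse link types this parser does not know instead of guessing."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("unrecognised pcap magic 0x%08x" % magic)
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError("unsupported link-layer header type %d" % linktype)
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frames.append(parse_frame(data[off:off + incl_len]))
        off += incl_len
    return frames


if __name__ == "__main__":
    for layers in parse_pcap(PCAP_BYTES):
        for key, value in layers.items():
            print("%-16s %s" % (key, value))
```

Running it prints the layer sizes that the question asks you to draw: 172 bytes of data inside a 180-byte UDP datagram, inside a 200-byte IP packet, inside the 214-byte Ethernet frame that went on the wire. The parser takes the IP header length from the IHL field and the UDP length from the UDP header rather than assuming fixed sizes, which is the habit the answer above is pushing for.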
