A good place to start research on packets is at:<br><a href="http://www.networksorcery.com/enp/default1002.htm">http://www.networksorcery.com/enp/default1002.htm</a><br><br>Long story short on all this, start processing the packet from the beginning and shove little pieces into headers as you go. Determine whether you have got it in the right place by verifying the data.<br>
<br>I'm sure there are some ready made chunks of code out there for you on some of what you are looking for, but if you start from scratch you need to build headers for each of the protocols you want to play with and start plugging away. Code snippets below are from pascal, convert as needed for c, c++, c#, etc.<br>
<br>So to answer question #1<br>So first you need to determine if it is Ethernet II or if it is Ethernet 802.3. Not sure the best way to do this, but as I'm looking at some code I've done in the past I check to see if eth_proto is <=$05DC<br>
<br>Where this is what I had for headers:<br> EthernetII_Header = packed record // packed: no padding, so the record overlays the raw bytes exactly<br> eth_dstmac : array[0..5] of Byte; // bytes 1..6: destination MAC<br> eth_srcmac : array[0..5] of Byte; // bytes 7..12: source MAC<br> eth_proto : Word; // bytes 13..14: EtherType, arrives big-endian (network byte order), swap before comparing<br> end;<br><br> Ethernet8023_Header = packed record<br>
eth_dstmac : array[0..5] of Byte;<br> eth_srcmac : array[0..5] of Byte;<br> eth_len : Word; // bytes 13..14: length of the payload, also big-endian<br> end;<br><br>6 bytes for dest mac address, 6 bytes for source mac address, and 2 bytes for what is either a protocol or a length, depending on what type of packet it is going to be.<br>
<br>Assuming it was an IP packet (Ethernet II) instead of an IPX packet (802.3) then you'd start looking at what value is in eth_proto (byte 13 and 14). If that value in byte 13 and 14 is less than or equal to $05DC, then it is Ethernet 802.3.<br>
<br>Table here:<br><a href="http://www.iana.org/assignments/protocol-numbers/">http://www.iana.org/assignments/protocol-numbers/</a><br><br>(you also need to check to see if it is a vlan, and if it is then do other things, but we'll assume it is not a vlan packet for now).<br>
<br>So assume byte 13 and 14 is 0800, then we have an IP packet.<br>Other values:<br>0806 = ARP<br>872d = Cisco Wireless LAN Context Control Protocol<br>etc.<br><br>Question #2:<br>Anyway, 0800, IP packet, next determine if it is TCP or UDP, for this you'd look at the ip_protocol section in the IP_header after you've shoved the next 20 bytes into this:<br>
<br> IP_Header = packed record // packed so the 20 header bytes map one-to-one onto the fields<br> ip_verlen : Byte; // high nibble = IP version, low nibble = header length in 32-bit words<br> ip_tos : Byte;<br> ip_totallength : Word; // total length of header + data, big-endian<br> ip_id : Word;<br> ip_offset : Word; // flags + fragment offset<br> ip_ttl : Byte;<br> ip_protocol : Byte; // $06 = TCP, $11 = UDP, ...<br>
ip_checksum : Word;<br> ip_srcaddr : array[0..3] of Byte;<br> ip_dstaddr : array[0..3] of Byte;<br> end;<br><br>IP may not always be 20 bytes in length since it can have IP Options, seen as optional in this pic:<br>
<a href="http://www.networksorcery.com/enp/protocol/ip.htm">http://www.networksorcery.com/enp/protocol/ip.htm</a><br><br>So this is something you need to determine based on processing ip_verlen. This field gives you both the version of IP and the length of the header, as I recall (sorry, it's been a long time since I worked on this chunk of code).<br>
<br>Question #3 sorta:<br>Now that we have ip_protocol, we need to look at its value:<br>0x11 = UDP<br>
0x59 = OSPF IGP<br>
0x06 = TCP<br>
<br>You can look up others here:<br><a href="http://www.networksorcery.com/enp/protocol/ip.htm#Protocol">http://www.networksorcery.com/enp/protocol/ip.htm#Protocol</a><br><br>Question #4:<br>Depends on the type of packet you were working with:<br>
Telnet/FTP: get to the data section after you've parsed through Ethernet II, IP and TCP, and start looking for a key to go off of.<br><br>Ultimately, look up the protocol you are interested in and parse little by little.<br>
<br>There is an open source project out there at sourceforge, in C# that you may be able to look at and get some ideas. Haven't ever looked specifically at its code, but it pulls some creds from different protocols:<br>
<br><a href="http://sourceforge.net/projects/networkminer/">http://sourceforge.net/projects/networkminer/</a><br><br>Eric<br>
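The layer-by-layer walk described in the post above (Ethernet II vs. 802.3 by the <= 0x05DC rule, the VLAN check, the version/header-length nibbles of ip_verlen, then TCP or UDP by ip_protocol), as an added example in Python rather than Pascal. This is not Eric's code or NetworkMiner's; the sample frames are constructed inline with zero checksums, the 0x8100 VLAN EtherType and the TCP/UDP header layouts are standard values not given in the post, and every layer checks that enough bytes remain before unpacking, which is the check a dissector needs so truncated or lying length fields fail cleanly instead of reading past the buffer.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100        # 802.1Q tag (the post only says "check if it is a vlan")
IP_PROTO_NAMES = {0x06: "TCP", 0x11: "UDP", 0x59: "OSPF"}   # values listed in the post


class ParseError(ValueError):
    """Raised when the bytes on hand are too short or inconsistent for a layer."""


def parse_frame(frame: bytes) -> dict:
    """Dissect Ethernet -> (802.1Q) -> IPv4 -> TCP/UDP, validating lengths at each step."""
    if len(frame) < 14:
        raise ParseError("frame shorter than the 14-byte Ethernet header")
    dst, src, proto = struct.unpack("!6s6sH", frame[:14])   # "!" = network byte order
    result = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":")}
    offset = 14
    # Bytes 13-14: a value <= 0x05DC is an 802.3 length, anything larger is an EtherType.
    if proto <= 0x05DC:
        result.update(frame_type="802.3", length=proto, payload=frame[offset:offset + proto])
        return result
    result["frame_type"] = "EthernetII"
    if proto == ETHERTYPE_VLAN:                # tag inserted between MACs and the real EtherType
        if len(frame) < 18:
            raise ParseError("truncated 802.1Q tag")
        tci, proto = struct.unpack("!HH", frame[14:18])
        result["vlan_id"] = tci & 0x0FFF
        offset = 18
    result["ethertype"] = proto
    if proto == ETHERTYPE_IPV4:
        result["ip"] = parse_ipv4(frame[offset:])
    else:
        result["payload"] = frame[offset:]      # ARP etc. left undissected here
    return result


def parse_ipv4(data: bytes) -> dict:
    """ip_verlen: high nibble = version, low nibble = header length in 32-bit words,
    so IP options push the transport header further in."""
    if len(data) < 20:
        raise ParseError("truncated IPv4 header")
    verlen, _tos, total_len, _id, _off, ttl, protocol, _csum, saddr, daddr = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = verlen >> 4, (verlen & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl or len(data) < total_len:
        raise ParseError("inconsistent IPv4 version or lengths")
    ip = {"src": ".".join(map(str, saddr)), "dst": ".".join(map(str, daddr)), "ttl": ttl,
          "header_len": ihl, "protocol": protocol,
          "protocol_name": IP_PROTO_NAMES.get(protocol, "other")}
    l4 = data[ihl:total_len]                   # honour total length: drops Ethernet padding
    if protocol == 0x06:
        ip["l4"] = parse_tcp(l4)
    elif protocol == 0x11:
        ip["l4"] = parse_udp(l4)
    else:
        ip["l4"] = {"payload": l4}
    return ip


def parse_tcp(data: bytes) -> dict:
    if len(data) < 20:
        raise ParseError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", data[:14])
    data_off = (off_flags >> 12) * 4           # TCP options stretch the header too
    if data_off < 20 or len(data) < data_off:
        raise ParseError("bad TCP data offset")
    return {"src_port": sport, "dst_port": dport, "payload": data[data_off:]}


def parse_udp(data: bytes) -> dict:
    if len(data) < 8:
        raise ParseError("truncated UDP header")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", data[:8])
    if ulen < 8 or len(data) < ulen:
        raise ParseError("bad UDP length")
    return {"src_port": sport, "dst_port": dport, "payload": data[8:ulen]}


def is_well_formed(frame: bytes) -> bool:
    """True when every layer parsed cleanly, False on any length inconsistency."""
    try:
        parse_frame(frame)
        return True
    except ParseError:
        return False


# --- constructed sample frames (checksums left at zero; the parser does not verify them) ---
DST, SRC = bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455")

def sample_tcp_telnet() -> bytes:
    """Ethernet II / IPv4 without options / TCP to port 23 carrying a login banner."""
    payload = b"login: "
    tcp = struct.pack("!HHIIHHHH", 40000, 23, 1, 1, (5 << 12) | 0x18, 512, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 0x06, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return struct.pack("!6s6sH", DST, SRC, ETHERTYPE_IPV4) + ip + tcp + payload

def sample_vlan_udp() -> bytes:
    """802.1Q VLAN 100 / IPv4 with 4 bytes of NOP options (IHL = 6) / UDP 53 -> 53."""
    payload = b"\x00\x01"
    udp = struct.pack("!HHHH", 53, 53, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x46, 0, 24 + len(udp) + len(payload), 2, 0,
                     64, 0x11, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])) + b"\x01" * 4
    return struct.pack("!6s6sHHH", DST, SRC, ETHERTYPE_VLAN, 100, ETHERTYPE_IPV4) + ip + udp + payload

def sample_8023() -> bytes:
    """Raw 802.3 frame: bytes 13-14 hold a length (3), not an EtherType."""
    return struct.pack("!6s6sH", DST, SRC, 3) + b"\xe0\xe0\x03"

if __name__ == "__main__":
    for build in (sample_tcp_telnet, sample_vlan_udp, sample_8023):
        print(build.__name__, parse_frame(build()))
```

Running the file prints the dissection of all three sample frames; feeding it a frame cut short (for example the first 30 bytes of the Telnet sample) raises ParseError from the IPv4 layer rather than producing a half-filled record, which is the behaviour you want before handing the payload on to any protocol-specific credential parser.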