[Winpcap-users] Question about how to interpertate the pkt_data
Guy Harris
guy at alum.mit.edu
Fri Jan 16 23:14:00 GMT 2009
On Jan 16, 2009, at 2:56 PM, Wu Bo (ST-VS/EAP2.3) wrote:
> I have a question about how to interperated the raw(hex) data.
> 1) I get data from wireshark and found out that first 14 bytes from
> pkt_data is about Ethernet II?
>
If the packet is an Ethernet packet (the link-layer type returned by
pcap_datalink() is DLT_EN10MB), then the first 14 bytes of the packet
are the Ethernet header.
> 2) next 20 bytes from pkt_data is Internet Protocol?
>
If the packet is an IPv4 packet (for example, if it's an Ethernet
packet with a link-layer type of 0x0800), then the next 20 bytes are
the fixed-length portion of the IPv4 header.
There might also be options, making the header longer than 20 bytes;
see RFC 791 for details:
http://tools.ietf.org/html/rfc791
> 3) What about the rest of the bytes, I know they represent some
> different data, such as ICMP, TCP, SSL, TLSV1, UDP, etc. How can we
> distinct the data between all these protocols? How do we know the
> data we received is TCP protocol, or ICMP protocol, or SSL protocol?
>
SSL runs over TCP, so if the data is SSL the data received *is* TCP
data.
ICMP, UDP, TCP, and some other protocols (such as SCTP) run on top of
IP.
The IPv4 header has a "Protocol" field that indicates whether what
follows the IPv4 header is ICMP, UDP, TCP, etc..
To determine whether a TCP packet is SSL/TLS, you can check whether
the source or destination port number is 443; if it is, the packet
probably contains SSL/TLS-over-TCP data. SSL/TLS are used by other
protocols, however; for example, if SMTP (mail protocol) is being
carried over SSL/TLS, the only way to determine that is to see the
STARTTLS in the beginning of the connection.
> 4) How can we find out whether the data contains password and user
> name? I look at the wireshark's data and know that somethere it
> contains user name, and the password is decryted, anyone know where
> does these two located?
>
That depends on the protocol being used.
More information about the Winpcap-users
mailing list