[Winpcap-users] Question about how to interpertate the pkt_data
Wu Bo (ST-VS/EAP2.3)
Bo.Wu at us.bosch.com
Mon Jan 19 15:49:02 GMT 2009
Hey guys,
4) How can we find out whether the data contains a password and user name?
I looked at Wireshark's data and know that somewhere it contains the user
name, and the password is decrypted; does anyone know where these two
are located?
A: That depends on the protocol being used.
Q: If I'm using either UDP or TCP, which bytes contain this
information?
5) I'm currently using either 100Mb or 1000Mb Ethernet. If I call
pcap_datalink(), does this function return DLT_EN10MB?
-----Original Message-----
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Guy Harris
Sent: Friday, January 16, 2009 6:14 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] Question about how to interpertate the
pkt_data
On Jan 16, 2009, at 2:56 PM, Wu Bo (ST-VS/EAP2.3) wrote:
> I have a question about how to interpret the raw (hex) data.
> 1) I got data from Wireshark and found out that the first 14 bytes from
> pkt_data are Ethernet II?
>
If the packet is an Ethernet packet (the link-layer type returned by
pcap_datalink() is DLT_EN10MB), then the first 14 bytes of the packet
are the Ethernet header.
> 2) the next 20 bytes from pkt_data are Internet Protocol?
>
If the packet is an IPv4 packet (for example, if it's an Ethernet
packet with a link-layer type of 0x0800), then the next 20 bytes are
the fixed-length portion of the IPv4 header.
There might also be options, making the header longer than 20 bytes;
see RFC 791 for details:
http://tools.ietf.org/html/rfc791
> 3) What about the rest of the bytes? I know they represent some
> different data, such as ICMP, TCP, SSL, TLSv1, UDP, etc. How can we
> distinguish the data between all these protocols? How do we know the
> data we received is TCP protocol, or ICMP protocol, or SSL protocol?
>
SSL runs over TCP, so if the data is SSL the data received *is* TCP
data.
ICMP, UDP, TCP, and some other protocols (such as SCTP) run on top of
IP.
The IPv4 header has a "Protocol" field that indicates whether what
follows the IPv4 header is ICMP, UDP, TCP, etc.
To determine whether a TCP packet is SSL/TLS, you can check whether
the source or destination port number is 443; if it is, the packet
probably contains SSL/TLS-over-TCP data. SSL/TLS are used by other
protocols, however; for example, if SMTP (mail protocol) is being
carried over SSL/TLS, the only way to determine that is to see the
STARTTLS at the beginning of the connection.
> 4) How can we find out whether the data contains a password and user
> name? I looked at Wireshark's data and know that somewhere it
> contains the user name, and the password is decrypted; does anyone know
> where these two are located?
>
That depends on the protocol being used.
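The layering Guy describes above (a 14-byte Ethernet header, an IPv4 header whose real length comes from IHL rather than being assumed to be 20 bytes, the Protocol field selecting ICMP/TCP/UDP, and port 443 as the SSL/TLS hint), written out as an added example. This is not code from the original thread and not WinPcap's own code: it is the dissection one would do on pkt_data inside a pcap_loop()/pcap_next_ex() callback once pcap_datalink() has returned DLT_EN10MB, written in plain standard C so it compiles without pcap.h, with the two Ethernet frames at the bottom constructed by hand for the demonstration. (On question 5: the "10MB" in DLT_EN10MB is historical; libpcap and WinPcap report DLT_EN10MB for Ethernet at any speed, so the same dissection applies on 100 Mb and 1000 Mb links.) The example goes one step beyond the reply: besides the port-443 hint it also checks whether the TCP payload begins with a TLS record header, which catches TLS on other ports, although both checks remain heuristics. On question 4, note that the user name and password are not at a fixed byte offset in the packet; they are inside the transport payload (payload_off below), laid out however the application protocol (FTP, HTTP, SMTP, ...) defines, and only readable in the capture when that protocol is not wrapped in TLS.

```c
/* Added example, not from the thread or WinPcap: dissect a DLT_EN10MB pkt_data
 * buffer in plain C, no pcap.h. The frames at the bottom are constructed by hand. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ETH_HDR_LEN = 14, ETHERTYPE_IPV4 = 0x0800, PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

struct dissect {
    int ok;                          /* 1 if the frame parsed as Ethernet II + IPv4 */
    uint8_t proto, ip_hlen;          /* IPv4 Protocol field; real IPv4 header length (IHL * 4) */
    uint16_t sport, dport;           /* TCP/UDP ports, 0 for other protocols */
    size_t payload_off, payload_len; /* transport payload inside pkt_data, bounded by caplen */
    int looks_like_tls;              /* port 443, or the payload starts with a TLS record */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* pkt and caplen are pkt_data and pcap_pkthdr->caplen from the capture callback. */
struct dissect dissect_en10mb(const uint8_t *pkt, size_t caplen)
{
    struct dissect d;
    memset(&d, 0, sizeof d);

    /* 1) Ethernet II: 6 dst + 6 src + 2 EtherType = 14 bytes. ARP, IPv6, VLAN tags: not handled. */
    if (caplen < ETH_HDR_LEN || be16(pkt + 12) != ETHERTYPE_IPV4) return d;

    /* 2) IPv4: 20 fixed bytes, but the IHL nibble gives the real length (RFC 791). */
    const uint8_t *ip = pkt + ETH_HDR_LEN;
    if (caplen < ETH_HDR_LEN + 20 || (ip[0] >> 4) != 4) return d;
    d.ip_hlen = (uint8_t)((ip[0] & 0x0f) * 4);
    size_t total_len = be16(ip + 2);
    if (d.ip_hlen < 20 || total_len < d.ip_hlen || caplen < ETH_HDR_LEN + d.ip_hlen)
        return d;                          /* bad IHL / Total Length, or truncated header */
    size_t ip_end = ETH_HDR_LEN + total_len;
    if (ip_end > caplen) ip_end = caplen;  /* snaplen may have cut the packet short */
    d.proto = ip[9];

    /* 3) The Protocol field says what follows the IPv4 header. */
    const uint8_t *l4 = ip + d.ip_hlen;
    size_t l4_off = ETH_HDR_LEN + d.ip_hlen, l4_len = ip_end - l4_off, hdr = 0;
    switch (d.proto) {
    case PROTO_TCP:
        if (l4_len < 20) return d;
        hdr = (size_t)(l4[12] >> 4) * 4;   /* Data Offset, in 32-bit words */
        if (hdr < 20 || hdr > l4_len) return d;
        d.sport = be16(l4); d.dport = be16(l4 + 2);
        break;
    case PROTO_UDP:
    case PROTO_ICMP:                       /* both have an 8-byte fixed header */
        if (l4_len < 8) return d;
        hdr = 8;
        if (d.proto == PROTO_UDP) { d.sport = be16(l4); d.dport = be16(l4 + 2); }
        break;
    default: break;                        /* SCTP, GRE, ...: payload is everything after IPv4 */
    }
    d.payload_off = l4_off + hdr;
    d.payload_len = l4_len - hdr;
    d.ok = 1;

    /* 4) SSL/TLS: port 443 is the usual hint; a TLS record header at the start of the payload
     * (type 0x14-0x17, version 0x03 0x00-0x04) is stronger and catches TLS on other ports too. */
    if (d.proto == PROTO_TCP) {
        const uint8_t *p = pkt + d.payload_off;
        int by_port = d.sport == 443 || d.dport == 443;
        int by_record = d.payload_len >= 5 && p[0] >= 0x14 && p[0] <= 0x17
                        && p[1] == 0x03 && p[2] <= 0x04;
        d.looks_like_tls = by_port || by_record;
    }
    return d;
}

/* Constructed frames, not captured traffic: Ethernet II -> IPv4 (no options) -> TCP. */
static const uint8_t frame_tls[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,  /* Ethernet, IPv4 */
    0x45,0x00,0x00,0x32, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,            /* IPv4, len 50, proto 6 */
    0x0a,0x00,0x00,0x01, 0xc0,0xa8,0x01,0x02,
    0xc8,0x22,0x01,0xbb, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,            /* TCP 51234 -> 443 */
    0x50,0x18,0x01,0x00, 0x00,0x00,0x00,0x00,
    0x16,0x03,0x01,0x00,0x05, 0x01,0x00,0x00,0x01,0x03 };                     /* TLS handshake record */
static const uint8_t frame_http[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x2d, 0x00,0x02,0x40,0x00, 0x40,0x06,0x00,0x00,            /* IPv4, len 45, proto 6 */
    0x0a,0x00,0x00,0x01, 0xc0,0xa8,0x01,0x02,
    0xc8,0x23,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,            /* TCP 51235 -> 80 */
    0x50,0x18,0x01,0x00, 0x00,0x00,0x00,0x00,
    'G','E','T',' ','/' };                                                    /* cleartext HTTP */

struct dissect dissect_frame_tls(void)  { return dissect_en10mb(frame_tls,  sizeof frame_tls); }
struct dissect dissect_frame_http(void) { return dissect_en10mb(frame_http, sizeof frame_http); }

static void show(const char *name, struct dissect d)
{
    printf("%s: ok=%d proto=%u iphdr=%u %u->%u payload@%zu len=%zu tls=%d\n", name, d.ok,
           d.proto, d.ip_hlen, d.sport, d.dport, d.payload_off, d.payload_len, d.looks_like_tls);
}

int main(void) { show("tls", dissect_frame_tls()); show("http", dissect_frame_http()); return 0; }
```

Every length check is against caplen rather than the IP Total Length, because a capture taken with a short snaplen hands the callback fewer bytes than the headers claim, and a dissector that trusts the header fields is the classic way to read past the end of pkt_data.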
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users