I need some assistance getting started with WireShark and identifying the data it is capturing. The source computer is Windows XP and the destination is Windows Server 2008.
Below are a few lines from one packet of a capture. The send computer is IP address 184.108.40.206 (in hex c0 a0 0b e3) and the destination is 220.127.116.11 (in hex c0 a0 0b de). I think that the sender has the server role while the receiver is client.
Contrary to my book the source address is in byte number 001A, not in the first byte. So what are bytes 0000 through 0019?
Starting with byte 0034 I can identify the payload as the data sent from the application. I take that as meaning the last four bytes of the header are 0030 through 0033. Is that correct?
Please post a link to a web page that provides this information. I did some searches and was unable to find a match.
Edit: after original post, I edited off the text display on the right side to make the post more readable.
Destination Ethernet address
Source Ethernet address
Ethernet type field = 0x0800 means IPv4
IPv4 version and header length field - version 4, 5 32-bit words or 20 bytes
IPv4 Type of Service/whatever it's called code point; 0 means "ordinary boring packet"
Total length of the IPv4 datagram; 0x05d3 = 1491 bytes
Identification - 0x215d
Flags and fragment offset - Don't Fragment and fragment offset of 0, meaning "not fragmented"
Time to live; 0x80 = 128
Protocol; 0x06 = 6 = TCP
Header checksum = 0x3be9
Source IP address = 0xc0 0x0a 0x0b 0xe3 = 18.104.22.168
Destination IP address = 0xc0 0x0a 0x0b 0xd3 = 22.214.171.124
TCP source port; 0xbf68 = 49000
TCP destination port; 0xd830 = 55344
Sequence number; 0x91da9b27 = 2447022887
Acknowledgment number; 0x7a567559 = 2052486489
Data offset; 0x5 = 5 32-bit words = 20 bytes
Flags; 0x10 = ACK
Window; 0xffff = 65535
Urgent pointer; 0x0000 = 0
That's all TCP payload. It starts at 0x0036, not 0x0034; it's preceded by 14 bytes of Ethernet header and 20 bytes of IP header and 20 bytes of TCP header, so it's at an offset of decimal 54 = 0x36.
Bytes 0000 through 0019 are the Ethernet header and the IPv4 header up to and including the first byte of the IP header checksum. The IP source address starts at 001B.
For a description of the Ethernet header, see the Wikipedia page for the Ethernet frame. Note that the preamble and start-of-frame delimiter are NOT part of the capture.
For a description of the IPv4 header, see the "Packet structure" section of the Wikipedia page for IPv4. For a description of the TCP header, see the "TCP segment structure" section for the Wikipedia page for TCP.
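An added example, not part of the original answer or of Wireshark: a small Python parser that builds a frame from the header values quoted in this thread (the MAC addresses, TCP checksum and payload are constructed placeholders) and computes each field's byte offset, so the 0x36 payload offset and the address offsets can be checked by arithmetic rather than by counting bytes in the hex pane.

```python
# Added example (not from the original post): walk an Ethernet/IPv4/TCP frame
# byte by byte and report where each field sits. The frame is constructed from
# the header values quoted in the thread; MAC addresses, the TCP checksum and
# the payload are made-up placeholders, and total length is set to match.
import struct

MAC_DST = bytes.fromhex("000000000001")   # placeholder, not from the capture
MAC_SRC = bytes.fromhex("000000000002")   # placeholder, not from the capture
PAYLOAD = b"constructed application data"

def build_frame(payload=PAYLOAD):
    ip_total_len = 20 + 20 + len(payload)  # IP header + TCP header + data
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, ip_total_len, 0x215d,
                         0x4000, 0x80, 0x06, 0x3be9,
                         bytes.fromhex("c0a00be3"), bytes.fromhex("c0a00bde"))
    tcp_hdr = struct.pack("!HHIIBBHHH", 0xbf68, 0xd830, 0x91da9b27, 0x7a567559,
                          0x50, 0x10, 0xffff, 0x0000, 0x0000)
    return MAC_DST + MAC_SRC + b"\x08\x00" + ip_hdr + tcp_hdr + payload

def parse_frame(frame):
    """Decode the fixed-offset fields; the dict includes each header's offset."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip_off = 14                                  # Ethernet header is 14 bytes
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", frame, ip_off)
    ihl = (ver_ihl & 0x0f) * 4                   # IP header length in bytes
    if proto != 6:
        raise ValueError(f"not TCP: protocol {proto}")
    tcp_off = ip_off + ihl
    sport, dport, seq, ack, doff_byte, flags, window, tcp_csum, urg = \
        struct.unpack_from("!HHIIBBHHH", frame, tcp_off)
    tcp_hlen = (doff_byte >> 4) * 4              # data offset, in bytes
    payload_off = tcp_off + tcp_hlen             # 14 + 20 + 20 = 54 = 0x36
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len,
        "id": ident, "df": bool(flags_frag & 0x4000),
        "frag_off": flags_frag & 0x1fff, "ttl": ttl, "proto": proto,
        "ip_csum": csum, "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)), "src_off": ip_off + 12,
        "dst_off": ip_off + 16, "sport": sport, "dport": dport, "seq": seq,
        "ack": ack, "tcp_hlen": tcp_hlen, "ack_flag": bool(flags & 0x10),
        "window": window, "payload_off": payload_off,
        "payload": frame[payload_off:ip_off + total_len],
    }

if __name__ == "__main__":
    for key, value in parse_frame(build_frame()).items():
        print(f"{key:>12}: {value}")
```

Printing the offsets in hex (`f"{value:#x}"`) makes them line up directly with the byte offsets Wireshark shows in its hex pane.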
I'm thinking your analysis is flawed. The raw bytes as you see them are the complete Ethernet frame. So they start with the 6 byte destination MAC address (a Broadcom device) and source MAC address (a Trenton Technology device). The rest I didn't figure out, but from the first line it seems that Wireshark did, so why not look at the packet details?
answered 25 Nov '11, 00:06