When analyzing a capture of a login, how do you determine how many IP packets were generated during the process of the login? I guess part of the answer would need to address how to determine which packets were part of the process, so the question is probably better worded as: how are IP packets identified as part of the login? asked 21 Nov '13, 22:13 pj88 edited 22 Nov '13, 03:02 Kurt Knochner ♦
2 Answers:
IP doesn't really care about logins. That kind of information is exchanged on much higher layers, e.g. HTTP or FTP etc. So you need to ask yourself a different question: How does the login process work? What protocol does it use? And how many packets do you need to exchange the information for that? Logins can work quite differently for different protocols: some just send a packet saying "this is my username, this is my password, and I'd like to log in". Others do it in a much more complex way:
That example needs at least 6 packets, going back and forth, plus probably some for the TCP session setup. It can get even more complex when there are challenge-response or private/public key mechanisms involved. answered 21 Nov '13, 22:54 Jasper ♦♦ edited 21 Nov '13, 22:55
I would do it this way
This will only work if the communication is not encrypted or you are able to decrypt it (SSL/TLS decryption in Wireshark). Regards answered 22 Nov '13, 02:12 Kurt Knochner ♦ edited 22 Nov '13, 11:41
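Both answers boil down to the same two steps: group the IP packets of the capture into conversations (the TCP 5-tuple, which is what Wireshark's `tcp.stream` index does), then find the conversation whose application-layer payload carries the login and count its packets. The script below is an added example, not code from either answerer, and it uses a small pcap constructed inline rather than a real capture. It assumes a plaintext FTP-style login (`USER` / `PASS`), as in Jasper's "this is my username, this is my password" case; for a different protocol you would change the `markers`, and, as Kurt notes, for TLS-encrypted traffic the payload would first have to be decrypted.

```python
"""Group IP packets in a classic pcap by TCP conversation and count the ones
that belong to a plaintext (FTP-style) login.  Added example; the capture
below is constructed in memory, not taken from the question."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian classic libpcap
ETH_IPV4 = 0x0800
IPPROTO_TCP = 6
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18


def build_frame(src_ip, sport, dst_ip, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with the given payload (constructed data).
    IP/TCP checksums stay zero because the parser below does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a pcap file: 24-byte global header (link type 1 =
    Ethernet) followed by a 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1385000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_packets(pcap):
    """Yield the raw bytes of each captured frame, in capture order."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, offset)
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags, payload), or None if the frame
    is not IPv4-over-Ethernet carrying TCP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != IPPROTO_TCP:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4          # TCP header length
    flags = frame[tcp_off + 13]
    payload = frame[tcp_off + data_off:14 + total_len]
    return src, sport, dst, dport, flags, payload


def conversations(pcap):
    """Group TCP packets by direction-insensitive 5-tuple (one TCP stream)."""
    convs = defaultdict(list)
    for frame in iter_packets(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, flags, payload = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))
        convs[key].append((src, sport, flags, payload))
    return convs


def login_packet_counts(pcap, markers=(b"USER ", b"PASS ")):
    """Locate the stream carrying the login and count its packets two ways:
    the whole stream (handshake and banner included) and only the exchange
    from the first login command to the server's reply after the last one."""
    for key, pkts in conversations(pcap).items():
        idx = [i for i, (_, _, _, p) in enumerate(pkts)
               if any(p.startswith(m) for m in markers)]
        if not idx:
            continue
        first, last_req = idx[0], idx[-1]
        client = pkts[last_req][0]
        end = next((i for i in range(last_req + 1, len(pkts))
                    if pkts[i][0] != client), last_req)
        return {"conversation": key, "stream_packets": len(pkts),
                "login_exchange_packets": end - first + 1}
    return None


# Constructed capture: a 3-way handshake, banner, USER/PASS exchange, plus an
# unrelated HTTP conversation that must not be counted.
C, S = ("10.0.0.5", 40000), ("10.0.0.9", 21)
SAMPLE_PCAP = build_pcap([
    build_frame(*C, *S, SYN),
    build_frame(*S, *C, SYNACK),
    build_frame(*C, *S, ACK),
    build_frame(*S, *C, PSHACK, b"220 ftp ready\r\n"),
    build_frame(*C, *S, PSHACK, b"USER alice\r\n"),
    build_frame(*S, *C, PSHACK, b"331 Password required\r\n"),
    build_frame(*C, *S, PSHACK, b"PASS hunter2\r\n"),
    build_frame(*S, *C, PSHACK, b"230 Login successful\r\n"),
    build_frame("10.0.0.5", 40001, "10.0.0.20", 80, PSHACK, b"GET / HTTP/1.1\r\n\r\n"),
    build_frame("10.0.0.20", 80, "10.0.0.5", 40001, PSHACK, b"HTTP/1.1 200 OK\r\n\r\n"),
])

if __name__ == "__main__":
    print(login_packet_counts(SAMPLE_PCAP))
```

The two numbers the script returns make Jasper's point concrete: the login exchange itself is four packets here, but the TCP stream that carries it is eight once the handshake and banner are included, so "how many packets did the login generate" only has an answer once you decide where the login starts and ends. Replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()` to run it on a real classic-format capture (pcapng files are not handled by this reader).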