[Winpcap-users] Question about how to interpret the pkt_data

Guy Harris guy at alum.mit.edu
Fri Jan 16 23:14:00 GMT 2009


On Jan 16, 2009, at 2:56 PM, Wu Bo (ST-VS/EAP2.3) wrote:
> I have a question about how to interpret the raw (hex) data.
> 1) I get data from Wireshark and found out that the first 14 bytes from  
> pkt_data are about Ethernet II?
>
If the packet is an Ethernet packet (the link-layer type returned by  
pcap_datalink() is DLT_EN10MB), then the first 14 bytes of the packet  
are the Ethernet header.

> 2) The next 20 bytes from pkt_data are Internet Protocol?
>
If the packet is an IPv4 packet (for example, if it's an Ethernet  
packet with a link-layer type of 0x0800), then the next 20 bytes are  
the fixed-length portion of the IPv4 header.

There might also be options, making the header longer than 20 bytes;  
see RFC 791 for details:

	http://tools.ietf.org/html/rfc791
> 3) What about the rest of the bytes? I know they represent some  
> different data, such as ICMP, TCP, SSL, TLSv1, UDP, etc. How can we  
> distinguish the data between all these protocols? How do we know the  
> data we received is TCP protocol, or ICMP protocol, or SSL protocol?
>
SSL runs over TCP, so if the data is SSL the data received *is* TCP  
data.

ICMP, UDP, TCP, and some other protocols (such as SCTP) run on top of  
IP.

The IPv4 header has a "Protocol" field that indicates whether what  
follows the IPv4 header is ICMP, UDP, TCP, etc.

To determine whether a TCP packet is SSL/TLS, you can check whether  
the source or destination port number is 443; if it is, the packet  
probably contains SSL/TLS-over-TCP data.  SSL/TLS are used by other  
protocols, however; for example, if SMTP (mail protocol) is being  
carried over SSL/TLS, the only way to determine that is to see the  
STARTTLS in the beginning of the connection.
> 4) How can we find out whether the data contains a password and user  
> name? I look at Wireshark's data and know that somewhere it  
> contains the user name, and the password is decrypted; does anyone know where  
> these two are located?
>
That depends on the protocol being used.
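As an added example (not part of Guy's reply or of WinPcap's own code), the walk through pkt_data that the reply describes, in C: Ethernet header, EtherType check, IPv4 header length from IHL (so options are handled), the Protocol field, then TCP/UDP ports and the port-443 heuristic. The frame bytes are constructed for the example; `caplen` stands in for `pkt_header->caplen` from pcap_next_ex(), and every step bounds-checks against it before reading.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed frame (not a real capture), laid out as pcap_next_ex() would
 * return it in pkt_data for DLT_EN10MB: Ethernet (14) + IPv4 with one 4-byte
 * option (IHL=6, 24 bytes) + 20-byte TCP header to port 443. */
static const uint8_t sample_frame[] = {
    /* Ethernet II: dst MAC, src MAC, EtherType 0x0800 = IPv4 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/IHL=0x46 (IHL 6), TOS, total length 44, id, flags, TTL, proto 6 */
    0x46,0x00, 0x00,0x2c, 0x12,0x34, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,  /* src 10.0.0.1, dst 10.0.0.2 */
    0x94,0x04,0x00,0x00,                        /* Router Alert option, 4 bytes */
    /* TCP: src port 52000, dst port 443, seq, ack, data offset 5, flags SYN */
    0xcb,0x20, 0x01,0xbb, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0,
};

struct pkt_summary {
    uint16_t ethertype;          /* 0x0800 = IPv4 */
    uint8_t  ip_hdr_len;         /* IHL * 4: 20 without options, up to 60 */
    uint8_t  ip_proto;           /* RFC 791 Protocol: 1 ICMP, 6 TCP, 17 UDP */
    uint16_t src_port, dst_port; /* 0 unless TCP or UDP */
    int      likely_tls;         /* TCP with either port 443 (a heuristic) */
};

/* Walk the headers in order. Returns 0 on success, -1 if the frame is not
 * Ethernet/IPv4 or caplen (pkt_header->caplen) is too short to read safely. */
int summarize(const uint8_t *pkt_data, size_t caplen, struct pkt_summary *out)
{
    memset(out, 0, sizeof *out);
    if (caplen < 14) return -1;
    out->ethertype = (uint16_t)((pkt_data[12] << 8) | pkt_data[13]);
    if (out->ethertype != 0x0800) return -1;           /* only IPv4 here */
    const uint8_t *ip = pkt_data + 14;
    if (caplen < 14 + 20 || (ip[0] >> 4) != 4) return -1;
    out->ip_hdr_len = (uint8_t)((ip[0] & 0x0f) * 4);  /* options lengthen it */
    if (out->ip_hdr_len < 20 || caplen < 14u + out->ip_hdr_len) return -1;
    out->ip_proto = ip[9];
    const uint8_t *l4 = ip + out->ip_hdr_len;
    if ((out->ip_proto == 6 || out->ip_proto == 17) &&
        caplen >= 14u + out->ip_hdr_len + 4) {           /* ports are bytes 0-3 */
        out->src_port = (uint16_t)((l4[0] << 8) | l4[1]);
        out->dst_port = (uint16_t)((l4[2] << 8) | l4[3]);
    }
    out->likely_tls = out->ip_proto == 6 &&
                      (out->src_port == 443 || out->dst_port == 443);
    return 0;
}
```

In a real capture loop, pass `pkt_header->caplen`, not the IPv4 total-length field, as the bound: a snaplen shorter than the packet or a forged length field otherwise reads past the buffer.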


More information about the Winpcap-users mailing list