[Winpcap-users] Question about how to interpret the pkt_data

Wu Bo (ST-VS/EAP2.3) Bo.Wu at us.bosch.com
Mon Jan 19 15:49:02 GMT 2009


Hey guys, 

4) How can we find out whether the data contains a password and user name?
I looked at Wireshark's data and know that somewhere it contains the user
name, and the password is decrypted; does anyone know where these two are
located?

A: That depends on the protocol being used.

Q: If I'm using either UDP or TCP, which bytes contain this
information?

5) I'm currently using either 100Mb or 1000Mb Ethernet. If I call
pcap_datalink(), does this function return DLT_EN10MB?



-----Original Message-----
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Guy Harris
Sent: Friday, January 16, 2009 6:14 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] Question about how to interpret the
pkt_data


On Jan 16, 2009, at 2:56 PM, Wu Bo (ST-VS/EAP2.3) wrote:
> I have a question about how to interpret the raw (hex) data.
> 1) I get data from Wireshark and found out that the first 14 bytes from
> pkt_data are about Ethernet II?
>
If the packet is an Ethernet packet (the link-layer type returned by  
pcap_datalink() is DLT_EN10MB), then the first 14 bytes of the packet  
are the Ethernet header.

> 2) next 20 bytes from pkt_data is Internet Protocol?
>
If the packet is an IPv4 packet (for example, if it's an Ethernet  
packet with a link-layer type of 0x0800), then the next 20 bytes are  
the fixed-length portion of the IPv4 header.

There might also be options, making the header longer than 20 bytes;  
see RFC 791 for details:

	http://tools.ietf.org/html/rfc791
> 3) What about the rest of the bytes? I know they represent some
> different data, such as ICMP, TCP, SSL, TLSv1, UDP, etc. How can we
> distinguish the data between all these protocols? How do we know the
> data we received is TCP protocol, or ICMP protocol, or SSL protocol?
>
SSL runs over TCP, so if the data is SSL the data received *is* TCP  
data.

ICMP, UDP, TCP, and some other protocols (such as SCTP) run on top of  
IP.

The IPv4 header has a "Protocol" field that indicates whether what
follows the IPv4 header is ICMP, UDP, TCP, etc.

To determine whether a TCP packet is SSL/TLS, you can check whether  
the source or destination port number is 443; if it is, the packet  
probably contains SSL/TLS-over-TCP data.  SSL/TLS are used by other  
protocols, however; for example, if SMTP (mail protocol) is being  
carried over SSL/TLS, the only way to determine that is to see the  
STARTTLS in the beginning of the connection.
> 4) How can we find out whether the data contains a password and user
> name? I looked at Wireshark's data and know that somewhere it
> contains the user name, and the password is decrypted; does anyone
> know where these two are located?
>
That depends on the protocol being used.
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
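
The decoding steps Guy describes above (14-byte Ethernet header, EtherType 0x0800, IPv4 header whose real length comes from the IHL field, Protocol field selecting ICMP/UDP/TCP, port 443 as a hint for SSL/TLS over TCP) as an added worked example in C. This is not code from the thread or from WinPcap; it assumes pcap_datalink() returned DLT_EN10MB (libpcap documents that value as Ethernet at 10Mb, 100Mb, 1000Mb and up, so link speed does not change it), handles plain Ethernet II only (no 802.1Q VLAN tag, no IPv6), and treats port 443 as a heuristic rather than proof of TLS. The two frames at the bottom are constructed by hand so the function can be exercised without a live capture; the struct and function names are this example's own.

```c
/* Added example: walk a DLT_EN10MB frame header by header, bounds-checking
 * against caplen at every step so a truncated capture never reads past the
 * buffer. Not part of the mailing-list post or of WinPcap itself. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN    14      /* 6 dst + 6 src + 2 EtherType */
#define ETHERTYPE_IPV4 0x0800
#define PROTO_ICMP     1       /* values of the IPv4 "Protocol" field */
#define PROTO_TCP      6
#define PROTO_UDP      17

struct pkt_summary {
    int ok;                      /* 1 when every header fit inside caplen */
    uint16_t ethertype;          /* Ethernet bytes 12-13 */
    unsigned ip_hdr_len;         /* IHL * 4: 20 without options, more with */
    uint8_t protocol;            /* IPv4 Protocol field (byte 9 of the IP header) */
    uint16_t src_port, dst_port; /* 0 unless TCP or UDP */
    int probably_tls;            /* TCP with port 443 on either side (heuristic) */
    size_t payload_off;          /* first byte after the last header parsed */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

struct pkt_summary parse_en10mb(const uint8_t *pkt, size_t caplen)
{
    struct pkt_summary s;
    memset(&s, 0, sizeof s);

    /* 1) Ethernet II header */
    if (caplen < ETH_HDR_LEN) return s;
    s.ethertype = rd16(pkt + 12);
    if (s.ethertype != ETHERTYPE_IPV4) return s;   /* ARP, VLAN, IPv6: not handled here */

    /* 2) IPv4 header: 20 bytes minimum, IHL gives the real length (options) */
    const uint8_t *ip = pkt + ETH_HDR_LEN;
    size_t rem = caplen - ETH_HDR_LEN;
    if (rem < 20 || (ip[0] >> 4) != 4) return s;
    s.ip_hdr_len = (unsigned)(ip[0] & 0x0f) * 4;
    if (s.ip_hdr_len < 20 || rem < s.ip_hdr_len) return s;
    s.protocol = ip[9];

    /* 3) Transport header chosen by the Protocol field */
    const uint8_t *tp = ip + s.ip_hdr_len;
    rem -= s.ip_hdr_len;
    size_t tp_len;
    if (s.protocol == PROTO_TCP) {
        if (rem < 20) return s;
        s.src_port = rd16(tp);
        s.dst_port = rd16(tp + 2);
        tp_len = (size_t)(tp[12] >> 4) * 4;        /* TCP data offset, options included */
        if (tp_len < 20 || rem < tp_len) return s;
        s.probably_tls = (s.src_port == 443 || s.dst_port == 443);
    } else if (s.protocol == PROTO_UDP) {
        if (rem < 8) return s;
        s.src_port = rd16(tp);
        s.dst_port = rd16(tp + 2);
        tp_len = 8;
    } else if (s.protocol == PROTO_ICMP) {
        if (rem < 8) return s;                     /* type, code, checksum, rest of header */
        tp_len = 8;
    } else {
        tp_len = 0;                                /* other protocol: payload follows IP */
    }
    s.payload_off = ETH_HDR_LEN + s.ip_hdr_len + tp_len;
    s.ok = 1;
    return s;
}

/* Constructed frame: Ethernet -> IPv4 with 4 bytes of options (IHL=6) -> TCP SYN to port 443 */
const uint8_t sample_tcp_tls[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x46,0x00,0x00,0x2c, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,1, 10,0,0,2, 0x01,0x01,0x01,0x00,
    0xc0,0x00, 0x01,0xbb, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0
};
/* Constructed frame: Ethernet -> IPv4 without options -> UDP from port 53 to 49153 */
const uint8_t sample_udp_dns[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x02,0x40,0x00, 0x40,0x11,0x00,0x00,
    10,0,0,2, 10,0,0,1,
    0x00,0x35, 0xc0,0x01, 0x00,0x08, 0x00,0x00
};

static void show(const char *name, const uint8_t *pkt, size_t caplen)
{
    struct pkt_summary s = parse_en10mb(pkt, caplen);
    printf("%s: ok=%d ethertype=0x%04x iphdr=%u proto=%u ports=%u->%u tls?=%d payload@%zu\n",
           name, s.ok, s.ethertype, s.ip_hdr_len, s.protocol,
           s.src_port, s.dst_port, s.probably_tls, s.payload_off);
}

int main(void)
{
    show("tcp443", sample_tcp_tls, sizeof sample_tcp_tls);
    show("udp53", sample_udp_dns, sizeof sample_udp_dns);
    show("truncated", sample_tcp_tls, 30);   /* caplen cut inside the IP header */
    return 0;
}
```

In a real pcap_loop() callback the same call would be parse_en10mb(pkt_data, header->caplen); caplen, not len, is the bound, because a snaplen shorter than the frame leaves bytes on the wire that are not in the buffer. Where user names and passwords sit inside the payload that starts at payload_off depends entirely on the application protocol, as the reply says.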