[Winpcap-users] Question about how to interpret the pkt_data

Eric Kollmann xnih13 at gmail.com
Fri Jan 16 23:56:51 GMT 2009


A good place to start research on packets is at:
http://www.networksorcery.com/enp/default1002.htm

Long story short on all this, start processing the packet from the beginning
and shove little pieces into headers as you go, determining whether you have got
it in the right place by verifying the data.

I'm sure there are some ready made chunks of code out there for you on some
of what you are looking for, but if you start from scratch you need to build
headers for each of the protocols you want to play with and start plugging
away.  Code snippets below are from Pascal, convert as needed for C, C++,
C#, etc.

So to answer question #1:
First you need to determine if it is Ethernet II or if it is Ethernet
802.3.  Not sure the best way to do this, but as I'm looking at some code
I've done in the past I check to see if eth_proto is <= $05DC.

Where this is what I had for headers:
 EthernetII_Header = record
   eth_dstmac    : array[0..5] of Byte;  { bytes 1-6: destination MAC }
   eth_srcmac    : array[0..5] of Byte;  { bytes 7-12: source MAC }
   eth_proto     : Word;                 { bytes 13-14: EtherType, big-endian on the wire }
 end;

 Ethernet8023_Header = record
   eth_dstmac    : array[0..5] of Byte;  { bytes 1-6: destination MAC }
   eth_srcmac    : array[0..5] of Byte;  { bytes 7-12: source MAC }
   eth_len       : Word;                 { bytes 13-14: payload length, <= $05DC }
 end;

6 bytes for dest mac address, 6 bytes for source mac address, and 2 bytes
for what is either a protocol or a length, depending on what type of packet
it is going to be.

Assuming it was an IP packet (Ethernet II) instead of an IPX packet (802.3)
then you'd start looking at what value is in eth_proto (bytes 13 and 14).  If
that value in bytes 13 and 14 is less than or equal to $05DC, then it is
Ethernet 802.3.

Table here:
http://www.iana.org/assignments/protocol-numbers/

(you also need to check to see if it is a vlan, and if it is then do other
things, but we'll assume it is not a vlan packet for now).

So assume bytes 13 and 14 are 0800, then we have an IP packet.
Other values:
0806 = ARP
872d = Cisco Wireless LAN Context Control Protocol
etc.

Question #2:
Anyway, 0800, IP packet, next determine if it is TCP or UDP, for this you'd
look at the ip_protocol section in the IP_header after you've shoved the
next 20 bytes into this:

 IP_Header = record
   ip_verlen       : Byte;                { high nibble: version (4); low nibble: header length in 32-bit words }
   ip_tos          : Byte;                { type of service }
   ip_totallength  : Word;                { total length of header + data, big-endian }
   ip_id           : Word;                { identification }
   ip_offset       : Word;                { flags (3 bits) + fragment offset (13 bits) }
   ip_ttl          : Byte;                { time to live }
   ip_protocol     : Byte;                { $06 = TCP, $11 = UDP, ... }
   ip_checksum     : Word;                { header checksum }
   ip_srcaddr      : array[0..3] of Byte; { source IPv4 address }
   ip_dstaddr      : array[0..3] of Byte; { destination IPv4 address }
 end;                                     { 20 bytes; options, if any, follow }

IP may not always be 20 bytes in length since it can have IP Options seen as
optional in this pic:
http://www.networksorcery.com/enp/protocol/ip.htm

So this is something you need to determine based on processing ip_verlen.
This field gives you both the version of IP and the length of the header as
I recall (sorry, been a long time since I worked on this chunk of code).

Question #3 sorta:
Now that we have ip_protocol, we need to look at its value:
0x11 = UDP
0x59 = OSPF IGP
0x06 = TCP

You can look up others here:
http://www.networksorcery.com/enp/protocol/ip.htm#Protocol
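Here is the walk described in questions #1 through #3 as one C routine, added here as an example and not part of the original post or of any WinPcap code. It takes the pkt_data buffer and captured length a pcap callback receives, picks Ethernet II versus 802.3 from bytes 13-14, handles the 802.1Q VLAN case the post sets aside (assumed here as EtherType 0x8100 with a 4-byte tag), derives the IPv4 header length from ip_verlen, and then reads ip_protocol. Every read is bounded by caplen so a truncated capture or an IHL smaller than 5 is rejected instead of read out of bounds. The sample frames at the bottom are constructed by hand (checksums left zero), not real captures.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not from the original post). pkt_data/caplen are what a
   WinPcap/libpcap callback receives; caplen is checked before every read. */

enum frame_kind { FRAME_BAD = 0, FRAME_8023, FRAME_ETH2_OTHER, FRAME_ARP, FRAME_IPV4 };

struct parsed_frame {
    enum frame_kind kind;
    uint16_t eth_proto;     /* EtherType (Ethernet II) or length (802.3) */
    int vlan_id;            /* -1 when there is no 802.1Q tag */
    size_t ip_header_len;   /* bytes, from the IHL nibble of ip_verlen */
    uint8_t ip_protocol;    /* 0x06 TCP, 0x11 UDP, 0x59 OSPF, ... */
    uint8_t ip_src[4], ip_dst[4];
    size_t payload_offset;  /* where the transport (TCP/UDP) header starts */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the frame is truncated or malformed. */
int parse_frame(const uint8_t *pkt_data, size_t caplen, struct parsed_frame *out)
{
    memset(out, 0, sizeof *out);
    out->vlan_id = -1;
    if (caplen < 14) return -1;                  /* not a full Ethernet header */
    size_t off = 12;                             /* bytes 13-14: type or length */
    uint16_t type = be16(pkt_data + off);
    if (type == 0x8100) {                        /* 802.1Q tag: 4 extra bytes (assumed) */
        if (caplen < 18) return -1;
        out->vlan_id = be16(pkt_data + 14) & 0x0FFF;
        off = 16;
        type = be16(pkt_data + off);
    }
    out->eth_proto = type;
    off += 2;
    if (type <= 0x05DC) { out->kind = FRAME_8023; return 0; }   /* it's a length */
    if (type == 0x0806) { out->kind = FRAME_ARP;  return 0; }
    if (type != 0x0800) { out->kind = FRAME_ETH2_OTHER; return 0; }

    if (caplen < off + 20) return -1;            /* fixed IPv4 header missing */
    const uint8_t *ip = pkt_data + off;
    if ((ip[0] >> 4) != 4) return -1;            /* version nibble of ip_verlen */
    out->ip_header_len = (size_t)(ip[0] & 0x0F) * 4;  /* IHL nibble, in 32-bit words */
    if (out->ip_header_len < 20) return -1;      /* IHL < 5 is malformed */
    if (caplen < off + out->ip_header_len) return -1; /* options cut off */
    out->ip_protocol = ip[9];
    memcpy(out->ip_src, ip + 12, 4);
    memcpy(out->ip_dst, ip + 16, 4);
    out->payload_offset = off + out->ip_header_len;
    out->kind = FRAME_IPV4;
    return 0;
}

const char *protocol_name(uint8_t p)
{
    switch (p) {
    case 0x06: return "TCP";
    case 0x11: return "UDP";
    case 0x59: return "OSPF";
    default:   return "other";
    }
}

/* Scalar accessors so results can be checked without touching the struct. */
int frame_kind_of(const uint8_t *b, size_t n)
{ struct parsed_frame f; return parse_frame(b, n, &f) == 0 ? (int)f.kind : -1; }
int frame_protocol(const uint8_t *b, size_t n)   /* -1 unless a valid IPv4 frame */
{ struct parsed_frame f; return (parse_frame(b, n, &f) == 0 && f.kind == FRAME_IPV4) ? f.ip_protocol : -1; }
int frame_vlan(const uint8_t *b, size_t n)
{ struct parsed_frame f; return parse_frame(b, n, &f) == 0 ? f.vlan_id : -2; }
long frame_payload_offset(const uint8_t *b, size_t n)
{ struct parsed_frame f; return (parse_frame(b, n, &f) == 0 && f.kind == FRAME_IPV4) ? (long)f.payload_offset : -1; }

/* Constructed sample frames (not real captures); checksums left as zero. */
const uint8_t sample_tcp[] = {      /* Ethernet II / IPv4 (no options) / TCP SYN to port 23 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01,
    0x04,0xd2,0x00,0x17, 0,0,0,1, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0,0,0 };
const uint8_t sample_vlan_udp[] = { /* 802.1Q VLAN 100 / IPv4 with 4 bytes of options (IHL=6) / UDP */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x81,0x00,0x00,0x64, 0x08,0x00,
    0x46,0x00,0x00,0x20, 0x00,0x02,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01, 0x01,0x01,0x01,0x01,
    0x00,0x35,0x00,0x35, 0x00,0x08,0x00,0x00 };
const uint8_t sample_8023[] = {     /* 802.3: bytes 13-14 hold a length (0x002E <= 0x05DC) */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x00,0x2e, 0xaa,0xaa,0x03 };

int main(void)
{
    struct parsed_frame f;
    if (parse_frame(sample_tcp, sizeof sample_tcp, &f) == 0 && f.kind == FRAME_IPV4)
        printf("IPv4 %u.%u.%u.%u -> %u.%u.%u.%u proto %s, transport header at byte %zu\n",
               f.ip_src[0], f.ip_src[1], f.ip_src[2], f.ip_src[3],
               f.ip_dst[0], f.ip_dst[1], f.ip_dst[2], f.ip_dst[3],
               protocol_name(f.ip_protocol), f.payload_offset);
    return 0;
}
```

The point of the caplen checks is that pcap hands you whatever the snaplen allowed, so a header field can legitimately be missing; trusting ip_totallength or the IHL nibble without comparing it to the captured length is the classic way a packet parser reads past its buffer.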

Question #4:
Depends on the type of packet you were working with:
Telnet/FTP: get to the data section after you've parsed through Ethernet II,
IP, TCP and start looking for a key to go off of.

Ultimately look up the protocol you are interested in and parse little by
little.

There is an open source project out there at sourceforge, in C# that you may
be able to look at and get some ideas.  Haven't ever looked specifically at
its code, but it pulls some creds from different protocols:

http://sourceforge.net/projects/networkminer/

Eric