In this chapter you'll see packets in their raw and then decoded form. Don't worry about understanding what these packets mean (yet), just focus on the fact that packets have a well-defined structure.
So without further ado, let me introduce the packet:
     00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
0000 ff ff ff ff ff ff 00 01 02 48 52 18 08 06 00 01
0010 08 00 06 04 00 01 00 01 02 48 52 18 ac 10 01 a9
0020 00 00 00 00 00 00 ac 10 01 14
This is how a packet appears on the network and how it is seen by the hosts that send and receive it: just a stream of bytes. I've included column and row headings that indicate the hexadecimal byte offset of each byte in the packet.
Packets are often represented using hexadecimal notation, with each byte having a possible value of 0x00 - 0xFF (0 - 255 decimal). The location of each byte is also identified using hexadecimal byte offsets. For example, the first byte of the packet above is at byte offset 0x0000 and the last byte is at offset 0x0029. Since 0x0029 is equal to decimal 41, and offsets are counted from zero, we know this packet contains a total of 42 bytes.
Though this data appears to be random and meaningless, it is anything but. The beauty of protocols is that, by their very definition, there are stringent rules that define EXACTLY what each byte means, and there is absolutely no deviation from these rules (except when the protocol has been mis-implemented).
Protocol analyzers capture raw packets from the network, and apply the well-known protocol rules to decode packets into a more human-readable form.
Here's a decoded version of the above packet:
Frame 1 (42 on wire, 42 captured)
Arrival Time: Apr 9, 2002 10:34:09.107196000
Frame Number: 1
Packet Length: 42 bytes
Capture Length: 42 bytes
Ethernet II
Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Source: 00:01:02:48:52:18 (00:01:02:48:52:18)
Type: ARP (0x0806)
Address Resolution Protocol (request)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (0x0001)
Sender MAC address: 00:01:02:48:52:18 (00:01:02:48:52:18)
Sender IP address: 172.16.1.169 (172.16.1.169)
Target MAC address: 00:00:00:00:00:00 (00:00:00:00:00:00)
Target IP address: 172.16.1.20 (172.16.1.20)
This packet is an ARP (Address Resolution Protocol) request, made by a host with an IP address of 172.16.1.169 which is attempting to identify the Ethernet address held by a host with an IP address of 172.16.1.20. We'll examine ARP in further detail later on.
Let's go through the decoded packet section by section so that you can see how the analyzer is making its decisions.
First the analyzer displays a summary of the packet. It's important to understand that none of this data is actually contained in the packet itself; rather, this is information the analyzer is generating.
Frame 1 (42 on wire, 42 captured)
Arrival Time: Apr 9, 2002 10:34:09.107196000
Frame Number: 1
Packet Length: 42 bytes
Capture Length: 42 bytes
Since we told the analyzer to capture packets from an Ethernet interface, it is assuming that we have an Ethernet packet:
Ethernet II
Ethernet protocol specifications (IEEE 802.3) define the following layout for the first 14 bytes, the Ethernet header:
     00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
0000 ff ff ff ff ff ff 00 01 02 48 52 18 08 06 00 01
     [1]               [2]               [3]
[1] Destination address: bytes 0x00 - 0x05 (6 bytes)
[2] Source address: bytes 0x06 - 0x0B (6 bytes)
[3] Type: bytes 0x0C - 0x0D (2 bytes), identifying the protocol carried in the payload
Hence this part of the packet is decoded by the analyzer, as follows:
Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Source: 00:01:02:48:52:18 (00:01:02:48:52:18)
Type: ARP (0x0806)
Address Resolution Protocol (request)
A list of Ethernet type codes can be found here:
IEEE Ethernet Type Codes
As you can see, type code 0x0806 corresponds to ARP, the Address Resolution Protocol.
Now that the analyzer knows this is an ARP packet, it decodes the remainder of the packet following the rules for the ARP protocol:
     00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
0000 ff ff ff ff ff ff 00 01 02 48 52 18 08 06 00 01
0010 08 00 06 04 00 01 00 01 02 48 52 18 ac 10 01 a9
0020 00 00 00 00 00 00 ac 10 01 14
Address Resolution Protocol (request)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (0x0001)
Sender MAC address: 00:01:02:48:52:18 (00:01:02:48:52:18)
Sender IP address: 172.16.1.169 (172.16.1.169)
Target MAC address: 00:00:00:00:00:00 (00:00:00:00:00:00)
Target IP address: 172.16.1.20 (172.16.1.20)
Notice how the analyzer (thankfully) decodes the hexadecimal IP addresses contained in the packet (e.g. 0xac1001a9) into their dotted-decimal form (e.g. 172.16.1.169).
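As an added example (not code from the original chapter), here is a small Python decoder that applies the same Ethernet II and ARP rules to the chapter's 42-byte dump and reproduces the analyzer's field values. The field names, the two small EtherType and opcode tables, and the length checks before slicing are my own choices, made to match the decode shown above.

```python
import struct

# Constructed from the hex dump in this chapter: the 42-byte ARP request.
RAW_HEX = (
    "ff ff ff ff ff ff 00 01 02 48 52 18 08 06 00 01 "
    "08 00 06 04 00 01 00 01 02 48 52 18 ac 10 01 a9 "
    "00 00 00 00 00 00 ac 10 01 14"
)

ETHERTYPES = {0x0806: "ARP", 0x0800: "IP"}   # subset of the IEEE list
ARP_OPCODES = {1: "request", 2: "reply"}


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ipv4(b):
    return ".".join(str(x) for x in b)


def decode_ethernet(frame):
    """Ethernet II header: 6-byte destination, 6-byte source, 2-byte type."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    hdr = {"Destination": fmt_mac(dst), "Source": fmt_mac(src),
           "Type": ETHERTYPES.get(etype, f"unknown (0x{etype:04x})")}
    return hdr, etype, frame[14:]


def decode_arp(payload):
    """ARP: 8-byte fixed header, then four addresses sized by hlen/plen."""
    if len(payload) < 8:
        raise ValueError("payload shorter than an ARP header")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if len(payload) < 8 + 2 * (hlen + plen):   # trust lengths only after checking them
        raise ValueError("ARP addresses truncated")
    hw = fmt_mac if hlen == 6 else bytes.hex    # pretty-print only known sizes
    pr = fmt_ipv4 if plen == 4 else bytes.hex
    sha, spa = payload[8:8 + hlen], payload[8 + hlen:8 + hlen + plen]
    tha = payload[8 + hlen + plen:8 + 2 * hlen + plen]
    tpa = payload[8 + 2 * hlen + plen:8 + 2 * hlen + 2 * plen]
    return {"Hardware type": htype, "Protocol type": ptype,
            "Hardware size": hlen, "Protocol size": plen,
            "Opcode": ARP_OPCODES.get(oper, f"unknown ({oper})"),
            "Sender MAC address": hw(sha), "Sender IP address": pr(spa),
            "Target MAC address": hw(tha), "Target IP address": pr(tpa)}


def decode_frame(raw):
    """Decode the Ethernet header, then ARP only if the type field says so."""
    eth, etype, payload = decode_ethernet(raw)
    return eth, (decode_arp(payload) if etype == 0x0806 else None)
```

Running `decode_frame(bytes.fromhex(RAW_HEX))` yields the same Destination, Source, Type, Opcode and address values the analyzer printed above.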