WordType Designs


Archive Date
[ 22-01-2006 ]
Category
[ Information Technologies ]
Sub-Category
[ Networking ]

      [http://www.mynetwatchman.com/pckidiot/chap01.htm

      Packet basics
      Chapter 1

      In this chapter you'll see packets in their raw and then decoded form. Don't worry about understanding what these packets mean (yet), just focus on the fact that packets have a well-defined structure.

      So without further ado, let me introduce the packet:

            00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
            -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
      0000  ff ff ff ff ff ff 00 01 02 48 52 18 08 06 00 01
      0010  08 00 06 04 00 01 00 01 02 48 52 18 ac 10 01 a9
      0020  00 00 00 00 00 00 ac 10 01 14

      This is how a packet appears on the network (the rows of hex bytes above) and how it is seen by the hosts that send and receive it: just a stream of bytes. I've included column and row headings that indicate the hexadecimal byte offset of each byte in the packet.
      Packets are often represented using hexadecimal notation, with each byte having possible values of 0x00 - 0xFF (0 - 255 decimal). The location of each byte is also identified using hexadecimal byte offsets. For example, the first byte of the packet above is at byte offset 0x0000 and the last byte is at offset 0x0029. Since 0x0029 is equal to decimal 42 we know this packet contains a total of 42 bytes.

      Though this data appears to be random and meaningless, it is anything but. The beauty of protocols is that, by their very definition, there are stringent rules that define EXACTLY what each byte means, and there is absolutely no deviation from these rules (except when the protocol has been mis-implemented).

      Protocol analyzers capture raw packets from the network, and apply the well-known protocol rules to decode packets into a more human-readable form.

      Here's a decoded version of the above packet:

      Frame 1 (42 on wire, 42 captured)
      Arrival Time: Apr 9, 2002 10:34:09.107196000
      Frame Number: 1
      Packet Length: 42 bytes
      Capture Length: 42 bytes

      Ethernet II
      Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
      Source: 00:01:02:48:52:18 (00:01:02:48:52:18)
      Type: ARP (0x0806)

      Address Resolution Protocol (request)
      Hardware type: Ethernet (0x0001)
      Protocol type: IP (0x0800)
      Hardware size: 6
      Protocol size: 4
      Opcode: request (0x0001)
      Sender MAC address: 00:01:02:48:52:18 (00:01:02:48:52:18)
      Sender IP address: 172.16.1.169 (172.16.1.169)
      Target MAC address: 00:00:00:00:00:00 (00:00:00:00:00:00)
      Target IP address: 172.16.1.20 (172.16.1.20)


      This packet is an ARP (Address Resolution Protocol) request, made by a host with an IP address of 172.16.1.169 which is attempting to identify the Ethernet address held by a host with an IP address of 172.16.1.20. We'll examine ARP in further detail later on.

      Let's go through the decoded packet section by section so that you can see how the analyzer is making its decisions.
      First the analyzer displays a summary of the packet. It's important to understand that none of this data is actually contained in the packet itself; rather, this is information the analyzer is generating.

      Frame 1 (42 on wire, 42 captured)
      Arrival Time: Apr 9, 2002 10:34:09.107196000
      Frame Number: 1
      Packet Length: 42 bytes
      Capture Length: 42 bytes


      Since we told the analyzer to capture packets from an Ethernet interface, it is assuming that we have an Ethernet packet:


      Ethernet II
      Ethernet protocol specifications (IEEE 802.3) define the following rules:
      • Bytes 00-05 identify the Destination Ethernet address
      • Bytes 06-0B identify the Source Ethernet address
      • Bytes 0C-0D identify the Ethernet type

            00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
            -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
      0000  ff ff ff ff ff ff 00 01 02 48 52 18 08 06 00 01
            [1]               [2]               [3]

      [1] Destination address (bytes 00-05), [2] Source address (bytes 06-0B), [3] Ethernet type (bytes 0C-0D)

      Hence this part of the packet is decoded by the analyzer, as follows:

      Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
      Source: 00:01:02:48:52:18 (00:01:02:48:52:18)
      Type: ARP (0x0806)
      Address Resolution Protocol (request)



      A list of Ethernet type codes can be found here: IEEE Ethernet Type Codes
      As you can see '0806' corresponds to ARP or Address Resolution Protocol.

      Now that the analyzer knows this is an ARP packet, it decodes the remainder of the packet following the rules for the ARP protocol:

            00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
            -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
      0000  ff ff ff ff ff ff 00 01 02 48 52 18 08 06 00 01
      0010  08 00 06 04 00 01 00 01 02 48 52 18 ac 10 01 a9
      0020  00 00 00 00 00 00 ac 10 01 14



      Address Resolution Protocol (request)
      Hardware type: Ethernet (0x0001)
      Protocol type: IP (0x0800)
      Hardware size: 6
      Protocol size: 4
      Opcode: request (0x0001)
      Sender MAC address: 00:01:02:48:52:18 (00:01:02:48:52:18)
      Sender IP address: 172.16.1.169 (172.16.1.169)
      Target MAC address: 00:00:00:00:00:00 (00:00:00:00:00:00)
      Target IP address: 172.16.1.20 (172.16.1.20)



      Notice how the analyzer (thankfully) decodes hexadecimal IP addresses contained in the packet (e.g. 0xac1001a9) into their dotted-decimal form (e.g. 172.16.1.169). ]
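The decode walked through above, as an added example in Python (not code from the mynetwatchman article or from this site): it takes the 42 bytes of the packet above, applies the Ethernet II rules first and then the ARP rules, and checks the lengths at each step so a truncated or mis-implemented packet is reported instead of being misread. The function and field names are my own.

```python
import ipaddress
import struct

# The 42-byte ARP request from the hex dump above, transcribed byte for byte.
PACKET = bytes.fromhex(
    "ff ff ff ff ff ff 00 01 02 48 52 18 08 06 00 01 "
    "08 00 06 04 00 01 00 01 02 48 52 18 ac 10 01 a9 "
    "00 00 00 00 00 00 ac 10 01 14"
)

ETHERTYPES = {0x0806: "ARP", 0x0800: "IP"}
ARP_OPCODES = {1: "request", 2: "reply"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def decode_ethernet(pkt):
    # Ethernet II: bytes 00-05 destination, 06-0B source, 0C-0D type (big-endian).
    if len(pkt) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", pkt[:14])
    return {"dst": mac(dst), "src": mac(src), "type": etype,
            "type_name": ETHERTYPES.get(etype, "unknown"), "payload": pkt[14:]}

def decode_arp(payload):
    # Fixed 8-byte ARP header, then sender/target addresses whose sizes come
    # from hlen/plen; verify the body really is that long before slicing it.
    if len(payload) < 8:
        raise ValueError("ARP header truncated")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    need = 8 + 2 * (hlen + plen)
    if len(payload) < need:
        raise ValueError(f"ARP body needs {need} bytes, got {len(payload)}")
    off, addrs = 8, []
    for size in (hlen, plen, hlen, plen):
        addrs.append(payload[off:off + size])
        off += size
    sha, spa, tha, tpa = addrs

    def proto_addr(raw):
        # Dotted decimal only when the protocol really is 4-byte IPv4.
        if ptype == 0x0800 and plen == 4:
            return str(ipaddress.IPv4Address(raw))
        return raw.hex()
    return {"htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen,
            "opcode": op, "op_name": ARP_OPCODES.get(op, "unknown"),
            "sender_mac": mac(sha), "sender_ip": proto_addr(spa),
            "target_mac": mac(tha), "target_ip": proto_addr(tpa)}

def decode(pkt):
    # Same order as the analyzer: Ethernet first, then ARP if the type says so.
    eth = decode_ethernet(pkt)
    result = {"length": len(pkt), "ethernet": eth}
    if eth["type"] == 0x0806:
        result["arp"] = decode_arp(eth["payload"])
    return result

if __name__ == "__main__":
    for layer, fields in decode(PACKET).items():
        print(layer, fields)
```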



Copyright © 2025. All Rights Reserved