Solved

How do I reassemble packets from a packet sniffer?

Posted on 2008-10-15
4
1,488 Views
Last Modified: 2013-11-29
I have been trying to understand information from Wireshark (as a hobby on my own network!) and was wondering how I can reassemble the packets into something I can understand.  Is there another program that does this?  (Preferably freeware or trial-version but I'm not against buying it, depending on the cost)  I would eventually like to be able to sort out different types of traffic (e.g. instant messaging, web site traffic, e-mail, etc.) and understand what the user is looking at.  I am a definite newbie with Wireshark and any help is greatly appreciated.  Again, this is strictly for my own use on my own network so I'm not doing anything nefarious!!!  :)
0
Comment
Question by:alg205
  • 2
4 Comments
 
LVL 39

Assisted Solution

by:Roger Baklund
Roger Baklund earned 160 total points
ID: 22725133
Right-click a packet, select 'Follow TCP stream'. This will show the communication, but there is no explanation of the different protocols.
0
 

Author Comment

by:alg205
ID: 22725428
When I follow the TCP stream, it looks like garbage.  I've tried the different selections at the bottom (ascii, etc.) and I don't understand it.  Is there some type of program that will decode this into something I might be able to understand?  Thank you for your time and patience!!!
0
 
LVL 39

Assisted Solution

by:Roger Baklund
Roger Baklund earned 160 total points
ID: 22725759
What you see is the "raw" data for the communication.

TCP is a low level protocol, used by very many other protocols. It hard to know what kind of stream you are looking at.

Some protocols like http and smtp (web&email) use plain text, and you can decode it easily. Some files, like images, will be binary and look like garbage, as you say. Some http connections can use compression, and you will see garbage, https-connections are encrypted, and you will see garbage.

Many protocols are binary, that means they dont use plain text/ascii at all, but some other protocol-dependant codes.
0
 
LVL 1

Accepted Solution

by:
Abh4IT earned 90 total points
ID: 22729546
Hi,

Behind the scenes Wireshark uses this APIS called WinPcap for doing the packet handing. Basically as a packet arrives at a NIC, we have a recievetime and this is stamped in addition to packet information. This is later used to analyze the packet. ACP is the standard file format used for logging and  offline analsysi for network packets. Packet analysis involves basically decoding the packet get the Ethernet or IEEE 802 packet out and then involves checking on Ethertype (2 Bytes) to check which protocol . The Ethertype definitins exist there in IEEE website for all defined packet types. The next step involved picking the data and parsing it for the specific protocol involved.

WinPcap is an API you can use - I guess its open source for developing such software. Wireshark does the logging and you need to use packet analyzers to perform more detailed analysis. Not many of these tools are free. If you want to focus on certain type of traffic you could develop an analysis tool using WinPcap. Search for Network Analyzers .in net for example..http://www.monitortools.com/traffic/

Hope this Helps.
0

Featured Post

Network it in WD Red

There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
An overview of HIPAA and guidance on this topic that Experts Exchange members can offer.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

947 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now