Solved

How do I reassemble packets from a packet sniffer?

Posted on 2008-10-15
1,506 Views
Last Modified: 2013-11-29
I have been trying to understand information from Wireshark (as a hobby on my own network!) and was wondering how I can reassemble the packets into something I can understand.  Is there another program that does this?  (Preferably freeware or trial-version but I'm not against buying it, depending on the cost)  I would eventually like to be able to sort out different types of traffic (e.g. instant messaging, web site traffic, e-mail, etc.) and understand what the user is looking at.  I am a definite newbie with Wireshark and any help is greatly appreciated.  Again, this is strictly for my own use on my own network so I'm not doing anything nefarious!!!  :)
Question by:alg205
4 Comments
LVL 39

Assisted Solution

by:Roger Baklund
Roger Baklund earned 480 total points
ID: 22725133
Right-click a packet, select 'Follow TCP stream'. This will show the communication, but there is no explanation of the different protocols.
Author Comment

by:alg205
ID: 22725428
When I follow the TCP stream, it looks like garbage.  I've tried the different selections at the bottom (ascii, etc.) and I don't understand it.  Is there some type of program that will decode this into something I might be able to understand?  Thank you for your time and patience!!!
LVL 39

Assisted Solution

by:Roger Baklund
Roger Baklund earned 480 total points
ID: 22725759
What you see is the "raw" data for the communication.

TCP is a low level protocol, used by very many other protocols. It is hard to know what kind of stream you are looking at.

Some protocols like http and smtp (web&email) use plain text, and you can decode it easily. Some files, like images, will be binary and look like garbage, as you say. Some http connections can use compression, and you will see garbage. https connections are encrypted, and you will see garbage.

Many protocols are binary, that means they don't use plain text/ascii at all, but some other protocol-dependent codes.
LVL 1

Accepted Solution

by:Abh4IT
Abh4IT earned 270 total points
ID: 22729546
Hi,

Behind the scenes Wireshark uses an API called WinPcap for doing the packet handling. Basically as a packet arrives at a NIC, we have a receive time and this is stamped in addition to packet information. This is later used to analyze the packet. ACP is the standard file format used for logging and offline analysis of network packets. Packet analysis basically involves decoding the packet to get the Ethernet or IEEE 802 packet out, and then checking the Ethertype (2 bytes) to see which protocol is used. The Ethertype definitions exist on the IEEE website for all defined packet types. The next step involves picking the data and parsing it for the specific protocol involved.

WinPcap is an API you can use - I guess it's open source for developing such software. Wireshark does the logging and you need to use packet analyzers to perform more detailed analysis. Not many of these tools are free. If you want to focus on a certain type of traffic you could develop an analysis tool using WinPcap. Search for network analyzers on the net, for example http://www.monitortools.com/traffic/

Hope this Helps.
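The two answers above describe, between them, what "Follow TCP stream" actually does: walk Ethernet -> Ethertype -> IPv4 -> TCP, collect the payload bytes of one connection in sequence order, and then look at whether the result is a text protocol or binary. The script below is an added example written for this thread; it is not Wireshark's or WinPcap's code and it reads constructed frames from memory rather than a live NIC or a capture file. It decodes the headers by hand, reorders out-of-order segments, discards the bytes of a retransmission, and applies a simple printable-ASCII heuristic to say whether a reassembled stream is readable text. All addresses, ports, sequence numbers and the HTTP request/response are made up for the example.

```python
import struct
from typing import Dict, List, Tuple

ETHERTYPE_IPV4 = 0x0800   # from the IEEE Ethertype registry
PROTO_TCP = 6             # IPv4 protocol number for TCP


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP headers; returns early for other protocols."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info                       # ARP, IPv6, ... are not decoded here
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    info.update(proto=proto,
                src_ip=".".join(str(b) for b in src),
                dst_ip=".".join(str(b) for b in dst))
    if proto != PROTO_TCP:
        return info
    tcp = ip[ihl:total_len]               # honour total_len: ignores Ethernet padding
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off, _flags, _win, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    info.update(sport=sport, dport=dport, seq=seq, payload=tcp[data_off:])
    return info


def follow_tcp_stream(frames: List[bytes]) -> Dict[Tuple[str, int, str, int], dict]:
    """Group TCP payloads per direction and stitch them together in sequence order.
    (32-bit sequence-number wraparound is not handled in this toy version.)"""
    segments: Dict[Tuple[str, int, str, int], List[Tuple[int, bytes]]] = {}
    for frame in frames:
        p = parse_frame(frame)
        if p.get("proto") != PROTO_TCP or not p["payload"]:
            continue                      # skip non-TCP frames and pure ACKs
        key = (p["src_ip"], p["sport"], p["dst_ip"], p["dport"])
        segments.setdefault(key, []).append((p["seq"], p["payload"]))

    streams = {}
    for key, segs in segments.items():
        segs.sort(key=lambda s: s[0])     # capture order -> sequence order
        data, missing, expected = bytearray(), 0, None
        for seq, payload in segs:
            if expected is None:
                expected = seq
            if seq < expected:            # retransmission/overlap: keep only new bytes
                payload = payload[expected - seq:]
                seq = expected
            elif seq > expected:          # gap: a segment was never captured
                missing += seq - expected
                expected = seq
            data += payload
            expected += len(payload)
        streams[key] = {"data": bytes(data), "missing_bytes": missing}
    return streams


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: a stream that is almost all printable ASCII is a text protocol
    (HTTP, SMTP); compressed, encrypted or image data fails this test."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


# --- Constructed sample capture (made up for this example, not a real network) ---
def build_frame(src: Tuple[bytes, int], dst: Tuple[bytes, int], seq: int, payload: bytes) -> bytes:
    """Build an Ethernet/IPv4/TCP frame; checksums are left as zero for brevity."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0, src[0], dst[0])
    return eth + ip + tcp

CLIENT = (bytes([192, 168, 1, 10]), 40000)
SERVER = (bytes([192, 168, 1, 20]), 80)
REQUEST = b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESP_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
RESP_BODY = b"\x89PNG\r\n\x1a\n" + bytes(range(0x80, 0xC0))   # binary "garbage"

SAMPLE_FRAMES = [
    build_frame(CLIENT, SERVER, 1000, REQUEST),
    build_frame(SERVER, CLIENT, 5000 + len(RESP_HDR), RESP_BODY),  # captured before its header
    build_frame(SERVER, CLIENT, 5000, RESP_HDR),
    build_frame(SERVER, CLIENT, 5000, RESP_HDR),                  # retransmission
]

if __name__ == "__main__":
    for key, s in follow_tcp_stream(SAMPLE_FRAMES).items():
        kind = "text" if looks_like_text(s["data"]) else "binary"
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {len(s['data'])} bytes, {kind}")
        print(s["data"][:80])
```

Running it prints the client->server direction as text (the HTTP request reads fine) and the server->client direction as binary, even though it starts with a readable HTTP header, because most of its bytes are the image body. That is exactly the "garbage" in the question: the reassembly is correct, the payload simply is not text. Wireshark's Follow TCP Stream differs mainly in showing both directions interleaved and in reading real captures; for anything encrypted (https) the same bytes stay unreadable no matter how they are reassembled.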