Solved

How do I reassemble packets from a packet sniffer?

Posted on 2008-10-15
4
1,495 Views
Last Modified: 2013-11-29
I have been trying to understand information from Wireshark (as a hobby on my own network!) and was wondering how I can reassemble the packets into something I can understand.  Is there another program that does this?  (Preferably freeware or trial-version but I'm not against buying it, depending on the cost)  I would eventually like to be able to sort out different types of traffic (e.g. instant messaging, web site traffic, e-mail, etc.) and understand what the user is looking at.  I am a definite newbie with Wireshark and any help is greatly appreciated.  Again, this is strictly for my own use on my own network so I'm not doing anything nefarious!!!  :)
0
Comment
Question by:alg205
4 Comments
 
LVL 39

Assisted Solution

by:Roger Baklund
Roger Baklund earned 160 total points
ID: 22725133
Right-click a packet, select 'Follow TCP stream'. This will show the communication, but there is no explanation of the different protocols.
0
 

Author Comment

by:alg205
ID: 22725428
When I follow the TCP stream, it looks like garbage.  I've tried the different selections at the bottom (ascii, etc.) and I don't understand it.  Is there some type of program that will decode this into something I might be able to understand?  Thank you for your time and patience!!!
0
 
LVL 39

Assisted Solution

by:Roger Baklund
Roger Baklund earned 160 total points
ID: 22725759
What you see is the "raw" data for the communication.

TCP is a low level protocol, used by very many other protocols. It is hard to know what kind of stream you are looking at.

Some protocols like http and smtp (web & email) use plain text, and you can decode it easily. Some files, like images, will be binary and look like garbage, as you say. Some http connections can use compression, and you will see garbage; https connections are encrypted, and you will see garbage.

Many protocols are binary; that means they don't use plain text/ASCII at all, but some other protocol-dependent codes.
0
 
LVL 1

Accepted Solution

by:
Abh4IT earned 90 total points
ID: 22729546
Hi,

Behind the scenes Wireshark uses this API called WinPcap for doing the packet handling. Basically as a packet arrives at a NIC, we have a receive time and this is stamped in addition to packet information. This is later used to analyze the packet. ACP is the standard file format used for logging and offline analysis for network packets. Packet analysis involves basically decoding the packet to get the Ethernet or IEEE 802 packet out and then involves checking the Ethertype (2 bytes) to check which protocol. The Ethertype definitions exist there on the IEEE website for all defined packet types. The next step involves picking the data and parsing it for the specific protocol involved.

WinPcap is an API you can use - I guess it's open source for developing such software. Wireshark does the logging and you need to use packet analyzers to perform more detailed analysis. Not many of these tools are free. If you want to focus on a certain type of traffic you could develop an analysis tool using WinPcap. Search for network analyzers on the net, for example http://www.monitortools.com/traffic/

Hope this Helps.
0
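The decode steps described in this answer (peel the Ethernet header, check the Ethertype, then the IP protocol, then parse TCP) combined with the "Follow TCP stream" reassembly from the earlier answer, as an added example that is not code from any answer on this page or from Wireshark/WinPcap. The frames, addresses, sequence numbers and the port-to-protocol table are constructed here for illustration; checksums are not computed.

```python
import struct

PORT_NAMES = {80: "http", 25: "smtp", 443: "https", 5222: "xmpp"}  # assumed well-known ports

def parse_frame(frame: bytes) -> dict:
    """Peel Ethernet -> IPv4 -> TCP headers; refuse anything that is not plain IPv4/TCP."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:                          # 0x0800 = IPv4 in the IEEE Ethertype registry
        raise ValueError(f"unsupported Ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                         # IPv4 header length in bytes
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 6:                                   # 6 = TCP
        raise ValueError(f"unsupported IP protocol {proto}")
    tcp = ip[ihl:total_len]                          # trim Ethernet padding, if any
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4                    # TCP header length in bytes
    return {"sport": sport, "dport": dport, "seq": seq, "payload": tcp[data_off:]}

def reassemble_stream(frames: list) -> bytes:
    """Order one direction's segments by sequence number and join them (the 'Follow TCP stream' idea)."""
    segs = sorted((parse_frame(f) for f in frames), key=lambda s: s["seq"])
    out, expected = bytearray(), segs[0]["seq"]
    for s in segs:
        if s["seq"] > expected:                      # a segment is missing: do not silently glue
            raise ValueError(f"gap: {s['seq'] - expected} bytes missing before seq {s['seq']}")
        data = s["payload"][expected - s["seq"]:]    # drop bytes already seen (retransmission/overlap)
        out += data
        expected += len(data)
    return bytes(out)

def classify(frame: bytes) -> str:
    """Guess the application protocol from the port; a heuristic, not a real dissection."""
    s = parse_frame(frame)
    return PORT_NAMES.get(s["dport"], PORT_NAMES.get(s["sport"], "unknown"))

def build_frame(seq: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (sample data; checksums left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed plain-text HTTP request
SAMPLE_FRAMES = [build_frame(1020, REQUEST[20:]),         # second segment captured first
                 build_frame(1000, REQUEST[:20]),
                 build_frame(1020, REQUEST[20:])]         # duplicate (retransmission)

if __name__ == "__main__":
    print(classify(SAMPLE_FRAMES[0]), reassemble_stream(SAMPLE_FRAMES).decode("ascii"))
```

On a real capture the same approach only works per direction and per connection; compressed or TLS-encrypted payloads still come out as opaque bytes, exactly as the answers above describe.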
