Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How do I reassemble packets from a packet sniffer?

Posted on 2008-10-15
4
Medium Priority
?
1,512 Views
Last Modified: 2013-11-29
I have been trying to understand information from Wireshark (as a hobby on my own network!) and was wondering how I can reassemble the packets into something I can understand.  Is there another program that does this?  (Preferably freeware or trial-version but I'm not against buying it, depending on the cost)  I would eventually like to be able to sort out different types of traffic (e.g. instant messaging, web site traffic, e-mail, etc.) and understand what the user is looking at.  I am a definite newbie with Wireshark and any help is greatly appreciated.  Again, this is strictly for my own use on my own network so I'm not doing anything nefarious!!!  :)
0
Comment
Question by:alg205
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 39

Assisted Solution

by:Roger Baklund
Roger Baklund earned 480 total points
ID: 22725133
Right-click a packet, select 'Follow TCP stream'. This will show the communication, but there is no explanation of the different protocols.
0
 

Author Comment

by:alg205
ID: 22725428
When I follow the TCP stream, it looks like garbage.  I've tried the different selections at the bottom (ascii, etc.) and I don't understand it.  Is there some type of program that will decode this into something I might be able to understand?  Thank you for your time and patience!!!
0
 
LVL 39

Assisted Solution

by:Roger Baklund
Roger Baklund earned 480 total points
ID: 22725759
What you see is the "raw" data for the communication.

TCP is a low level protocol, used by very many other protocols. It hard to know what kind of stream you are looking at.

Some protocols like http and smtp (web&email) use plain text, and you can decode it easily. Some files, like images, will be binary and look like garbage, as you say. Some http connections can use compression, and you will see garbage, https-connections are encrypted, and you will see garbage.

Many protocols are binary, that means they dont use plain text/ascii at all, but some other protocol-dependant codes.
0
 
LVL 1

Accepted Solution

by:
Abh4IT earned 270 total points
ID: 22729546
Hi,

Behind the scenes Wireshark uses this APIS called WinPcap for doing the packet handing. Basically as a packet arrives at a NIC, we have a recievetime and this is stamped in addition to packet information. This is later used to analyze the packet. ACP is the standard file format used for logging and  offline analsysi for network packets. Packet analysis involves basically decoding the packet get the Ethernet or IEEE 802 packet out and then involves checking on Ethertype (2 Bytes) to check which protocol . The Ethertype definitins exist there in IEEE website for all defined packet types. The next step involved picking the data and parsing it for the specific protocol involved.

WinPcap is an API you can use - I guess its open source for developing such software. Wireshark does the logging and you need to use packet analyzers to perform more detailed analysis. Not many of these tools are free. If you want to focus on certain type of traffic you could develop an analysis tool using WinPcap. Search for Network Analyzers .in net for example..http://www.monitortools.com/traffic/

Hope this Helps.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
How does someone stay on the right and legal side of the hacking world?
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question