Solved

How do I reassemble packets from a packet sniffer?

Posted on 2008-10-15
4
1,492 Views
Last Modified: 2013-11-29
I have been trying to understand information from Wireshark (as a hobby on my own network!) and was wondering how I can reassemble the packets into something I can understand.  Is there another program that does this?  (Preferably freeware or trial-version but I'm not against buying it, depending on the cost)  I would eventually like to be able to sort out different types of traffic (e.g. instant messaging, web site traffic, e-mail, etc.) and understand what the user is looking at.  I am a definite newbie with Wireshark and any help is greatly appreciated.  Again, this is strictly for my own use on my own network so I'm not doing anything nefarious!!!  :)
0
Comment
Question by:alg205
  • 2
4 Comments
 
LVL 39

Assisted Solution

by:Roger Baklund
Roger Baklund earned 160 total points
ID: 22725133
Right-click a packet, select 'Follow TCP stream'. This will show the communication, but there is no explanation of the different protocols.
0
 

Author Comment

by:alg205
ID: 22725428
When I follow the TCP stream, it looks like garbage.  I've tried the different selections at the bottom (ascii, etc.) and I don't understand it.  Is there some type of program that will decode this into something I might be able to understand?  Thank you for your time and patience!!!
0
 
LVL 39

Assisted Solution

by:Roger Baklund
Roger Baklund earned 160 total points
ID: 22725759
What you see is the "raw" data for the communication.

TCP is a low level protocol, used by very many other protocols. It hard to know what kind of stream you are looking at.

Some protocols like http and smtp (web&email) use plain text, and you can decode it easily. Some files, like images, will be binary and look like garbage, as you say. Some http connections can use compression, and you will see garbage, https-connections are encrypted, and you will see garbage.

Many protocols are binary, that means they dont use plain text/ascii at all, but some other protocol-dependant codes.
0
 
LVL 1

Accepted Solution

by:
Abh4IT earned 90 total points
ID: 22729546
Hi,

Behind the scenes Wireshark uses this APIS called WinPcap for doing the packet handing. Basically as a packet arrives at a NIC, we have a recievetime and this is stamped in addition to packet information. This is later used to analyze the packet. ACP is the standard file format used for logging and  offline analsysi for network packets. Packet analysis involves basically decoding the packet get the Ethernet or IEEE 802 packet out and then involves checking on Ethertype (2 Bytes) to check which protocol . The Ethertype definitins exist there in IEEE website for all defined packet types. The next step involved picking the data and parsing it for the specific protocol involved.

WinPcap is an API you can use - I guess its open source for developing such software. Wireshark does the logging and you need to use packet analyzers to perform more detailed analysis. Not many of these tools are free. If you want to focus on certain type of traffic you could develop an analysis tool using WinPcap. Search for Network Analyzers .in net for example..http://www.monitortools.com/traffic/

Hope this Helps.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

With healthcare moving into the digital age with things like Healthcare.gov, the digitization of patient records and video conferencing with patients, data has a much greater chance of being exposed than ever before.
How do we balance the user experience (UX) with reasonable security measures? It can be done, if you keep these fundamentals in mind.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

806 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question