Hex Trace Anyone?

techi3

So my homework for the weekend is to identify each byte in several packet captures. My question is: Is layer 2 always the Ethernet Header (destination MAC, source MAC, and Protocol type)?

Also, when they ask for the Application Protocol I should refer to the Source Port not the Destination Port right?

I'm getting myself confused I think because the book says the IPv4 header can be between 20-60 Bytes but I don't know how to tell what size it is going to be?

They gave us the CCNA book just as a reference, not because we're getting the certification; however, there isn't much on Packet Capture Analysis? :confused:
 
Hi palermo,

So layer 2 will essentially always be ethernet for any networks you're likely to analyse captures from. In reality though it is simply the lowest level protocol for the communication (layer 1 being physical: radio, wired, microwave, optical fibre etc. and not really important from a software perspective).

An ethernet stack always starts with 6 bytes of destination mac, and then 6 bytes of source mac, the final two bytes indicate what protocol follows. This can be any one of a (very large) list of values - but the ones you're likely to find are (given here in big-endian network order as you'd see in wireshark): 0x0800 for IPv4, 0x8100 for VLan, 0x9100 for Double-Vlan (aka QinQ) (I don't remember what IPv6 is off the top of my head...but that should be in this list too).

As for the length of the IPv4 header, its minimum fixed length of 20 bytes is what you'll see more than 99.99% of the time. However, you can determine exactly how long the header is by looking at the second nibble (half a byte) of the first byte of the header.

Typically IPv4 packets start with 0x45 - the 4 indicating that it is IPv4 and the 5 indicating the length coefficient. The value of 20 for the standard length is computed by taking the 5 and multiplying it by 4.
Since a header is always padded to a multiple of 4 bytes this equation holds true. For example, a header of length 32 would start 0x48.

Application Protocols are conventionally determined by their source port, yes. 80 = HTTP, 25 = SMTP, 161 = SNMP, 53 = DNS etc. However, it is worth remembering that you can run a web server on port 12345 if you want to and it would make absolutely no difference - although there could well be technicalities from a firewall policy point of view, but theoretically it makes no difference.

Hope that helps, ordinarily I wouldn't answer homework questions on here but you appear to have done a certain degree of investigation yourself and if there is anything I believe in within the computing industry it is that knowledge should be shared at every opportunity for everyone's mutual benefit.

Best of luck,
Michael.

---------- Post added at 07:32 PM ---------- Previous post was at 07:27 PM ----------

Oh and by the way - https://wireshark.org/ for everything you'll ever need on network packet analysis
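A worked decoder for the byte walk described in the reply above, added here as an example and not code from the thread: it reads the two MACs and the EtherType, skips any 0x8100/0x9100 tags, uses the IHL nibble to size the IPv4 header, and then reads the transport ports. The 0x86DD EtherType for IPv6 (not named in the thread) and the constructed sample frame are my additions.

```python
import struct

# EtherTypes named in the thread, plus 0x86DD for IPv6 (added here, not from the thread).
ETHERTYPES = {0x0800: 'IPv4', 0x8100: 'VLAN', 0x9100: 'QinQ', 0x86DD: 'IPv6'}

def parse_frame(frame: bytes) -> dict:
    """Walk one captured frame: Ethernet header, VLAN tags, IPv4 header sized by IHL, then ports."""
    if len(frame) < 14:
        raise ValueError('frame shorter than an Ethernet header')
    info = {'dst_mac': frame[0:6].hex(':'), 'src_mac': frame[6:12].hex(':'), 'vlans': []}
    ethertype = struct.unpack('!H', frame[12:14])[0]   # big-endian, as shown in Wireshark
    offset = 14
    # Each 802.1Q / QinQ tag inserts 4 bytes (TCI + the next EtherType) before the payload.
    while ethertype in (0x8100, 0x9100):
        tci, ethertype = struct.unpack('!HH', frame[offset:offset + 4])
        info['vlans'].append(tci & 0x0FFF)             # low 12 bits of the TCI are the VLAN ID
        offset += 4
    info['ethertype'] = ETHERTYPES.get(ethertype, hex(ethertype))
    if ethertype != 0x0800:
        return info                                     # only IPv4 is decoded further here
    version, ihl = frame[offset] >> 4, frame[offset] & 0x0F
    header_len = ihl * 4                                # 0x45 -> 20 bytes, 0x46 -> 24, 0x48 -> 32
    if version != 4 or header_len < 20 or offset + header_len > len(frame):
        raise ValueError('malformed IPv4 header')       # IHL < 5 or header runs past the capture
    info.update(ip_header_len=header_len,
                protocol=frame[offset + 9],
                src_ip='.'.join(map(str, frame[offset + 12:offset + 16])),
                dst_ip='.'.join(map(str, frame[offset + 16:offset + 20])))
    offset += header_len
    if info['protocol'] in (6, 17) and offset + 4 <= len(frame):   # TCP or UDP: ports come first
        info['src_port'], info['dst_port'] = struct.unpack('!HH', frame[offset:offset + 4])
    return info

# Constructed sample: 802.1Q-tagged (VLAN 100) IPv4 packet with IHL=6 (one 4-byte option), UDP 49152 -> 53.
SAMPLE_FRAME = bytes.fromhex(
    '001122334455' '66778899aabb' '8100' '0064' '0800'   # dst MAC, src MAC, VLAN tag, then IPv4
    '46' '00' '0020' '0001' '0000' '40' '11' '0000'      # ver/IHL, TOS, total len 32, id, frag, TTL, UDP, cksum
    'c0a8010a' '08080808' '01010100'                     # 192.168.1.10 -> 8.8.8.8, options NOP NOP NOP EOL
    'c000' '0035' '0008' '0000'                          # UDP src 49152, dst 53, length 8, checksum
)

if __name__ == '__main__':
    for key, value in parse_frame(SAMPLE_FRAME).items():
        print(f'{key:14} {value}')
```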
 
I really appreciate this, it all makes perfect sense. This stuff is getting fun, we learned how to Subnet and Supernet Friday and are learning how to VLSM next week. Thanks again.
 
No problem, glad to help.

Now you can help me - this may be a US terminology thing, but what are supernet and VLSM? By 'learned how to subnet' I assume you mean CIDR notation and the ratio of network bits to host bits?
 
Yes. Same thing. VLSM is Variable Length Subnet Masking - this creates different subnets within an IP range (Subnetting a Subnet); VLSM takes not only each individual LAN into account, but also the WAN links connecting them. Supernetting is the opposite of subnetting in that network bits are taken back and utilized as host bits.
 