Old 06-01-2013, 11:40 AM   #1
Baseband Member
 
 
Join Date: Jan 2013
Location: United States
Posts: 81
Hex Trace Anyone?

So my homework for the weekend is to identify each byte in several packet captures. My question is: Is layer 2 always the Ethernet Header (destination MAC, source MAC, and Protocol type)?

Also, when they ask for the Application Protocol I should refer to the Source Port not the Destination Port right?

I'm getting myself confused I think because the book says the IPv4 header can be between 20-60 Bytes but I don't know how to tell what size it is going to be?

They gave us the CCNA book just as a reference not cause we're getting the certification; however, there isn't much on Packet Capture Analysis?

palermo is offline   Reply With Quote
Old 06-01-2013, 02:32 PM   #2
In Runtime
 
Join Date: Feb 2013
Location: UK
Posts: 156
Re: Hex Trace Anyone?

Hi palermo,

So layer 2 will essentially always be Ethernet for any networks you're likely to analyse captures from. In reality though it is simply the lowest level protocol for the communication (layer 1 being physical: radio, wired, microwave, optical fibre etc. and not really important from a software perspective).

An Ethernet stack always starts with 6 bytes of destination MAC, and then 6 bytes of source MAC; the final two bytes indicate what protocol follows. This can be any one of a (very large) list of values - but the ones you're likely to find are (given here in big-endian network order as you'd see in Wireshark): 0x0800 for IPv4, 0x8100 for VLAN, 0x9100 for Double-VLAN (aka QinQ) (I don't remember what IPv6 is off the top of my head...but that should be in this list too).

As for the length of the IPv4 header, its minimum fixed length of 20 bytes is what you'll see more than 99.99% of the time. However, you can determine exactly how long the header is by looking at the second nibble (half a byte) of the first byte of the header.

Typically IPv4 packets start with 0x45 - the 4 indicating that it is IPv4 and the 5 indicating the length coefficient. The value of 20 for the standard length is computed by taking the 5 and multiplying it by 4.
Since a header is always padded to a multiple of 4 bytes this equation holds true. For example, a header of length 32 would start 0x48.

Application Protocols are conventionally determined by their source port, yes. 80 = HTTP, 25 = SMTP, 161 = SNMP, 53 = DNS etc. However, it is worth remembering that you can run a web server on port 12345 if you want to and it would make absolutely no difference - although there could well be technicalities from a firewall policy point of view, but theoretically it makes no difference.

Hope that helps, ordinarily I wouldn't answer homework questions on here but you appear to have done a certain degree of investigation yourself and if there is anything I believe in within the computing industry it is that knowledge should be shared at every opportunity for everyone's mutual benefit.

Best of luck,
Michael.

---------- Post added at 07:32 PM ---------- Previous post was at 07:27 PM ----------

Oh and by the way - https://wireshark.org/ for everything you'll ever need on network packet analysis

_michaelm is offline   Reply With Quote
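Added example (not part of the thread): a small Python decoder that walks a hex trace the way the reply above describes, reading the two MAC addresses, skipping any VLAN tags, and taking the IPv4 header length from the second nibble of the first IP byte. The sample frames and function names are constructed for illustration; the IPv6 EtherType 0x86DD and the lookup on both ports (the well-known port is the destination in a request and the source in a reply) go beyond what the post states.

```python
import struct

# EtherTypes and port conventions from the thread; 0x86DD (IPv6) is an addition.
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x8100: "VLAN", 0x9100: "QinQ"}
WELL_KNOWN = {25: "SMTP", 53: "DNS", 80: "HTTP", 161: "SNMP"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(hex_trace):
    """Label the fields of an Ethernet II frame; decode IPv4 and TCP/UDP ports."""
    raw = bytes.fromhex(hex_trace)  # whitespace between fields is ignored
    if len(raw) < 14:
        raise ValueError("shorter than a 14-byte Ethernet header")
    out = {"dst_mac": mac(raw[0:6]), "src_mac": mac(raw[6:12]), "vlans": []}
    off = 12
    (etype,) = struct.unpack_from("!H", raw, off)
    # A VLAN tag inserts 4 bytes: tag type + 2-byte TCI, then the real EtherType.
    while etype in (0x8100, 0x9100):
        if len(raw) < off + 6:
            raise ValueError("truncated VLAN tag")
        tci, etype = struct.unpack_from("!HH", raw, off + 2)
        out["vlans"].append(tci & 0x0FFF)  # low 12 bits are the VLAN ID
        off += 4
    out["ethertype"] = ETHERTYPES.get(etype, hex(etype))
    ip = off + 2
    if etype != 0x0800:
        return out
    if len(raw) < ip + 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = raw[ip] >> 4, raw[ip] & 0x0F
    hdr_len = ihl * 4  # second nibble times 4: 0x45 -> 20, 0x48 -> 32
    if version != 4 or ihl < 5 or len(raw) < ip + hdr_len:
        raise ValueError("invalid IPv4 version or header length")
    out["ip_header_len"] = hdr_len
    out["ip_options"] = raw[ip + 20:ip + hdr_len].hex()
    out["src_ip"], out["dst_ip"] = (".".join(map(str, raw[ip + i:ip + i + 4])) for i in (12, 16))
    proto = raw[ip + 9]
    (frag,) = struct.unpack_from("!H", raw, ip + 6)
    # Ports exist only for TCP (6) / UDP (17) and only in the first fragment.
    if proto in (6, 17) and frag & 0x1FFF == 0 and len(raw) >= ip + hdr_len + 4:
        sport, dport = struct.unpack_from("!HH", raw, ip + hdr_len)
        out["src_port"], out["dst_port"] = sport, dport
        out["app"] = WELL_KNOWN.get(dport) or WELL_KNOWN.get(sport)
    return out

# Constructed samples: a DNS query, and a VLAN-tagged HTTP reply with 12 option bytes.
DNS_FRAME = "001122334455 66778899aabb 0800 4500001c 00010000 40110000 c0a8010a c0a80101 c0000035 00080000"
HTTP_FRAME = "001122334455 66778899aabb 81000064 0800 48000034 00020000 40060000 c0a80101 c0a8010a 010101010101010101010101 0050c000 00000001 00000002 5012ffff 00000000"
```
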
Old 06-01-2013, 05:35 PM   #3
Baseband Member
 
 
Join Date: Jan 2013
Location: United States
Posts: 81
Re: Hex Trace Anyone?

I really appreciate this, it all makes perfect sense. This stuff is getting fun, we learned how to Subnet and Supernet Friday and are learning how to VLSM next week. Thanks again.
palermo is offline   Reply With Quote
Old 06-02-2013, 01:58 PM   #4
In Runtime
 
Join Date: Feb 2013
Location: UK
Posts: 156
Re: Hex Trace Anyone?

No problem, glad to help.

Now you can help me - this may be a US terminology thing, but what are supernet and VLSM? By 'learned how to subnet' I assume you mean CIDR notation and the ratio of network bits to host bits?
_michaelm is offline   Reply With Quote
Old 06-02-2013, 11:08 PM   #5
Baseband Member
 
 
Join Date: Jan 2013
Location: United States
Posts: 81
Re: Hex Trace Anyone?

Yes. Same thing. VLSM is Variable Length Subnet Masking - this creates different subnets within an IP range (Subnetting a Subnet); VLSM takes not only each individual LAN into account, but also the WAN links connecting them. Supernetting is the opposite of subnetting in that network bits are taken back and utilized as host bits.
palermo is offline   Reply With Quote
Old 06-03-2013, 02:30 PM   #6
In Runtime
 
Join Date: Feb 2013
Location: UK
Posts: 156
Re: Hex Trace Anyone?

Ah ok, all basically the same thing from a different perspective/use-case. Thanks

_michaelm is offline   Reply With Quote
All times are GMT -5. The time now is 07:39 AM.

