10101: Introduction to Network Monitor
By: TheAncient
Dedicated to my beloved and dearly missed girlfriend, may your packets always be acknowledged....
It's Saturday Night, and it's time fooooooooooooor:
Introduction to Network Monitor!!!
In this text I am going to give you a short intro to Network Monitor, a limited version of the "Bloodhound" sniffer found in MS SMS. NM comes with WinNT Server 4.0 for "free". Limited means, in this case, that you can only sniff traffic to and from your own server, plus broadcasts. You really should get the full version, especially for one particular feature: the ability to resubmit sniffed packets to the network....
This text assumes that you are at least familiar with NT, and that you have successfully installed NM. If you are already wondering what the hell I am talking about, RTFM and get a clue, then buy a vowel.
OK then. When you fire up NM, you see the Capture Window (Station Stats). Before you start capturing, go to the Capture menu, choose "Networks" and pick which network to monitor. A modem counts as one network; two NICs add another two. You choose the network to monitor by the MAC address of the adapter connected to it.
Having chosen your network, press play on tape, to be nostalgic. In other words click on the button that looks like a "Play" button to start recording.
Keep an eye on the packet count in the "Captured Statistics" frame; don't let the Frame# count get too high, or you will just get swamped with info.
When you are done recording/capturing, press the "stop" button with the glasses on it to stop capturing and start examining the packets.
To actually get some value out of this you need at least some basic knowledge of protocols and network technologies such as Ethernet.
Let's look at some basic stuff, like the three-way handshake that establishes a TCP session:
Frame 1:
15 26.632 0001903A5480 4C2853000101 TCP ....S., len: 4, seq: 4539267-4539270, ack: 0, win: 8192, src: 1075 dst: 80 Training_1 207.226.241.14 IP
FRAME: Base frame properties
FRAME: Time of capture = Apr 24, 1997 21:29:53.260
FRAME: Time delta from previous physical frame: 0 milliseconds
FRAME: Frame number: 15
FRAME: Total frame length: 58 bytes
FRAME: Capture frame length: 58 bytes
FRAME: Frame data: Number of data bytes remaining = 58 (0x003A)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 4C2853000101
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 0001903A5480
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 58 (0x003A)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 44 (0x002C)
IP: ID = 0xDB04; Proto = TCP; Len: 44
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 44 (0x2C)
IP: Identification = 56068 (0xDB04)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x00EC
IP: Source Address = 192.71.157.162
IP: Destination Address = 207.226.241.14
IP: Data: Number of data bytes remaining = 24 (0x0018)
TCP: ....S., len: 4, seq: 4539267-4539270, ack: 0, win: 8192, src: 1075 dst: 80
TCP: Source Port = 0x0433
TCP: Destination Port = Hypertext Transfer Protocol
TCP: Sequence Number = 4539267 (0x454383)
TCP: Acknowledgement Number = 0 (0x0)
TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x02 : ....S.
TCP: ..0..... = No urgent data
TCP: ...0.... = Acknowledgement field not significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......1. = Synchronize sequence numbers
TCP: .......0 = No Fin
TCP: Window = 8192 (0x2000)
TCP: Checksum = 0x1100
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
TCP: Option Length = 4 (0x4)
TCP: Option Value = 1460 (0x5B4)
00000: 4C 28 53 00 01 01 00 01 90 3A 54 80 08 00 45 00 L(S......:T...E.
00010: 00 2C DB 04 40 00 80 06 00 EC C0 47 9D A2 CF E2 .,..@......G....
00020: F1 0E 04 33 00 50 00 45 43 83 00 00 00 00 60 02 ...3.P.EC.....`.
00030: 20 00 11 00 00 00 02 04 05 B4 .........
Note the FRAME properties: the time and date of capture could come in handy, and you can also see the length of the frame here. At the IP level we find things like the source and destination IP addresses, the TTL, the protocol carried above IP (TCP in this case) and the IP version number.
The TCP level gives us the source and destination ports; here we can see that we are making a connection to the HTTP port, port 80, from port 1075.
Frame 2:
16 26.922 4C2853000101 0001903A5480 TCP .A..S., len: 4, seq:1022017429-1022017432, ack: 4539268, win:31744, src: 80 dst: 1075 207.226.241.14 Training_1 IP
FRAME: Base frame properties
FRAME: Time of capture = Apr 24, 1997 21:29:53.550
FRAME: Time delta from previous physical frame: 290 milliseconds
FRAME: Frame number: 16
FRAME: Total frame length: 58 bytes
FRAME: Capture frame length: 58 bytes
FRAME: Frame data: Number of data bytes remaining = 58 (0x003A)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 0001903A5480
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 4C2853000101
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 58 (0x003A)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 44 (0x002C)
IP: ID = 0x2A17; Proto = TCP; Len: 44
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 44 (0x2C)
IP: Identification = 10775 (0x2A17)
IP: Flags Summary = 0 (0x0)
IP: .......0 = Last fragment in datagram
IP: ......0. = May fragment datagram if necessary
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 55 (0x37)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x3ADA
IP: Source Address = 207.226.241.14
IP: Destination Address = 192.71.157.162
IP: Data: Number of data bytes remaining = 24 (0x0018)
TCP: .A..S., len: 4, seq:1022017429-1022017432, ack: 4539268, win:31744, src: 80 dst: 1075
TCP: Source Port = Hypertext Transfer Protocol
TCP: Destination Port = 0x0433
TCP: Sequence Number = 1022017429 (0x3CEABF95)
TCP: Acknowledgement Number = 4539268 (0x454384)
TCP: Data Offset = 24 (0x18)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x12 : .A..S.
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......1. = Synchronize sequence numbers
TCP: .......0 = No Fin
TCP: Window = 31744 (0x7C00)
TCP: Checksum = 0xB86E
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP: Option Kind (Maximum Segment Size) = 2 (0x2)
TCP: Option Length = 4 (0x4)
TCP: Option Value = 1460 (0x5B4)
00000: 00 01 90 3A 54 80 4C 28 53 00 01 01 08 00 45 00 ...:T.L(S.....E.
00010: 00 2C 2A 17 00 00 37 06 3A DA CF E2 F1 0E C0 47 .,*...7.:......G
00020: 9D A2 00 50 04 33 3C EA BF 95 00 45 43 84 60 12 ...P.3<....EC.`.
00030: 7C 00 B8 6E 00 00 02 04 05 B4 |..n......
This is the response from the server; this time it goes FROM port 80 to port 1075, but otherwise it is not very different from frame 1. Notice, however, that the ack field is now significant, which it was not in frame 1: its value, 4539268, is the client's sequence number from frame 1 plus one, while the server announces its own starting sequence number with the SYN flag set.
Frame 3:
17 26.922 0001903A5480 4C2853000101 TCP .A...., len: 0, seq: 4539268-4539268, ack:1022017430, win: 8760, src: 1075 dst: 80 Training_1 207.226.241.14 IP
FRAME: Base frame properties
FRAME: Time of capture = Apr 24, 1997 21:29:53.550
FRAME: Time delta from previous physical frame: 0 milliseconds
FRAME: Frame number: 17
FRAME: Total frame length: 54 bytes
FRAME: Capture frame length: 54 bytes
FRAME: Frame data: Number of data bytes remaining = 54 (0x0036)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 4C2853000101
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 0001903A5480
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 54 (0x0036)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 40 (0x0028)
IP: ID = 0xDC04; Proto = TCP; Len: 40
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 40 (0x28)
IP: Identification = 56324 (0xDC04)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xFFEF
IP: Source Address = 192.71.157.162
IP: Destination Address = 207.226.241.14
IP: Data: Number of data bytes remaining = 20 (0x0014)
TCP: .A...., len: 0, seq: 4539268-4539268, ack:1022017430, win: 8760, src: 1075 dst: 80
TCP: Source Port = 0x0433
TCP: Destination Port = Hypertext Transfer Protocol
TCP: Sequence Number = 4539268 (0x454384)
TCP: Acknowledgement Number = 1022017430 (0x3CEABF96)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x10 : .A....
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0x29F4
TCP: Urgent Pointer = 0 (0x0)
00000: 4C 28 53 00 01 01 00 01 90 3A 54 80 08 00 45 00 L(S......:T...E.
00010: 00 28 DC 04 40 00 80 06 FF EF C0 47 9D A2 CF E2 .(..@......G....
00020: F1 0E 04 33 00 50 00 45 43 84 3C EA BF 96 50 10 ...3.P.EC.<...P.
00030: 22 38 29 F4 00 00 "8)...
This is basically the ack from the client, and the last packet in the sequence. The session is now established, and we can start transferring commands and data. A typical thing to follow here would be the next frame I am going to show you: a standard HTTP GET request.
Frame 4:
18 26.942 0001903A5480 4C2853000101 TCP .AP..., len: 375, seq: 4539268-4539642, ack:1022017430, win: 8760, src: 1075 dst: 80 Training_1 207.226.241.14 IP
FRAME: Base frame properties
FRAME: Time of capture = Apr 24, 1997 21:29:53.570
FRAME: Time delta from previous physical frame: 20 milliseconds
FRAME: Frame number: 18
FRAME: Total frame length: 429 bytes
FRAME: Capture frame length: 429 bytes
FRAME: Frame data: Number of data bytes remaining = 429 (0x01AD)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 4C2853000101
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 0001903A5480
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 429 (0x01AD)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 415 (0x019F)
IP: ID = 0xDD04; Proto = TCP; Len: 415
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 415 (0x19F)
IP: Identification = 56580 (0xDD04)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xFD78
IP: Source Address = 192.71.157.162
IP: Destination Address = 207.226.241.14
IP: Data: Number of data bytes remaining = 395 (0x018B)
TCP: .AP..., len: 375, seq: 4539268-4539642, ack:1022017430, win: 8760, src: 1075 dst: 80
TCP: Source Port = 0x0433
TCP: Destination Port = Hypertext Transfer Protocol
TCP: Sequence Number = 4539268 (0x454384)
TCP: Acknowledgement Number = 1022017430 (0x3CEABF96)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0x28B9
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 375 (0x0177)
00000: 4C 28 53 00 01 01 00 01 90 3A 54 80 08 00 45 00 L(S......:T...E.
00010: 01 9F DD 04 40 00 80 06 FD 78 C0 47 9D A2 CF E2 ....@....x.G....
00020: F1 0E 04 33 00 50 00 45 43 84 3C EA BF 96 50 18 ...3.P.EC.<...P.
00030: 22 38 28 B9 00 00 47 45 54 20 2F 76 61 2F 64 69 "8(...GET /va/di
00040: 67 69 74 61 6C 64 61 72 6B 6E 65 73 73 2F 20 48 gitaldarkness/ H
00050: 54 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74 3A TTP/1.0..Accept:
00060: 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61 67 image/gif, imag
00070: 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D 61 e/x-xbitmap, ima
00080: 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F 70 ge/jpeg, image/p
00090: 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69 6F jpeg, applicatio
000A0: 6E 2F 6D 73 77 6F 72 64 2C 20 2A 2F 2A 0D 0A 52 n/msword, */*..R
000B0: 65 66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 66 eferer: http://f
000C0: 61 72 61 68 62 61 6B 68 73 68 69 61 6E 2E 63 6F arahbakhshian.co
000D0: 6D 2F 6F 6D 6E 69 2F 6F 6D 6E 69 2E 68 74 6D 6C m/omni/omni.html
000E0: 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 ..Accept-Languag
000F0: 65 3A 20 73 76 2C 20 65 6E 0D 0A 55 41 2D 70 69 e: sv, en..UA-pi
00100: 78 65 6C 73 3A 20 31 30 32 34 78 37 36 38 0D 0A xels: 1024x768..
00110: 55 41 2D 63 6F 6C 6F 72 3A 20 63 6F 6C 6F 72 38 UA-color: color8
00120: 0D 0A 55 41 2D 4F 53 3A 20 57 69 6E 64 6F 77 73 ..UA-OS: Windows
00130: 20 4E 54 0D 0A 55 41 2D 43 50 55 3A 20 78 38 36 NT..UA-CPU: x86
00140: 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F ..User-Agent: Mo
00150: 7A 69 6C 6C 61 2F 32 2E 30 20 28 63 6F 6D 70 61 zilla/2.0 (compa
00160: 74 69 62 6C 65 3B 20 4D 53 49 45 20 33 2E 30 42 tible; MSIE 3.0B
00170: 3B 20 57 69 6E 33 32 29 0D 0A 48 6F 73 74 3A 20 ; Win32)..Host:
00180: 77 77 77 2E 61 6E 67 65 6C 66 69 72 65 2E 63 6F www.angelfire.co
00190: 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B m..Connection: K
001A0: 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A eep-Alive....
Note that, in addition to the general header information, you can also read the data, which is very easy in this case because it all goes over the wire in clear text. I am not going to explain the workings of the HTTP protocol for you; you can very well find that out on your own, you lazy asses!
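As an added example (not part of the original text), here is a Python script that decodes the four frames above from their dumps, re-checks the IP and TCP checksums NM reports, verifies that the three handshake frames chain together by sequence number, and pulls the request line and headers out of the clear-text GET. The frame bytes are typed from the hex column of the dumps above; frame 4's payload is typed from the ASCII column.

```python
import socket
import struct

# Frames 1-3, typed from the hex column of the NM dumps above.
FRAME1 = bytes.fromhex(
    "4C285300 01010001 903A5480 08004500 002CDB04 40008006 00ECC047 9DA2CFE2"
    "F10E0433 00500045 43830000 00006002 20001100 00000204 05B4")
FRAME2 = bytes.fromhex(
    "0001903A 54804C28 53000101 08004500 002C2A17 00003706 3ADACFE2 F10EC047"
    "9DA20050 04333CEA BF950045 43846012 7C00B86E 00000204 05B4")
FRAME3 = bytes.fromhex(
    "4C285300 01010001 903A5480 08004500 0028DC04 40008006 FFEFC047 9DA2CFE2"
    "F10E0433 00500045 43843CEA BF965010 223829F4 0000")
# Frame 4: the 54 header bytes from the hex column, then the 375-byte GET
# request typed from the ASCII column (it is clear text, as the dump shows).
FRAME4 = bytes.fromhex(
    "4C285300 01010001 903A5480 08004500 019FDD04 40008006 FD78C047 9DA2CFE2"
    "F10E0433 00500045 43843CEA BF965018 223828B9 0000") + (
    b"GET /va/digitaldarkness/ HTTP/1.0\r\n"
    b"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
    b"application/msword, */*\r\n"
    b"Referer: http://farahbakhshian.com/omni/omni.html\r\n"
    b"Accept-Language: sv, en\r\nUA-pixels: 1024x768\r\nUA-color: color8\r\n"
    b"UA-OS: Windows NT\r\nUA-CPU: x86\r\n"
    b"User-Agent: Mozilla/2.0 (compatible; MSIE 3.0B; Win32)\r\n"
    b"Host: www.angelfire.com\r\nConnection: Keep-Alive\r\n\r\n")

def rfc1071(data: bytes) -> int:
    """Internet checksum of data; returns 0 when data already holds a correct checksum."""
    if len(data) % 2:                          # odd trailing byte is zero-padded
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                         # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frame(raw: bytes) -> dict:
    """Decode Ethernet II + IPv4 + TCP into the fields NM's detail pane shows."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:   # ETYPE must be IP
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP frames are handled here")
    seg = ip[ihl:total_len]                    # drop any Ethernet padding after the datagram
    (sport, dport, seq, ack, off_flags, win,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", seg[:20])
    doff = (off_flags >> 12) * 4
    flags = {n for n, bit in zip("FSRPAU", range(6)) if off_flags >> bit & 1}
    mss, opts, i = None, seg[20:doff], 0
    while i < len(opts) and opts[i] != 0:      # kind 0 ends the option list
        kind, length = opts[i], 1 if opts[i] == 1 else opts[i + 1]   # kind 1 = NOP
        if kind == 2 and length == 4:          # kind 2 = Maximum Segment Size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    # The TCP checksum also covers a pseudo-header: both addresses, protocol, length.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(seg))
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "win": win, "ttl": ttl, "mss": mss,
            "ip_ok": rfc1071(ip[:ihl]) == 0, "tcp_ok": rfc1071(pseudo + seg) == 0,
            "payload": seg[doff:]}

def check_handshake(syn: dict, synack: dict, ack: dict) -> bool:
    """Flags S, S+A, A on one connection; a SYN consumes a number, so each side acks ISN+1."""
    client = (syn["src"], syn["sport"], syn["dst"], syn["dport"])
    server = (synack["dst"], synack["dport"], synack["src"], synack["sport"])
    third = (ack["src"], ack["sport"], ack["dst"], ack["dport"])
    return (client == server == third
            and syn["flags"] == {"S"} and synack["flags"] == {"S", "A"}
            and ack["flags"] == {"A"}
            and synack["ack"] == syn["seq"] + 1
            and ack["seq"] == syn["seq"] + 1
            and ack["ack"] == synack["seq"] + 1)

def http_request(frame: dict) -> dict:
    """Split a clear-text HTTP request into its request line and a header map."""
    head = frame["payload"].split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    return {"request_line": request_line,
            "headers": dict(line.split(": ", 1) for line in header_lines)}

if __name__ == "__main__":
    frames = [parse_frame(f) for f in (FRAME1, FRAME2, FRAME3, FRAME4)]
    for num, f in zip((15, 16, 17, 18), frames):   # NM's frame numbers
        print(num, f["src"], f["sport"], "->", f["dst"], f["dport"], sorted(f["flags"]),
              "seq", f["seq"], "ack", f["ack"], "ttl", f["ttl"], "mss", f["mss"],
              "ip_ok", f["ip_ok"], "tcp_ok", f["tcp_ok"])
    print("handshake valid:", check_handshake(*frames[:3]))
    print(http_request(frames[3])["request_line"])
```

The printed TTLs are worth a glance too: the client's 128 is the NT default, while the server's 55 is what a stack that started at 64 looks like after about nine router hops.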
That is all I am going to say this time, have fun!