Reading Packet Hex Dumps Manually - No Wireshark!

One of the things I have learned over the years is how useful being able to read a packet hex dump without Wireshark can be. Reading hex dumps, header specifications and converting hex to decimal can be frustrating, but I'll try to break it down into an easy-to-follow tutorial. If you're still interested and/or you are one of my students, read on!

Bits Vs. Bytes

Computers function on the most basic premise of Bits and Bytes. To be able to read a packet dump, you must understand these core terms.

  • A BIT is the most basic value in computing – either 1 or 0
  • A BYTE is 8 BITS

Converting Hexadecimal values to Decimal

If you recall, hexadecimal is an easier way to display information than reading binary: hex digits range over 0-9 and A-F (10-15). In other words, hexadecimal has 16 values, which is much more human friendly!

Example: 0x15A
Reading right to left, each digit is weighted by the next power of 16:
(1*16*16) + (5*16) + (10*1)
= 256 + 80 + 10
= 346 in decimal

Converting Hexadecimal values to Binary

OK, now that you know how to convert hexadecimal to decimal, let's convert hexadecimal to binary, which requires an intermediate step of converting it to decimal and then to binary.

Example: 0x81
Reading right to left
= (8*16) + (1*1)
= 128 + 1
= 129 in decimal

Now remember your powers of two: what is the largest 2^x that fits into 129?
The answer is 2^7 = 128, which leaves 1 = 2^0
129 = 2^7 + 2^0
From right to left, set the bit for each of those powers
= 10000000 + 00000001 (I took a shortcut on the binary addition; if you want to know more, look it up)
= 10000001 in binary

The Anatomy of A Network Transmission

Moving forward - A frame is "the unit of transmission in a link layer protocol, and consists of a link-layer header followed by a packet." In other words, a frame's contents look like:

  1. Ethernet Header (14 bytes in size)
  2. IP Header (usually 20 bytes in size)
  3. Protocol Header (usually ICMP, UDP or TCP)
  4. Payload (optional)

Ethernet Header

The Ethernet header is the first of the potential three headers in the frame. There are other types of headers and protocols, but for the purpose of this tutorial we will focus on Ethernet, IP, TCP, UDP and ICMP. If we ignore the 8 bits that are in the preamble (Wireshark does this too!), then there are just 14 bytes in the header: 6 bytes for the source MAC address, 6 bytes for the destination MAC address and 2 bytes for the Type (this discounts VLAN shimming). If this is an IP packet, the type will be 08 00.

IP Header

The IP header is the second of the potential three headers in the frame.

UDP Header

The UDP header is another potential header of the three in the frame.

TCP Header

The TCP header is another potential header of the three in the frame.

ICMP Header

The ICMP header is another potential header of the three in the frame.

OK, So Now What?

You are probably thinking: okay, I see a bunch of fields, bits and bytes and I have no idea what they mean. Have no fear; this is what you need to do. Start off with this packet hex dump:

Each of those two-character groupings of letters/numbers equals 1 byte. If you look at the highlighted part of the image (this is the packet dump; the other numbers to the left are for reference), then 00 is 1 BYTE! Now remember that 1 byte is 8 bits and that each of these header specifications is 32 bits across.

Now let's look at the same packet dump, but marked up to show where the boundaries are.

Reviewing the Ethernet Header

You can see that 00 is one byte, and the Ethernet header is 14 bytes - WAIT! How is the Ethernet header 14 bytes? This is determined by the protocol specification: if you look back up at the Ethernet header, you can see that it is made up of two 6-byte fields plus another 2-byte type field. In other words, it is telling you that the source MAC address is 54:04:A6:3C:ED:2B, the destination MAC address is 00:15:6D:C4:27:4B, and the Ethertype is 0800, which means that the IP header is next. 0800 is the code for IP.

Reviewing the IP Header

The IP header has a few important fields, but mostly we are just interested in the Protocol and IP address fields. Looking at the diagram, the Protocol field is nine bytes in: count nine bytes and the tenth byte is the one you want. In this case the Protocol field is 06, which is TCP (UDP would be 11 in hex, which is 17 in decimal!). This means that the following header will be a TCP header.

Before we move on to the TCP header, let's calculate the source and destination IP addresses by finding the start of the source IP address - this is at bytes 13-16: C0 A8 02 65, and the destination IP address is at bytes 17-20: C7 3B 96 2A. To convert these bytes into an IP address, you must convert each of the 4 bytes to decimal. In other words:
C0 = 192, A8 = 168, 02 = 2 and 65 = 101. As a result the source IP address is 192.168.2.101.

Reviewing the TCP Header

Great, if you have made it this far you are almost there to having most of the basics for figuring out what kind of TCP packet this is! Again, from the TCP diagram above, we know that without any padding or extra proprietary data the TCP header is 20 bytes long. If you didn't know what headers had come before this one, you could guesstimate by the number of bytes and work your way towards the likely header specification.

From the specification, we know that the first 2 bytes are the Source Port and the following 2 bytes are the Destination Port - to get these values just convert the hexadecimal to decimal.

Unfortunately, getting the TCP flags requires a bit more leg work. From the start of the TCP header, count 13 bytes; the 14th byte is the flags field. Here the two bytes containing the flags read 50 11 in hex. Okay, so let's convert the hexadecimal to binary so we can find out which bits have been set - each flag is one bit.

0x5011 is equal to 01010000 00010001

We aren't concerned with the first byte (8 bits), so looking at the last byte we can see that the 4th and 8th bits are set, which are ACK and FIN respectively.
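The whole walk above (Ethernet, then IP, then TCP) as an added example in Python; this is not code from the original post. The frame is constructed: the bytes the post actually gives (both MAC addresses, the 08 00 Ethertype, the 0x45 version/IHL byte, protocol 06, both IP addresses and the 50 11 flag bytes) are kept, and every other byte is filler I made up to complete the headers. It goes one step beyond the text by honouring the IHL nibble described in the comments, so it also works on IP headers carrying options.

```python
# Added example, not code from the original post: walk the frame the way the
# tutorial does. Bytes the post gives (both MACs, Ethertype 08 00, the 0x45
# version/IHL byte, protocol 06, both IP addresses, flags bytes 50 11) are
# real; every other byte below is constructed filler so the frame is complete.
FRAME_HEX = (
    "00 15 6D C4 27 4B 54 04 A6 3C ED 2B 08 00"                      # Ethernet: dst, src, type
    " 45 00 00 28 1A 2B 40 00 40 06 00 00 C0 A8 02 65 C7 3B 96 2A"   # IPv4 (len/id/TTL/cksum constructed)
    " C0 5E 00 50 00 00 00 01 00 00 00 02 50 11 FF FF 00 00 00 00"   # TCP (ports/seq/ack/window constructed)
)
TCP_FLAG_NAMES = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]  # bit 7 down to bit 0

def hex_to_int(digits: str) -> int:
    """Positional conversion exactly as in the tutorial: 0x15A = 1*16*16 + 5*16 + 10 = 346."""
    value = 0
    for d in digits:
        value = value * 16 + "0123456789ABCDEF".index(d.upper())
    return value

def parse_frame(hex_dump: str) -> dict:
    """Split Ethernet / IPv4 / TCP headers and decode the fields the tutorial walks through."""
    b = [hex_to_int(pair) for pair in hex_dump.split()]  # each two-digit group is one byte
    if len(b) < 34 or (b[12], b[13]) != (0x08, 0x00):
        raise ValueError("not an IPv4 frame (Ethertype must be 08 00)")
    ip = b[14:]
    ihl = (ip[0] & 0x0F) * 4                # low nibble = header length in 32-bit words
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 version or header length")
    out = {
        "dst_mac": ":".join(f"{x:02X}" for x in b[0:6]),     # destination MAC comes first on the wire
        "src_mac": ":".join(f"{x:02X}" for x in b[6:12]),
        "protocol": ip[9],                                   # 06 = TCP, 11 = UDP, 01 = ICMP (hex)
        "src_ip": ".".join(str(x) for x in ip[12:16]),
        "dst_ip": ".".join(str(x) for x in ip[16:20]),
    }
    if ip[9] == 6:
        tcp = ip[ihl:]
        if len(tcp) < 20:
            raise ValueError("truncated TCP header")
        out["src_port"] = tcp[0] * 256 + tcp[1]              # 16-bit fields: high byte * 256 + low byte
        out["dst_port"] = tcp[2] * 256 + tcp[3]
        out["flags_bits"] = f"{tcp[12]:08b} {tcp[13]:08b}"   # 0x5011 -> 01010000 00010001
        out["flags"] = [name for i, name in enumerate(TCP_FLAG_NAMES) if tcp[13] & (1 << (7 - i))]
    return out

if __name__ == "__main__":
    for field, value in parse_frame(FRAME_HEX).items():
        print(f"{field:>10}: {value}")
```

Running it prints the fields the text derives by hand (source MAC 54:04:A6:3C:ED:2B, source IP 192.168.2.101, flags ACK and FIN); the port numbers are the constructed filler, not values from the post.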

Congratulations! You now hopefully understand the process required to read a hex dump of almost any packet (that follows standards). This can be a very useful skill for security professionals and developers alike! For a complete packet with translation, see this Wireshark screenshot.

References

Information liberally borrowed and compiled from:

http://www.sans.org/security-resources/tcpip.pdf

Comments

Thanks

Wonderful explanation, thanks a lot

Hi, "[...] other words, it is telling you that: the source MAC address is 00:15:6D:C4:27:4B, the destination MAC address is 54:04:A6:3C:ED:EB, and the Ether-type is 0800 which means that the IP Header is next. 0800 is the code for IP." According to the picture, the Ethernet header first specifies the destination MAC address and then the destination MAC address. Your explanation is the other way around. So, correct would be: "... the source MAC address is 54:04:A6:3C:ED:EB, the destination MAC address is 00:15:6D:C4:27:4B, ..." Or am I mistaken? Thanks for the great explanation though! Martijn

@Martijn, I think you caught the mistake, but you made a mistake too when commenting. Do you think you described it correctly?

For TCP, it should be: the first 2 bytes are the source port, followed by the next 2 bytes, which should be the destination port, since the TCP protocol defines the source and destination to be 16 bits each. You have it explained as 4 bytes each for the source and destination. But awesome explanation.
Reply from admin:

Great catch - it should reflect the changes once the site cache updates.

[Ethernet Header:] 6 bytes for the source MAC address, 6 bytes for the destination MAC address and 4 bytes for the Type. If this is an IP packet, the type will be 08 00. The Ethertype is only 2 Bytes long, not 4 Bytes.

Nice one, Sir. I was not at all understanding before I went through your documentation. Now I can easily decipher what is what in the data frame. :)

Nice work :)

Hi, I have a question. Is the first byte in the IP header the total length of the packet (45 in this example)?
Reply from admin:

No, the first byte of the IP header (byte 0) contains two items of information: the first nibble is the version number; in IPv4, this value is 0x4. The second nibble in an IPv4 packet is the number of 32-bit (4-byte) words in the IP header; the standard IPv4 header is 20 bytes in length, so this value is 0x5.

I really don't get this diagram: https://www.pacificsimplicity.ca/sites/default/files/uploads/ethernet_hdr_0.png The dest is 6 bytes, the src is 6 bytes and the type is 2 bytes. 1.) What are the 01 02 03 04 05 06 07 08 09 10....numbers across the top? 2.) If dest and src are both 6 bytes, how can their shaded/colored part be different? The diagram makes it seems as though the "type" is part of the src address if the src is 6 and is only shaded for 4 bytes according to the diagram. All that said, is this diagram a good representation of the Ethernet header? Do you have a diagram that is less confusing or more accurate? Thanks!

Thanks, very useful information. There are some online tools that also do the trick. http://packetor.com is one of them.

Don't know if this is a typo. In the "Reviewing the Ethernet Header" section, it says "it is telling you that: the source MAC address is 54:04:A6:3C:ED:EB,". But I'm reading 2B from the screenshot, right before the 08 00 bytes for the Ethertype. So the source MAC address should be 54:04:A6:3C:ED:2B.

Thanks so much, had to learn for a course and they don't explain anything. This is a life saver

This was absolutely wonderful. Thank you for this article. I understand so much more about binary and networking than I ever have before. This article helped me piece so many unknown rules in networking together and make sense of it all. Thank you!
Reply from admin:

Thanks! Nice to hear a comment such as yours. That's why I write these posts :)

Awesome, This is invaluable for me when I take my GSEC test next week which asks around 5 of these exact questions without wireshark at my disposal!!

There is a minor typo in the "Converting Hexadecimal values to Binary" section. You state "...Hex values ranges between 0-9 and A-F (0-15)...". It should be "A-F (10-15)"
