One of the things I have learned over the years is how useful it can be to read a hex dump of a packet without Wireshark. Reading hex dumps and header specifications and converting hex to decimal can be frustrating, but I'll try to break it down into an easy-to-follow tutorial. If you're still interested and/or you are one of my students, read on!
Bits Vs. Bytes
Computers function on the most basic premise of Bits and Bytes. To be able to read a packet dump, you must understand these core terms.
- A BIT is the most basic value in computing – either 1 or 0
- A BYTE is 8 BITS
Converting Hexadecimal values to Decimal
If you recall: hexadecimal is an easier way to display information than reading binary. Hex digits range between 0-9 and A-F (10-15). In other words, hexadecimal has 16 values, which is much more human friendly!
Reading right to left
256 + 80 + 10
= 346 in decimal
Converting Hexadecimal values to Binary
OK, now that you know how to convert hexadecimal to decimal, let's convert hexadecimal to binary. This requires an intermediate step: convert the hex value to decimal first, then convert the decimal value to binary.
Reading right to left
=128 + 1
= 129 in decimal
Now remember your powers of two - what 2^x fits into 129?
The answer: 2^7 is 128, which leaves 1, and 1 is 2^0.
= 2^7 + 2^0
From right to left
= 10000000 + 00000001 (I cheated a bit on the binary addition, but if you want to know more, look it up)
= 10000001 in binary
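As an added example (my own code, not from the original tutorial), the following Python performs the two conversions above by hand, the same way the text does them: each hex digit is weighted by a power of 16 reading right to left, and the resulting decimal number is then decomposed into powers of two to produce the bits. The worked values are the ones from the text: 256 + 80 + 10 = 346 is the hex value 15A (1×256 + 5×16 + 10×1), and 128 + 1 = 129 is the hex value 81. The 50 11 flag bytes used at the end come from the TCP section later in the tutorial.

```python
# Added example: manual hex -> decimal -> binary conversion, mirroring the
# "reading right to left" and "which 2^x fits?" steps in the tutorial.

HEX_DIGITS = "0123456789ABCDEF"


def hex_to_decimal(hex_str: str) -> int:
    """Weight each hex digit by a power of 16, reading right to left.

    The rightmost digit is worth 16**0, the next 16**1, then 16**2, and so on.
    """
    total = 0
    for position, digit in enumerate(reversed(hex_str.upper())):
        value = HEX_DIGITS.index(digit)     # 'A' -> 10 ... 'F' -> 15
        total += value * (16 ** position)
    return total


def decimal_to_binary(value: int, width: int = 8) -> str:
    """Decompose a decimal number into powers of two, largest first.

    For each column from 2**(width-1) down to 2**0: if that power fits into
    what is left, write a 1 and subtract it, otherwise write a 0.
    """
    bits = []
    for exponent in range(width - 1, -1, -1):
        if value >= 2 ** exponent:
            bits.append("1")
            value -= 2 ** exponent
        else:
            bits.append("0")
    if value != 0:
        raise ValueError(f"value does not fit in {width} bits")
    return "".join(bits)


def hex_to_binary(hex_str: str) -> str:
    """Hex -> decimal -> binary, one 8-bit group per byte, separated by spaces."""
    hex_str = hex_str.replace(" ", "").upper()
    if len(hex_str) % 2:                    # left-pad an odd digit count, e.g. "15A"
        hex_str = "0" + hex_str
    byte_groups = [hex_str[i:i + 2] for i in range(0, len(hex_str), 2)]
    return " ".join(decimal_to_binary(hex_to_decimal(group)) for group in byte_groups)


if __name__ == "__main__":
    print(hex_to_decimal("15A"))    # 346: the 256 + 80 + 10 example
    print(hex_to_decimal("81"))     # 129: the 128 + 1 example
    print(hex_to_binary("81"))      # 10000001
    print(hex_to_binary("50 11"))   # 01010000 00010001, the TCP flag bytes
```

`hex_to_binary` pads an odd number of digits with a leading zero so that every output group is a full byte, which is the grouping you need when lining the bits up against a header diagram.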
The Anatomy of A Network Transmission
Moving forward, a frame is made up of:
- Ethernet Header (is 14 bytes in size)
- IP Header (usually present, and 20 bytes in size)
- Protocol Header (usually ICMP, UDP or TCP)
The Ethernet header is the first header of the potential three in the frame - there are other types of headers or protocols, but for the purpose of this tutorial we will just focus on Ethernet, IP, TCP, UDP and ICMP. If we ignore the 8 bits that are in the preamble (Wireshark does this too!), then there are just 14 bytes in the header. 6 bytes for the source MAC address, 6 bytes for the destination MAC address and 2 bytes for the Type (this discounts VLAN shimming). If this is an IP packet, the type will be 08 00.
The IP header is the second header of the potential three in the frame.
The UDP header is one of the possible third headers in the frame.
The TCP header is another of the possible third headers in the frame.
The ICMP header is another of the possible third headers in the frame.
OK So Now What?
You are probably thinking, okay, I see a bunch of fields, bits and bytes and I have no idea what they mean... Have no fear; this is what you need to do. Start off with this packet hex dump:
Each of those double groupings of letters/numbers equals 1 byte. If you look at the highlighted part of the image (this is the packet dump; the other numbers to the left are for reference), then 00 is 1 BYTE! Remember that 1 byte is 8 bits and that each of these header specifications is 32 bits across.
Now let's look at the same packet dump, but marked up to show where the boundaries are.
Reviewing the Ethernet Header
You can see that 00 is one byte, and the Ethernet header is 14 bytes - WAIT! How is the Ethernet header 14 bytes??? This is determined by the protocol specification - so if you look back up at the Ethernet header, you can see that it is made up of two 6-byte fields plus another 2-byte type field. In other words, it is telling you that: the source MAC address is 54:04:A6:3C:ED:2B, the destination MAC address is 00:15:6D:C4:27:4B, and the EtherType is 0800, which means that the IP header is next. 0800 is the code for IP.
Reviewing the IP Header
The IP header has a few important fields, but mostly we are just interested in the protocol and IP address fields. From looking at the diagram, we can see that the Protocol field is the 10th byte of the IP header: count 9 bytes in and the next one is it. In this case the protocol field is 06, which is TCP (UDP is 11 in hex, which is 17 in decimal!). This means that the following header will be a TCP header.
Before we move on to the TCP header, let's calculate the source and destination IP addresses. The source IP address starts at byte 13 of the IP header, so it occupies bytes 13-16: C0 A8 02 65, and the destination IP address occupies bytes 17-20: C7 3B 96 2A. To convert these bytes into an IP address, you must convert each of the 4 bytes to decimal. In other words:
C0 = 192, A8 = 168, 02 = 2 and 65 = 101. As a result, the source IP address is 192.168.2.101.
Reviewing the TCP Header
Great, if you have made it this far you're almost there to having most of the basics of figuring out what kind of TCP packet this is! Again, from the TCP diagram above, we know that without any padding or extra proprietary data, the TCP header is 20 bytes long. If you didn't know which headers had come before this one, you could guesstimate from the number of bytes and work your way towards the matching header specification.
From the specification, we know that the first 2 bytes are the Source Port, and the following 2 bytes are the Destination Port - to get these values just convert the hexadecimal to decimal.
Unfortunately, getting the TCP flags requires a bit more legwork. From the start of the TCP header, count 13 bytes; the 14th byte is the flags field! In the dump those two bytes are 50 11. OK, so let's convert the hexadecimal to binary so we can find out which bits have been set - each flag is one bit.
0x5011 is equal to 01010000 00010001
We aren't concerned with the first byte (8 bits), so looking at the last byte we can see that the 4th and 8th bits are set, which are ACK and FIN respectively.
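Putting the Ethernet, IP and TCP steps above together, here is an added example (my own code, not from the original tutorial) that parses a frame the way the walk-through does: the 14-byte Ethernet header, then an IP header whose length is taken from the IHL nibble, then the transport header chosen by the Protocol byte. The constructed frame reuses the values the tutorial reads off its dump (the two MAC addresses, EtherType 0800, protocol 06, the two IP addresses and the 50 11 bytes); every other byte, ports and checksums included, is a placeholder I made up, and the checksums are not verified. It goes slightly beyond the text by also reading UDP and ICMP headers, which the tutorial lists but does not walk through, and by honouring IHL instead of assuming a 20-byte IP header. Note that IEEE 802.3 places the destination MAC in the first six bytes of the frame, which is the order the dump's values follow (the bytes starting 00 15 ... are the destination).

```python
import struct

# Constructed sample frame (added example, not the tutorial's own dump).
# MAC addresses, EtherType, IP protocol, IP addresses and the TCP flag bytes
# are the values the tutorial reads from its hex dump; every other byte
# (IP id/TTL/checksum, TCP ports, sequence numbers, window, checksum) is a
# made-up placeholder. Checksums are not verified by this parser.
SAMPLE_FRAME = bytes.fromhex(
    "00156DC4274B"      # Ethernet: destination MAC (first 6 bytes per IEEE 802.3)
    "5404A63CED2B"      # Ethernet: source MAC (next 6 bytes)
    "0800"              # Ethernet: EtherType 0x0800 = IPv4
    "45000028"          # IP: version 4 / IHL 5 (20 bytes), TOS, total length 40
    "00004000"          # IP: identification, flags (DF) / fragment offset (constructed)
    "4006"              # IP: TTL 64 (constructed), protocol 6 = TCP (the "10th byte")
    "0000"              # IP: header checksum (placeholder)
    "C0A80265"          # IP: source 192.168.2.101 (bytes 13-16)
    "C73B962A"          # IP: destination 199.59.150.42 (bytes 17-20)
    "D43101BB"          # TCP: source port 54321, destination port 443 (constructed)
    "00000001"          # TCP: sequence number (constructed)
    "00000001"          # TCP: acknowledgement number (constructed)
    "5011"              # TCP: data offset 5 (20 bytes) + flags 0x11 = ACK, FIN
    "0400"              # TCP: window 1024 (constructed)
    "0000"              # TCP: checksum (placeholder)
    "0000"              # TCP: urgent pointer
)

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Flag bits of the 14th TCP byte, least significant bit first
TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
             ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def fmt_ipv4(raw: bytes) -> str:
    # each byte converted to decimal and joined with dots, as in the tutorial
    return ".".join(str(b) for b in raw)


def decode_tcp_flags(flag_byte: int) -> list:
    return [name for name, bit in TCP_FLAGS if flag_byte & bit]


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IP -> transport header and return the fields read."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": fmt_mac(dst_mac), "src_mac": fmt_mac(src_mac),
           "ethertype": f"{ethertype:04X}"}
    if ethertype != 0x0800:
        return out                      # not IPv4: stop at the Ethernet header

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IP header")
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes; 5 words -> 20
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IHL")
    proto = ip[9]                       # 9 bytes in, the 10th byte is Protocol
    out.update({"ip_version": ip[0] >> 4, "ip_header_len": ihl, "ttl": ip[8],
                "protocol": IP_PROTOCOLS.get(proto, str(proto)),
                "src_ip": fmt_ipv4(ip[12:16]), "dst_ip": fmt_ipv4(ip[16:20])})

    l4 = ip[ihl:]                       # transport header starts after IHL bytes
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        out.update({"src_port": sport, "dst_port": dport,
                    "tcp_header_len": (l4[12] >> 4) * 4,   # upper nibble of byte 13
                    "flags": decode_tcp_flags(l4[13])})    # byte 14 holds the flags
    elif proto == 17 and len(l4) >= 8:
        sport, dport, length = struct.unpack("!HHH", l4[:6])
        out.update({"src_port": sport, "dst_port": dport, "udp_length": length})
    elif proto == 1 and len(l4) >= 4:
        out.update({"icmp_type": l4[0], "icmp_code": l4[1]})
    return out


if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{key:>15}: {value}")
```

The one point worth noticing beyond the tutorial's walk-through is the byte before the flags: its upper nibble is the TCP data offset, so 50 means a 20-byte TCP header with no options. Reading it, and the IP IHL nibble, is what lets the parser find the right offsets when options are present instead of assuming fixed 20-byte headers.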
Congratulations! You now hopefully understand the process required to read a hex dump of almost any packet (that follows the standards). This can be a very useful skill for security professionals and developers alike! For a complete packet with translation, see this Wireshark screenshot.
Information liberally borrowed and compiled from: