Packet Sniffing

A packet sniffer captures packets from the Ethernet bus. To do so, the network interface card (NIC) is placed in a mode called promiscuous mode, in which the NIC passes up all traffic it sees on the wire and not just the traffic addressed to itself. Normally, the NIC ignores all traffic except for packets addressed to itself, multicasts and broadcast packets.

In the old days, you had to manually "take apart" the packet from the captured hexadecimal digits. Now there are excellent free, open source packet capture applications that do it for you. The best known one, and the one that I use, is called Wireshark; it is highly recommended as there are versions for both Windows and Unix.

The following captured packet is displayed in raw format: the bytes of the frame as hexadecimal numbers, 16 bytes (32 hex digits) to a row.

FF  FF  FF  FF  FF  FF  00  20  AF  10  9A  C0  00  25  E0  E0
03  FF  FF  00  22  00  11  00  00  00  00  FF  FF  FF  FF  FF
FF  04  52  00  00  00  00  00  20  AF  10  9A  C0  40  0B  00
01  00  04  00  00  00  00  00  00  00  00  00

Raw Captured Packet

Raw captured packets do not display the Preamble, Start Frame Delimiter and the Frame Check Sequence fields. These fields are used to inform the receiving station of a new frame and for error checking.

The breakdown of the packet according to the Ethernet MAC frame is as follows:

 Bytes           Value (hex)         Field
  1st 6 bytes     FF-FF-FF-FF-FF-FF   Destination MAC address
  2nd 6 bytes     00-20-AF-10-9A-C0   Source MAC address
  Next 2 bytes    0025                Length/Type field - IEEE 802.3 frame
  Next 37 bytes   (see below)         Data
  Last 9 bytes    all 00s             Pad

The length of the data in the Info field is 0025h (37 bytes). The minimum Info field size is 46 bytes, so the data is padded with 9 bytes of 00h.

The Length/Type field value is less than 05DCh (1500 in decimal), which indicates that it is an Ethernet_802.2 frame (IEEE 802.3) with a Logical Link Control layer (covered later) between the MAC layer and the Network layer.

If the value were 0800h, it would indicate an Ethernet_II frame used for TCP/IP.

If it were 8137h, it would indicate an Ethernet_802.3 (raw) frame used by pre-3.12 Netware.

The complete listing of the Length/Type field assignments is covered on the Ethernet Type Field page.

Looking at the MAC block diagram, the data from the Info field is shown broken down (or rather up) into the higher layers: the Logical Link Control layer, the Network layer and the Transport layer. Note: a thorough knowledge of each of the layers, and quite a few handy reference books, are required in order to determine exactly what is happening. The remaining layers are examined here as an example only.

NOTE: A modern packet sniffer will break down the raw packet's fields for you.

LLC Layer

The first 3 bytes of the data in the Ethernet frame's Info field are the header of the Logical Link Control layer (LLC, IEEE 802.2).

 1st byte: E0 Destination Service Access Port (DSAP)
 2nd byte: E0 Source Service Access Port (SSAP)
 3rd byte: 03 Control code

E0h indicates a Novell Netware stack (source) talking to a Novell Netware stack (destination). The 03h is the LLC layer's handshaking (control) code. The size of the LLC's Data field is 34 bytes.

Network Layer

The data of the LLC layer becomes the header and data of the layer above it, the Network layer. In this case it is an IPX PDU (Protocol Data Unit), which is indicated by the first 2 bytes being FFFFh, the IPX checksum.

 Bytes           Value (hex)     Field
  1st 2 bytes     FFFF            IPX Checksum (always FFFFh; the FCS does the error checking)
  Next 2 bytes    0022            IPX PDU length, allowable range 001Eh (30) to 0240h (576)
  Next byte       00              Transport control field - hop count, allowed 00 to 0Fh (15)
  Next byte       11              Packet Type; 11h (17) is Netware Core Protocol (NCP)
  Next 4 bytes    00000000        Destination network address; all 0s indicate the local network
                                  (segment number from the server's autoexec.ncf file)
  Next 6 bytes    FFFFFFFFFFFF    Destination host address (same as destination MAC address)
  Next 2 bytes    0452            Destination socket, Service Advertising Protocol
  Next 4 bytes    00000000        Source network address (all 0s indicate the local network)
  Next 6 bytes    0020AF109AC0    Source host address (same as source MAC address)
  Next 2 bytes    400B            Source socket (arbitrarily assigned starting at 4000h)
  Last 4 bytes    00010004        Data

The following tables describe the field values for the IPX PDU's Packet Type and Socket Number fields:

 Packet Type   Field Value   Purpose
  NLSP          00h           Netware Link Services Protocol
  RIP           01h           Routing Information Protocol
  SAP           04h           Service Advertising Protocol
  SPX           05h           Sequenced Packet Exchange
  NCP           11h           Netware Core Protocol
  NetBIOS       14h           NetBIOS and other propagated packets

IPX Packet Type Field

Netware Socket Numbers and Processes

 Socket Number   Process
  451h            Netware Core Protocol (NCP)
  452h            Service Advertising Protocol (SAP)
  453h            Routing Information Protocol (RIP)
  455h            Novell NetBIOS
  456h            Diagnostics
  9001h           Netware Link Services Protocol (NLSP)
  9004h           IPXWAN Protocol

Transport Layer

The Network layer's Data field becomes the Transport layer's PDU. In this case it is only 4 bytes long.

 1st 2 bytes:   0001   Packet type (Standard Server Request)
 Next 2 bytes:  0004   Service type (file server)

The following tables describe the values of the Service Advertising Protocol's Packet Type and Service Type fields:

 Field Value (hex) Packet Type
  01  Standard Server Request
  02  Standard Server Reply
  03  Nearest Server Request
  04  Nearest Server Reply

SAP Packet Types

 Field Value (hex) Service Type
  0000  Unknown
  0003  Print Queue
  0004  File Server
  0005  Job Server
  0007  Print Server
  0009  Archive Server
  0024  Remote Bridge Server
  0047  Advertising Print Server
  up to 8000  All other values up to 8000h are reserved
  FFFF  Wildcard
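The whole walk-through above (MAC frame, then LLC, then IPX, then the SAP request) can be carried out in code. The following is an added example written for this page, not the page's own code and not a NetWare or Wireshark dissector: it feeds the 60 raw bytes shown above through one parser per layer, making the same decisions the text makes (Length/Type at or below 05DCh means an IEEE 802.3 length field, otherwise an Ethernet_II type; the 46-byte minimum Info field explains the pad; DSAP/SSAP E0h means Novell; the IPX checksum, length range and hop count are range-checked rather than assumed). The table values come from the page; the function names, the dict keys and the "problems" list are this example's own conventions, and it goes slightly beyond the text by classifying any Length/Type value, not only 0025h.

```python
"""Layer-by-layer dissection of the raw IEEE 802.3 / LLC / IPX / SAP frame.

Added example for this page (not the page's or any vendor's dissector).
"""
import struct

# The 60 captured bytes from the page. Preamble, SFD and FCS are absent from a
# raw capture, as the text notes.
RAW_FRAME = bytes.fromhex("""
    FF FF FF FF FF FF 00 20 AF 10 9A C0 00 25 E0 E0
    03 FF FF 00 22 00 11 00 00 00 00 FF FF FF FF FF
    FF 04 52 00 00 00 00 00 20 AF 10 9A C0 40 0B 00
    01 00 04 00 00 00 00 00 00 00 00 00
""")

MAC_HEADER_LEN = 14       # dst MAC (6) + src MAC (6) + Length/Type (2)
MIN_INFO_FIELD = 46       # shorter data is padded with 00h up to this size
MAX_8023_LENGTH = 0x05DC  # 1500: Length/Type values up to here are lengths
ETHERTYPES = {0x0800: "Ethernet_II (TCP/IP)", 0x8137: "Novell Netware (8137h)"}
LLC_HEADER_LEN = 3
IPX_HEADER_LEN = 30
IPX_MIN_LEN, IPX_MAX_LEN = 0x001E, 0x0240   # 30 .. 576 bytes
IPX_MAX_HOPS = 0x0F

IPX_PACKET_TYPES = {0x00: "NLSP", 0x01: "RIP", 0x04: "SAP", 0x05: "SPX",
                    0x11: "NCP", 0x14: "NetBIOS"}
IPX_SOCKETS = {0x0451: "NCP", 0x0452: "SAP", 0x0453: "RIP", 0x0455: "Novell NetBIOS",
               0x0456: "Diagnostics", 0x9001: "NLSP", 0x9004: "IPXWAN"}
SAP_PACKET_TYPES = {1: "Standard Server Request", 2: "Standard Server Reply",
                    3: "Nearest Server Request", 4: "Nearest Server Reply"}
SAP_SERVICE_TYPES = {0x0000: "Unknown", 0x0003: "Print Queue", 0x0004: "File Server",
                     0x0005: "Job Server", 0x0007: "Print Server",
                     0x0009: "Archive Server", 0x0024: "Remote Bridge Server",
                     0x0047: "Advertising Print Server", 0xFFFF: "Wildcard"}


def fmt_mac(raw: bytes) -> str:
    """Render 6 bytes as FF-FF-FF-FF-FF-FF, the notation used on the page."""
    return "-".join(f"{b:02X}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split the MAC frame and decide length vs. type from the 2-byte field."""
    if len(frame) < MAC_HEADER_LEN:
        raise ValueError(f"frame of {len(frame)} bytes is shorter than the MAC header")
    dst, src = frame[:6], frame[6:12]
    (length_type,) = struct.unpack("!H", frame[12:14])
    info = frame[MAC_HEADER_LEN:]
    if length_type <= MAX_8023_LENGTH:
        # IEEE 802.3: the field is the Data length; the rest of the Info field is pad.
        if length_type > len(info):
            raise ValueError("Length field claims more data than was captured")
        kind, data, pad = "IEEE 802.3 (LLC follows)", info[:length_type], info[length_type:]
    else:
        kind = ETHERTYPES.get(length_type, f"Ethernet_II type {length_type:04X}h")
        data, pad = info, b""
    return {"dst": fmt_mac(dst), "src": fmt_mac(src), "broadcast": dst == b"\xff" * 6,
            "length_type": length_type, "frame_kind": kind, "data": data,
            "pad_bytes": len(pad), "is_runt": len(info) < MIN_INFO_FIELD}


def parse_llc(data: bytes) -> dict:
    """IEEE 802.2 header: DSAP, SSAP, control; E0h/E0h is the Novell stack."""
    if len(data) < LLC_HEADER_LEN:
        raise ValueError("Info field too short for an LLC header")
    dsap, ssap, control = data[:LLC_HEADER_LEN]
    return {"dsap": dsap, "ssap": ssap, "control": control,
            "novell": dsap == 0xE0 and ssap == 0xE0, "data": data[LLC_HEADER_LEN:]}


def parse_ipx(pdu: bytes) -> dict:
    """30-byte IPX header; range-check the fields the page gives limits for."""
    if len(pdu) < IPX_HEADER_LEN:
        raise ValueError("IPX PDU shorter than its 30-byte header")
    (checksum, length, hops, ptype, dst_net, dst_host, dst_sock,
     src_net, src_host, src_sock) = struct.unpack("!HHBB4s6sH4s6sH", pdu[:IPX_HEADER_LEN])
    problems = []
    if checksum != 0xFFFF:
        problems.append(f"checksum {checksum:04X}h is not FFFFh")
    if not IPX_MIN_LEN <= length <= IPX_MAX_LEN or length > len(pdu):
        problems.append(f"length {length} outside 30..576 or longer than the PDU")
    if hops > IPX_MAX_HOPS:
        problems.append(f"hop count {hops} exceeds 15")
    return {"checksum": checksum, "length": length, "hops": hops,
            "packet_type": ptype, "packet_type_name": IPX_PACKET_TYPES.get(ptype, "unknown"),
            "dst_net": dst_net.hex().upper(), "dst_host": fmt_mac(dst_host),
            "dst_socket": dst_sock, "dst_socket_name": IPX_SOCKETS.get(dst_sock, "dynamic/other"),
            "src_net": src_net.hex().upper(), "src_host": fmt_mac(src_host),
            "src_socket": src_sock, "src_socket_name": IPX_SOCKETS.get(src_sock, "dynamic/other"),
            "local_network": dst_net == b"\x00" * 4, "problems": problems,
            "data": pdu[IPX_HEADER_LEN:min(length, len(pdu))]}


def parse_sap(data: bytes) -> dict:
    """SAP PDU: 2-byte packet type followed by 2-byte service type."""
    if len(data) < 4:
        raise ValueError("SAP PDU needs at least 4 bytes")
    ptype, stype = struct.unpack("!HH", data[:4])
    return {"packet_type": ptype, "packet_type_name": SAP_PACKET_TYPES.get(ptype, "unknown"),
            "service_type": stype, "service_type_name": SAP_SERVICE_TYPES.get(stype, "reserved")}


def dissect(frame: bytes = RAW_FRAME) -> dict:
    """Chain the layer parsers, descending only where the lower layer says to."""
    eth = parse_ethernet(frame)
    result = {"ethernet": eth}
    if eth["frame_kind"].startswith("IEEE 802.3"):
        llc = parse_llc(eth["data"])
        result["llc"] = llc
        if llc["novell"]:
            ipx = parse_ipx(llc["data"])
            result["ipx"] = ipx
            if ipx["dst_socket"] == 0x0452:   # SAP socket, as in the page's packet
                result["sap"] = parse_sap(ipx["data"])
    return result


if __name__ == "__main__":
    d = dissect()
    e, i, s = d["ethernet"], d["ipx"], d["sap"]
    print(f"{e['src']} -> {e['dst']} {e['frame_kind']}, data {e['length_type']} bytes, pad {e['pad_bytes']}")
    print(f"IPX {i['packet_type_name']} net {i['src_net']} socket {i['src_socket']:04X}h -> "
          f"net {i['dst_net']} socket {i['dst_socket']:04X}h ({i['dst_socket_name']}), hops {i['hops']}")
    print(f"SAP {s['packet_type_name']} for service type {s['service_type_name']}")
```

Running it prints the same conclusions the page reaches by hand: a 37-byte IEEE 802.3 Data field with 9 pad bytes, an LLC header of E0/E0/03, a 34-byte IPX PDU from socket 400Bh to the SAP socket 0452h with zero hops, and a Standard Server Request for a File Server. The "problems" list stays empty for this frame; a sniffer that finds a non-FFFFh checksum, a length outside 30..576 or a hop count above 15 has either a malformed packet or a capture that was truncated, which is worth flagging before trusting anything decoded above that layer.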

Example Packet Sniffing Summary

This packet is commonly called a Standard Server Request. It is broadcast (destination FF-FF-FF-FF-FF-FF) on the local network (00-00-00-00) from a Novell Netware client that is looking for a file server to log in to. A server would respond with a Service Advertising Protocol PDU listing its services.

This is the packet broken down graphically; it is easier to see what is happening.


Copyright July 2013 Eugene Blanchard