A packet sniffer captures packets from the Ethernet bus. To do so, the network interface card (NIC) is put into a mode called promiscuous mode, in which the NIC passes up all traffic it sees on the wire and not just the traffic addressed to itself. Normally, the NIC ignores all traffic except for packets addressed to its own MAC address, multicast packets it has subscribed to and broadcast packets. (On a switched network the NIC only sees the frames the switch forwards to its port, so a hub or a switch mirror port is needed to see other stations' unicast traffic.)
In the old days, you would have to manually "take apart" the packet from the captured hexadecimal digits. Now, there are excellent free open source packet capture applications that do it for you. The best known one, and the one that I use, is called Wireshark - highly recommended as there are versions for both Windows and Unix.
The following captured packet is displayed in raw format: hexadecimal bytes, two hex digits per byte, normally laid out in rows of 16 bytes.
FF FF FF FF FF FF 00 20 AF 10 9A C0 00 25 E0 E0 03 FF FF 00 22 00 11 00 00 00 00 FF FF FF FF FF FF 04 52 00 00 00 00 00 20 AF 10 9A C0 40 0B 00 01 00 04 00 00 00 00 00 00 00 00 00
Raw Captured Packet
Raw captured packets do not show the Preamble, Start Frame Delimiter (SFD) and Frame Check Sequence (FCS) fields. These fields tell the receiving station that a new frame is starting and provide error checking; the NIC strips them before the frame is handed to the capture software.
The breakdown of the packet according to the Ethernet MAC frame is as follows: the first 6 bytes (FF FF FF FF FF FF) are the destination address, the next 6 bytes (00 20 AF 10 9A C0) are the source address, the next 2 bytes (00 25) are the Length/Type field and the remaining bytes are the Info field.
The Length/Type field holds 0025h, so the data in the Info field is 37 bytes long. The minimum Info field size is 46 bytes, so the data is padded with 9 bytes of 00h to bring the frame up to the 60-byte minimum (64 bytes once the FCS is added).
The Length/Type field value is 05DCh (1500 decimal) or less, which means it is a length, and that this is an Ethernet_802.2 frame (IEEE 802.3) with a Logical Link Control header (covered later) between the MAC layer and the Network layer. Values of 0600h (1536) and above are protocol type codes instead of lengths.
If the value were 0800h, it would indicate an Ethernet_II frame carrying IP (TCP/IP).
If it were 8137h, it would indicate an Ethernet_II frame carrying IPX. The Ethernet_802.3 "raw" frame used by Netware before version 3.12 also has a length value here, but in that frame the IPX header (starting with the FFFFh checksum) follows the Length field directly, with no LLC header in between.
The complete listing of the Length/Type field assignments is covered in Ethernet Type Field page.
Looking at the MAC block diagram, the data from the Info field is shown broken down (up, to be more exact) into the higher layers: the Logical Link Control layer, the Network layer and the Transport layer. Note: a thorough knowledge of each of the layers and quite a few handy reference books are required in order to determine exactly what is happening. The remaining layers are examined here as an example only.
NOTE: A modern packet sniffer will break down the raw packet's fields for you.
The first 3 bytes of the data in the Ethernet frame Info field are the header of the Logical Link Control layer (LLC, IEEE 802.2):

1st byte: E0  Destination Service Access Point (DSAP)
2nd byte: E0  Source Service Access Point (SSAP)
3rd byte: 03  Control field

E0h is the service access point value assigned to Novell Netware, so this is a Novell Netware stack (source) talking to a Novell Netware stack (destination). The Control value 03h marks an Unnumbered Information (UI) frame, i.e. connectionless LLC Type 1 service with no handshaking or acknowledgement at the LLC layer. The size of the LLC Data field is 37 - 3 = 34 bytes.
The data of the LLC layer becomes the header and data of the layer above it, the Network layer. In this case it is an IPX PDU (Protocol Data Unit): the E0h service access point identifies Netware, and the first 2 bytes of the PDU being FFFFh (the unused IPX checksum) confirm it.

(Hex)
1st 2 bytes:  FFFF          IPX Checksum (always FFFFh; the Ethernet FCS does the error checking)
Next 2 bytes: 0022          IPX PDU length, 34 bytes; allowable range 001Eh (30) to 0240h (576)
Next byte:    00            Transport Control field (hop count), allowed 00h to 0Fh (15)
Next byte:    11            Packet Type; 11h (17) is Netware Core Protocol (NCP)
Next 4 bytes: 00000000      Destination network address; all 0s indicate the local network (the segment number set in the server's autoexec.ncf file)
Next 6 bytes: FFFFFFFFFFFF  Destination host address (same as the destination MAC address)
Next 2 bytes: 0452          Destination socket: Service Advertising Protocol (SAP)
Next 4 bytes: 00000000      Source network address (all 0s indicate the local network)
Next 6 bytes: 0020AF109AC0  Source host address (same as the source MAC address)
Next 2 bytes: 400B          Source socket (dynamically assigned, starting at 4000h)
Last 4 bytes: 00010004      Data
The following tables list the field values for the IPX PDU's Packet Type and Socket Number fields:

Value  Protocol  Purpose
00h    NLSP      Netware Link Services Protocol
01h    RIP       Routing Information Protocol
04h    SAP       Service Advertising Protocol
05h    SPX       Sequenced Packet Exchange
11h    NCP       Netware Core Protocol
14h    NetBIOS   NetBIOS and other propagated packets

IPX Packet Types
Netware Socket Numbers and Processes
Socket Number  Process
451h           Netware Core Protocol (NCP)
452h           Service Advertising Protocol (SAP)
453h           Routing Information Protocol (RIP)
455h           Novell NetBIOS
456h           Diagnostics
9001h          Netware Link Services Protocol (NLSP)
9004h          IPXWAN Protocol
The Network layer's Data field becomes the Transport layer's PDU. In this case it is only 4 bytes long, a SAP request:

1st 2 bytes:  0001  Packet Type (Standard Server Request)
Next 2 bytes: 0004  Service Type (File Server)
The following tables describe the values of the Service Advertising Protocol's Packet Type and Service Type fields:
Value (hex)  Packet Type
01           Standard Server Request
02           Standard Server Reply
03           Nearest Server Request
04           Nearest Server Reply
SAP Packet Types
Value (hex)  Service Type
0000         Unknown
0003         Print Queue
0004         File Server
0005         Job Server
0007         Print Server
0009         Archive Server
0024         Remote Bridge Server
0047         Advertising Print Server
8000         All values up to 8000 are reserved
FFFF         Wildcard

SAP Service Types
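Putting the layer-by-layer breakdown above into code: the following Python script is an added example, not part of the original page, that decodes the raw capture shown above (the hex string is copied from this page) into its Ethernet, LLC, IPX and SAP fields, applying the Length/Type rule, the padding calculation and the IPX range checks described above. The lookup tables are the ones on this page; the second sample frame, an Ethernet_802.3 raw version of the same request with no LLC header, is constructed here for illustration, and the dictionary key names are my own.

```python
"""Decode the captured Netware SAP request layer by layer: Ethernet -> LLC -> IPX -> SAP."""
import struct

# Copied from the raw hex dump on this page: 60 bytes, no preamble, SFD or FCS.
CAPTURED_FRAME_HEX = (
    "FF FF FF FF FF FF 00 20 AF 10 9A C0 00 25 E0 E0 03 FF FF 00 22 00 11 "
    "00 00 00 00 FF FF FF FF FF FF 04 52 00 00 00 00 00 20 AF 10 9A C0 40 0B "
    "00 01 00 04 00 00 00 00 00 00 00 00 00"
)
# Constructed variant: the same request as an Ethernet_802.3 raw frame. The
# Length field (0022h) is followed directly by the IPX header, with no LLC bytes.
RAW_8023_FRAME_HEX = (
    "FF FF FF FF FF FF 00 20 AF 10 9A C0 00 22 FF FF 00 22 00 11 "
    "00 00 00 00 FF FF FF FF FF FF 04 52 00 00 00 00 00 20 AF 10 9A C0 40 0B "
    "00 01 00 04 00 00 00 00 00 00 00 00 00 00 00 00"
)

# Lookup tables as given on this page.
IPX_PACKET_TYPES = {0x00: "NLSP", 0x01: "RIP", 0x04: "SAP", 0x05: "SPX",
                    0x11: "NCP", 0x14: "NetBIOS"}
IPX_SOCKETS = {0x0451: "NCP", 0x0452: "SAP", 0x0453: "RIP", 0x0455: "NetBIOS",
               0x0456: "Diagnostics", 0x9001: "NLSP", 0x9004: "IPXWAN"}
SAP_PACKET_TYPES = {1: "Standard Server Request", 2: "Standard Server Reply",
                    3: "Nearest Server Request", 4: "Nearest Server Reply"}
SAP_SERVICE_TYPES = {0x0000: "Unknown", 0x0003: "Print Queue", 0x0004: "File Server",
                     0x0005: "Job Server", 0x0007: "Print Server", 0x0009: "Archive Server",
                     0x0024: "Remote Bridge Server", 0x0047: "Advertising Print Server",
                     0xFFFF: "Wildcard"}


def fmt_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)


def decode_ethernet(frame):
    """Split off the 14-byte MAC header and classify the frame by its Length/Type field."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, length_type = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    eth = {"dst_mac": fmt_mac(dst), "src_mac": fmt_mac(src), "length_type": length_type}
    if length_type <= 0x05DC:                     # 1500 or less: it is a length (IEEE 802.3)
        if length_type > len(payload):
            raise ValueError("Length field exceeds captured bytes")
        # Netware's raw 802.3 frame has no LLC header: the IPX checksum FFFFh follows the length.
        eth["frame_type"] = "Ethernet_802.3" if payload[:2] == b"\xff\xff" else "Ethernet_802.2"
        eth["data"] = payload[:length_type]
        eth["padding"] = len(payload) - length_type   # pad bytes up to the 46-byte Info minimum
    elif length_type >= 0x0600:                   # 1536 or more: it is a protocol type (Ethernet_II)
        eth["frame_type"] = "Ethernet_II"
        eth["data"] = payload
        eth["padding"] = 0                        # no length field, so padding cannot be told apart
    else:
        raise ValueError(f"undefined Length/Type value {length_type:04X}h")
    return eth


def decode_llc(data):
    """IEEE 802.2 header: DSAP, SSAP, Control. Control 03h is Unnumbered Information (connectionless)."""
    if len(data) < 3:
        raise ValueError("truncated LLC header")
    dsap, ssap, control = data[0], data[1], data[2]
    return {"dsap": dsap, "ssap": ssap, "control": control,
            "ui_frame": control == 0x03, "data": data[3:]}


def decode_ipx(data):
    """30-byte IPX header, checked against the limits given on the page."""
    if len(data) < 30:
        raise ValueError("truncated IPX header")
    checksum, length, tc, ptype = struct.unpack("!HHBB", data[:6])
    dnet, dnode, dsock, snet, snode, ssock = struct.unpack("!I6sHI6sH", data[6:30])
    if checksum != 0xFFFF:
        raise ValueError("IPX checksum field must be FFFFh")
    if not 30 <= length <= 576 or length > len(data):
        raise ValueError(f"bad IPX length {length}")
    if tc > 0x0F:
        raise ValueError("transport control (hop count) above 0Fh")
    return {"length": length, "hops": tc, "packet_type": ptype,
            "packet_type_name": IPX_PACKET_TYPES.get(ptype, "unknown"),
            "dst_net": dnet, "dst_node": fmt_mac(dnode), "dst_socket": dsock,
            "dst_socket_name": IPX_SOCKETS.get(dsock, "dynamic (4000h and up)"),
            "src_net": snet, "src_node": fmt_mac(snode), "src_socket": ssock,
            "src_socket_name": IPX_SOCKETS.get(ssock, "dynamic (4000h and up)"),
            "data": data[30:length]}              # IPX length includes the 30-byte header


def decode_sap(data):
    """SAP header: 16-bit Packet Type followed by 16-bit Service Type."""
    if len(data) < 4:
        raise ValueError("truncated SAP header")
    ptype, stype = struct.unpack("!HH", data[:4])
    return {"packet_type": ptype, "packet_type_name": SAP_PACKET_TYPES.get(ptype, "unknown"),
            "service_type": stype,
            "service_type_name": SAP_SERVICE_TYPES.get(stype, "reserved/unassigned")}


def decode_frame(hex_dump):
    """Walk the layers, dispatching on the values that identify each protocol."""
    eth = decode_ethernet(bytes.fromhex(hex_dump))
    result = {"ethernet": eth}
    if eth["frame_type"] == "Ethernet_802.2":
        llc = decode_llc(eth["data"])
        result["llc"] = llc
        if llc["dsap"] != 0xE0:                   # E0h = Netware (IPX) service access point
            return result
        ipx_bytes = llc["data"]
    elif eth["frame_type"] == "Ethernet_802.3" or eth["length_type"] == 0x8137:
        ipx_bytes = eth["data"]                   # IPX header directly after the MAC header
    else:
        return result
    ipx = decode_ipx(ipx_bytes)
    result["ipx"] = ipx
    if ipx["dst_socket"] == 0x0452:               # SAP socket: decode the 4-byte SAP request
        result["sap"] = decode_sap(ipx["data"])
    return result


if __name__ == "__main__":
    for layer, fields in decode_frame(CAPTURED_FRAME_HEX).items():
        print(layer, {k: v for k, v in fields.items() if k != "data"})
```

The dispatch follows the page's own identification rules: a Length/Type of 1500 or less selects 802.3 framing, FFFFh immediately after the length marks a raw Netware frame, a DSAP of E0h selects IPX, and destination socket 452h selects SAP. Each layer checks that the bytes it needs are actually present before unpacking, so a truncated or padded capture fails loudly rather than being misread.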
Example Packet Sniffing Summary
This packet is commonly called a Standard Server Request. It is broadcast (destination FF-FF-FF-FF-FF-FF) on the local network (network 00-00-00-00) by a Novell Netware client that is looking for a file server to log in to. Any server hearing it would respond with a Service Advertising Protocol reply PDU listing its services. Note that nothing in the request or the reply authenticates either side: a client will take at its word any station on the segment that answers with a SAP reply.
This is the packet broken down graphically - it is easier to see what is happening.