Here is an image of a captured packet (I do not have the full image, only this snippet). From it, I know that 0x4500 indicates that the IP version is IPv4. But how do I indicate what the source and destination addresses are? Is there an easy way to see and determine which is which?
-1
-
You should be familiar with [RFC 791](https://www.rfc-editor.org/rfc/rfc791.html#section-3.1), which is the definition of IPv4. – Ron Maupin Oct 01 '21 at 19:45
-
Actually, it is only the `4` that indicates it is IPv4. The other numbers in the `4500` have other meanings. – Ron Maupin Oct 01 '21 at 19:46
1 Answer
0
Apologies for my "paint"-with-mouse skills. The general idea is this.
You take a header format and match it byte by byte.
To find protocol numbers, one needs to read the appropriate registry. For IP, this registry is the IANA registry for protocol numbers. Most protocols standardized by the IETF have similar IANA registries. The registry should be listed in the protocol specification.

Effie
-
Thank you, the drawing is really helpful. Though, what do you mean by "one needs to determine next protocol and parse next header"? What is the purpose of this? @Effie – Skyb Oct 02 '21 at 17:12
-
If you want to continue parsing the packet, you would start parsing the next header from the "content starts here" point. What the next header is is "written" in the protocol field. You need to "read" the value, check the protocol registry, and then find the format of the next header to parse the packet further. In this example, you go to the link and look up header number 6, which returns TCP. Then you can open the TCP header format and repeat the procedure. – Effie Oct 02 '21 at 17:26
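The byte-by-byte matching described in the answer and its follow-up comment, written out as an added example (not code from any poster in this thread). The sample packet, its addresses and ports are constructed for illustration, and the protocol table is a three-entry excerpt of the IANA registry rather than the full list.

```python
import ipaddress
import struct

# Excerpt of the IANA protocol-numbers registry (assumption: only these three are needed).
IANA_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: 20-byte IPv4 header followed by a 20-byte TCP header.
SAMPLE = bytes.fromhex(
    "450000281c46400040063245c000020ac6336407"
    "c00001bb00000001000000005002ffff00000000"
)

def checksum_ok(header: bytes) -> bool:
    """RFC 791: the one's-complement sum of all 16-bit header words is 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    # Fixed 20-byte layout: protocol is byte 9, source bytes 12-15, destination 16-19.
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F   # 0x45 -> version 4, IHL 5
    if version != 4:
        raise ValueError(f"not IPv4 (version nibble is {version})")
    header_len = ihl * 4                          # IHL counts 32-bit words
    if ihl < 5 or header_len > len(packet) or total_len < header_len:
        raise ValueError("invalid IHL or total length")
    return {
        "header_len": header_len, "total_len": total_len, "ttl": ttl,
        "protocol": proto, "protocol_name": IANA_PROTOCOLS.get(proto, "unknown"),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": checksum_ok(packet[:header_len]),
        "payload": packet[header_len:total_len],  # the next header starts here
    }

def parse_tcp_ports(segment: bytes) -> tuple:
    """Next-header step for protocol 6: first four bytes are source and destination port."""
    if len(segment) < 20:
        raise ValueError("shorter than the minimum TCP header")
    return struct.unpack("!HH", segment[:4])

if __name__ == "__main__":
    ip = parse_ipv4(SAMPLE)
    print(ip["src"], "->", ip["dst"], ip["protocol_name"], parse_tcp_ports(ip["payload"]))
```

Checking the version nibble, IHL and header checksum before trusting the address fields keeps a truncated or misaligned capture from being read as valid addresses.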