00 13 72 8c be e1 00 90 1a 42 85 10 81 00 00 02 08 00 45 00 00 28 83 e5 40 00 7e 06 37 b7 7a a0 0b 2f 7a a0 40 c4 0e 99 01 bd ef cf 3c 3e bd 6a eb 69 50 10 fb 09 8e 5e 00 00 00 00 00 00 00 00
“Hmph. Another packet dump…”
“Ok, what kind of packet is it? Let me see -- offset 12, 2 bytes is 8100 ok it is a VLAN frame, so skip 4 bytes and we get 0800 -- so, of course it is an IP pkt -- easy!”
“What’s the IP payload -- TCP, UDP or something else? I need to look at the IP protocol id -- hmmm, now what offset is that? <some google search> ah offset 9 from start of IP header, so 14 bytes is ethernet header + 4 bytes VLAN + 9 bytes i.e. I need to look at offset 27 … wait, how many bytes is protocol id? <some more google search> ok 1 byte wide -- so 1 byte at offset 27 is 06 -- but what protocol is 06 <still more google search> TCP -- its a TCP packet”
“What application does the TCP port numbers indicate? And what about source and destination IP? Is it a fragment? First, middle or last? <more google search, more counting, number crunching, converting from hex to decimal etc.> OK – dst TCP port is 445, so application is Microsoft Directory Services, src ip is 18.104.22.168 and dst is 22.214.171.124, it is unfragment packet with DF bit set -- phew!”
“Hey, btw is the IP checksum correct?”
“WHAT? <unprintable stuff>”
Deja vu? Remember having a similar conversation with yourself at some point in time?
Working with packet hex dumps is can become painful at times. We might have hex dumps from test logs, as debugging output etc.
Manually decoding these hexdumps to identify the type of packet and packet contents is not only time consuming but also fraught with danger of decoding it incorrectly.
The tool you need to fulfill your protocol decoding needs is -- “pdd” or “Packet Dump Decode” -- a small GUI in which you can just cut-paste the hexdump, hit the “Decode” button and voila -- you have a decoded pkt! (Of course, if it is a badly formatted hexdump, you might have edit it a bit, before it may be able to decode at all or decode correctly!)
- pdd is a wrapper around tools shipped with Wireshark or Ethereal
- Can work with either Wireshark or Ethereal -- but needs atleast one!
- Tries to auto locate Wireshark or Ethereal when run for the first time
- If it can’t find it, you can set the location manually
- Remembers the location for the next run via a .ini file -- no messing with the registry
- Packaged as a portable zip file -- just unzip and you are good to go. No installer -- no scattered files on disk, no mess in registry
The following snapshot shows the output after pasting the hexdump given in the beginning of the post in to pdd and clicking on Decode. As you would notice, it decodes the whole hex dump and provides information in a readable packet field format.
pdd is hosted and available from googlecode. It is copyright © Srivats P. and licensed and distributed under GPL -- yes, its Open Source.
It’s all there at http://pdd.googlecode.com/. Go Decode!