TCP\IP Packet Signature - how to identify such data packets?

5,954

My suggestion: download and capture some data with Wireshark. Make sure you have the packet list, packet details and packet bytes view options enabled and start clicking on packets. In the packet detail section, you can click on the L2, L3, and L4 sections of the packet and it will highlight the bytes that correlate to whatever you have selected.

Then start by doing some searching online to learn about Ethernet headers/encapsulation, IP headers, TCP headers and the like. Wikipedia is often a good jumping-off point for topics like this, but there are hundreds of resources online. I did a quick search looking for an image that represents how the Ethernet frame is ultimately built and found this one that is pretty good: http://www.tcpipguide.com/free/t_IPDatagramEncapsulation.htm

Haven't read the content, but between resources like that and starting to play with the parts of the frame in a tool like Wireshark, you will find there is a definite structure to the binary data and it becomes fairly easy to tell apart.
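The "definite structure" the answer points to is exactly what a packet carver keys on. As an added example (not code from the original post or from any tool mentioned in it), the Python below scans a raw byte blob for Ethernet/IPv4/TCP frames: it combines the weak markers the question names (EtherType 0x0800 followed by the 0x45 version/IHL byte) with a verified IPv4 header checksum and self-consistent length fields, so random data that merely happens to contain the marker bytes is rejected. The sample input is the frame from the question's hex dump plus a constructed decoy.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 when the header's own checksum is valid."""
    # IPv4 header lengths are multiples of 4, so the header splits evenly into 16-bit words
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def carve_tcp_frames(blob: bytes) -> list:
    """Return (offset, fields) for each Ethernet/IPv4/TCP frame carved from blob.
    EtherType 0x0800 and the 0x45 version/IHL byte are only weak markers; a
    checksum-valid IPv4 header with self-consistent lengths is what makes a hit
    trustworthy, so decoys that merely share the marker bytes are rejected."""
    found, i = [], 0
    while i + 14 + 20 <= len(blob):  # room for Ethernet + minimal IPv4 header
        if blob[i + 12:i + 14] != b"\x08\x00" or blob[i + 14] >> 4 != 4:
            i += 1
            continue
        ip = blob[i + 14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if (ihl < 20 or total_len < ihl or len(ip) < total_len
                or ipv4_checksum(ip[:ihl]) != 0 or ip[9] != 6):  # 6 = TCP
            i += 1
            continue
        tcp = ip[ihl:total_len]
        doff = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
        if doff < 20 or doff > len(tcp):  # TCP data offset must be >= 5 words and fit
            i += 1
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        found.append((i, {
            "dst_mac": blob[i:i + 6].hex(":"), "src_mac": blob[i + 6:i + 12].hex(":"),
            "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "flags": tcp[13], "payload_len": len(tcp) - doff,
        }))
        i += 14 + total_len  # resume scanning right after the carved frame
    return found

# Constructed input: the frame from the question's hex dump, preceded by a decoy
# that carries the 0x0800 / 0x45 marker bytes but has a bogus IPv4 checksum.
DECOY = bytes(12) + bytes.fromhex("0800 4500 0014") + bytes(14)
FRAME = bytes.fromhex(
    "000C293124410050 56EDA54608004500 0028C0A800008006 0D0E45ABF725C0A8"
    "6FA001BB06AF7C3E 0B5135876B875010 FAF016C200000000 0000000000000000"
    "FD0CAC83FB0AB041 B3B3F871881F4C8C"
)
SAMPLE = DECOY + FRAME
```

Running `carve_tcp_frames(SAMPLE)` skips the decoy at offset 0 and reports the single real frame at offset 32 (443 -> 1711, ACK only, no payload), which is why a carver can find frames without knowing any MAC or IP address in advance.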


Author: Gizmo_the_Great

Wannabe programmer, developing using Free Pascal (FPC) and Lazarus IDE

Updated on September 18, 2022

Comments

  • Gizmo_the_Great over 1 year

    I know of a program that can "carve" (look for) TCP IP Packets from raw binary data. The results it presents are the source and destination MAC addresses, the source and destination IP addresses and a few other bits and pieces (port numbers etc).

    I'm curious to know what bits of data act as a signature\flag to identify such data amidst a mass of other binary data? The example below is one of my own IP packets from a test. First 6 bytes = Destination MAC address. Next 6 bytes, Source MAC address. 0800 is some kind of marker that I now forget. 45 AB F7 25 is one IP address, C0 A8 6F A0 one of my internal IP addresses etc.

    But there's nothing before it or after it to say "Hey - this is TCP IP data". And there are hundreds of other similar examples. So how has the software found it and the others when the starting data is simply a MAC address - not something that you can easily code a program to look for (which is what I want to do myself)?

    Any thoughts?

    Offset       0  1  2  3  4  5  6  7   8  9 10 11 12 13 14 15
    
    000000000   00 0C 29 31 24 41 00 50  56 ED A5 46 08 00 45 00     )1$A PVí¥F  E 
    000000016   00 28 C0 A8 00 00 80 06  0D 0E 45 AB F7 25 C0 A8    (À¨  €   E«÷%À¨
    000000032   6F A0 01 BB 06 AF 7C 3E  0B 51 35 87 6B 87 50 10   o  » ¯|> Q5‡k‡P 
    000000048   FA F0 16 C2 00 00 00 00  00 00 00 00 00 00 00 00   úð Â            
    000000064   FD 0C AC 83 FB 0A B0 41  B3 B3 F8 71 88 1F 4C 8C   ý ¬ƒû °A³³øqˆ LŒ
    
    • Admin about 11 years
      are you looking for initialization vectors?
    • Gizmo_the_Great about 11 years
      If by initialization vectors, you mean the cryptographic kind, then no. I'm basically looking for a magic marker\signature for these data packets.
  • Darius about 11 years
    From the bit of "raw binary data" it does seem like it was captured with Wireshark.
  • Darius about 11 years
    Agreed... Wireshark is a very good tool. I wish I knew it better :)
  • Gizmo_the_Great about 11 years
    Thanks. I have already read the various papers on TCP\IP packet structure and I am familiar with the hex breakdown, as stated above. What I need to know is how these packets can be "spotted" amidst raw captured data when you don't know in advance the MAC addresses, the IP addresses etc. It is obviously possible, as it is done by the software used to present that hex shot above. I want to work out how they do it.
  • YLearn about 11 years
    To answer what you are asking, you need to get down to the mechanics of L1 signalling, and this is different for each L1 medium. Once you get to L2, a frame is a frame. For example, it doesn't matter to L2 Ethernet if the L1 medium was fiber or copper or RF, as long as when it sends a frame down to L1, the L1 on the other side delivers a frame to L2. Network traffic is not just random binary data, it is very structured binary data.