wireshark format

Mar 16, 2012 at 11:15 PM

Amazing job,

 

I am loading a dump file saved by Wireshark and I wonder which fields (objects) in the "Packet" class are equivalent to the fields in the Wireshark default view:

  1. Time - (Packet.Timestamp.ToString("yyyy-MM-dd hh:mm:ss.fff"))
  2. Source Destination ?
  3. Src Port ?
  4. Destination ?
  5. Des Port ?
  6. Protocol ?
  7. Size (Packet.Length)
  8. Info ?

wireshark screen shot:

 http://upload.wikimedia.org/wikipedia/commons/thumb/0/03/Wireshark_screenshot.png/800px-Wireshark_screenshot.png

Thanks,

Aviram

 

Coordinator
Mar 17, 2012 at 12:29 PM

Hi Aviram,

 

1. Time: in the screenshot it shows time from the beginning of the capture file. What actually is encoded in the capture file is the absolute time (in UTC) and it's indeed encoded in the Timestamp field.

2. Depending on the packet this is usually packet.Ethernet.IpV4.Source.

3. Depending on the packet this is usually packet.Ethernet.IpV4.Transport.SourcePort.

4. Depending on the packet this is usually packet.Ethernet.IpV4.Destination.

5. Depending on the packet this is usually packet.Ethernet.IpV4.Transport.DestinationPort.

6. Protocol isn't really encoded in the packet. It's more of an interpretation by Wireshark and usually doesn't contain all the information. It can usually be deduced by combining:

a. packet.Ethernet.EtherType

b. Assuming (a) is IP - packet.Ethernet.IpV4.Protocol

c. Assuming (b) is TCP or UDP - packet.Ethernet.IpV4.Transport.SourcePort and packet.Ethernet.IpV4.Transport.DestinationPort (usually the minimum of the two).

7. I'm not sure what size you are referring to. packet.Length will give you the total size of the packet in bytes.

8. Like Protocol, this is just a string that combines different values depending on the different protocols values.

 

I hope this helps,

 

Boaz.
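The following is an added example, not code from this thread or from Pcap.Net itself. It builds the eight Wireshark default columns from a Pcap.Net `Packet` using exactly the accessors Boaz lists above (`Timestamp`, `Length`, `Ethernet.EtherType`, `Ethernet.IpV4.Source`/`Destination`/`Protocol`, `Ethernet.IpV4.Transport.SourcePort`/`DestinationPort`), including the "lower of the two ports" heuristic for the Protocol column. It assumes an Ethernet capture, a placeholder pcap path, and a small constructed port table for the application-protocol guess; it also checks `IsValid` before reading IPv4 fields so a truncated or malformed header does not produce nonsense addresses.

```csharp
using System;
using PcapDotNet.Core;
using PcapDotNet.Packets;
using PcapDotNet.Packets.Ethernet;
using PcapDotNet.Packets.IpV4;
using PcapDotNet.Packets.Transport;

// One row of the Wireshark default view.
public sealed class PacketRow
{
    public DateTime Time;            // absolute UTC time stored in the capture (see Boaz's point 1)
    public string Source = "";
    public string SourcePort = "";
    public string Destination = "";
    public string DestinationPort = "";
    public string Protocol = "";
    public int Length;               // total packet size in bytes (point 7)
    public string Info = "";         // free-form summary, like Wireshark's Info column (point 8)
}

public static class WiresharkColumns
{
    public static PacketRow Describe(Packet packet)
    {
        var row = new PacketRow { Time = packet.Timestamp, Length = packet.Length };
        EthernetDatagram ethernet = packet.Ethernet;   // assumes an Ethernet data link

        // Step (a): EtherType says what sits above Ethernet.
        if (ethernet.EtherType != EthernetType.IpV4)
        {
            row.Protocol = ethernet.EtherType.ToString();
            row.Source = ethernet.Source.ToString();        // fall back to MAC addresses
            row.Destination = ethernet.Destination.ToString();
            row.Info = "non-IPv4 frame";
            return row;
        }

        IpV4Datagram ip = ethernet.IpV4;
        if (!ip.IsValid)
        {
            // Do not read addresses or ports from a header that failed validation.
            row.Protocol = "IPv4 (malformed)";
            row.Info = "IPv4 header failed validation";
            return row;
        }
        row.Source = ip.Source.ToString();
        row.Destination = ip.Destination.ToString();

        // Step (b): the IPv4 protocol field.
        switch (ip.Protocol)
        {
            case IpV4Protocol.Tcp:
            case IpV4Protocol.Udp:
                TransportDatagram transport = ip.Transport;
                row.SourcePort = transport.SourcePort.ToString();
                row.DestinationPort = transport.DestinationPort.ToString();
                // Step (c): guess the application protocol from the lower port number.
                int lowPort = Math.Min(transport.SourcePort, transport.DestinationPort);
                row.Protocol = GuessApplication(ip.Protocol, lowPort);
                row.Info = transport.SourcePort + " -> " + transport.DestinationPort
                         + " Len=" + transport.Length;
                break;
            default:
                row.Protocol = ip.Protocol.ToString();
                row.Info = "IPv4 protocol number " + (byte)ip.Protocol;
                break;
        }
        return row;
    }

    // Constructed port table for the example; Wireshark's own dissector tables are far larger.
    static string GuessApplication(IpV4Protocol protocol, int lowPort)
    {
        switch (lowPort)
        {
            case 53:  return "DNS";
            case 80:  return "HTTP";
            case 443: return protocol == IpV4Protocol.Tcp ? "TLS" : "QUIC";
            default:  return protocol.ToString().ToUpperInvariant();   // "TCP" / "UDP"
        }
    }

    public static void Main()
    {
        var device = new OfflinePacketDevice(@"C:\captures\sample.pcap");   // placeholder path
        using (PacketCommunicator communicator =
               device.Open(65536, PacketDeviceOpenAttributes.None, 1000))
        {
            communicator.ReceivePackets(0, packet =>
            {
                PacketRow r = Describe(packet);
                // HH (24-hour) avoids the ambiguity of hh in the original question's format string.
                Console.WriteLine("{0:yyyy-MM-dd HH:mm:ss.ffffff} {1}:{2} -> {3}:{4} {5} {6} {7}",
                    r.Time, r.Source, r.SourcePort, r.Destination, r.DestinationPort,
                    r.Protocol, r.Length, r.Info);
            });
        }
    }
}
```

Wireshark's relative "Time" column is the difference between each packet's `Timestamp` and the first packet's; the absolute UTC value is what the file stores, so subtract the first timestamp yourself if you want the same display.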

Apr 18, 2012 at 4:25 AM

I am in a similar situation as @Avarim in that I am trying to understand how Wireshark is so adept at decoding these packets.

When you say "Depending on the packet", is there any way to know if a packet is Ethernet or IpV4?

The situation I have is that I have a pcap file captured by Wireshark that opens in Wireshark and populates these fields fine but when I try to use the @brickner-recommended fields they don't match. 

When I look at the packet.DataLink property, it comes out with "RAW (Raw IP)", which makes sense when I try to manually parse it as an IpV4 packet.  When I look at the packet.Ethernet.IpV4.IsValid property though, it is false.  I'm guessing that I shouldn't be looking at the Ethernet property because the docs say "Takes the entire packet as an Ethernet datagram" when what I really want is to take the entire packet as an IPv4 packet.

Any ideas?

Coordinator
Apr 18, 2012 at 9:21 PM

Hi brianestey17,

 

I'm not sure what you mean by Ethernet or IPv4. Usually, an IPv4 packet would be over some data link layer like Ethernet.

 

Can you perhaps give a link to the pcap file so I can take a look and see what you mean?

 

Boaz.

Apr 19, 2012 at 3:33 AM

@brickner,

I've posted a sample file here

Take a look and you'll see that each packet is a "RAW (Raw IP)" packet. 

Coordinator
Apr 20, 2012 at 12:25 AM
Edited Apr 20, 2012 at 12:26 AM

Hi brianestey17,

 

Thanks for posting the file.

I've just submitted a Change Set (66877) that adds support for such packets.

You're the first person who asked for that, and luckily the design made it very easy to add.

 

The support will be available in the next version of Pcap.Net.

If you don't want to wait, you can download the sources and build them by following the Pcap.Net developer's guide.

 

I hope this helps,

 

Boaz.

Apr 20, 2012 at 3:10 AM
Edited Apr 20, 2012 at 3:45 AM

Suh-weeeet!  Thanks a lot!  I'll grab the source and check it out. 

[EDIT] Just an update - I tested it out and it works perfectly.  Thanks again, brickner.
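As an added example (my code, not Pcap.Net's and not posted by anyone in this thread), here is the check brianestey17's problem calls for: read `packet.DataLink.Kind` first and only use `packet.Ethernet` when the capture really is Ethernet, so `IsValid` failures on a "RAW (Raw IP)" file are reported instead of silently producing garbage fields. The raw-IP branch assumes a `DataLinkKind.IpV4` value and a `Packet.IpV4` accessor that takes the whole packet as an IPv4 datagram, i.e. the support Boaz says change set 66877 added; those two names are my assumption and are not stated in the thread. The pcap path is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using PcapDotNet.Core;
using PcapDotNet.Packets;
using PcapDotNet.Packets.Ethernet;
using PcapDotNet.Packets.IpV4;

public static class IpV4Selector
{
    // Returns the IPv4 datagram for this packet, or null with a reason when the
    // data link layer is not one we handle or the IPv4 header does not validate.
    public static IpV4Datagram SelectIpV4(Packet packet, out string reason)
    {
        IpV4Datagram ip;
        switch (packet.DataLink.Kind)
        {
            case DataLinkKind.Ethernet:
                if (packet.Ethernet.EtherType != EthernetType.IpV4)
                {
                    reason = "Ethernet payload is " + packet.Ethernet.EtherType + ", not IPv4";
                    return null;
                }
                ip = packet.Ethernet.IpV4;
                break;

            case DataLinkKind.IpV4:   // assumed enum member for "RAW (Raw IP)" captures
                ip = packet.IpV4;     // assumed accessor: the entire packet as an IPv4 datagram
                break;

            default:
                reason = "unsupported data link: " + packet.DataLink;
                return null;
        }

        // Validate before touching any header field; a wrong accessor (Ethernet on a
        // raw-IP file) or a truncated header shows up here, as it did for brianestey17.
        if (!ip.IsValid)
        {
            reason = "IPv4 header failed validation under data link " + packet.DataLink;
            return null;
        }
        reason = null;
        return ip;
    }

    public static void Main()
    {
        var device = new OfflinePacketDevice(@"C:\captures\rawip-sample.pcap");   // placeholder path
        var rejected = new Dictionary<string, int>();   // reason -> count, for a quick triage summary
        int accepted = 0;

        using (PacketCommunicator communicator =
               device.Open(65536, PacketDeviceOpenAttributes.None, 1000))
        {
            Console.WriteLine("capture data link: " + communicator.DataLink);
            communicator.ReceivePackets(0, packet =>
            {
                string reason;
                IpV4Datagram ip = SelectIpV4(packet, out reason);
                if (ip == null)
                {
                    int n;
                    rejected.TryGetValue(reason, out n);
                    rejected[reason] = n + 1;
                    return;
                }
                accepted++;
                Console.WriteLine(ip.Source + " -> " + ip.Destination + " " + ip.Protocol);
            });
        }

        Console.WriteLine("accepted IPv4 packets: " + accepted);
        foreach (var kv in rejected)
            Console.WriteLine("rejected " + kv.Value + "x: " + kv.Key);
    }
}
```

The data link type is a property of the whole capture (it comes from the pcap file header, which is why every packet in the sample file shows the same "RAW (Raw IP)" value), so `communicator.DataLink` can also be checked once before the loop; the per-packet switch is kept so the same helper works for live captures and for files of any link type.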