Sample Ping Packet Decode

[size=medium]The purpose of this topic is to partially decode an ICMP Echo or "Ping" packet as it appears on an Ethernet network.



[b]Packet Representation On The Network[/b]

The following is a HEX dump of a simple ICMP echo or "ping" packet:

000000: 00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 45 00 ...c...@.I._..E.
000010: 00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8 .<.G.. ...... ..
000020: 01 40 08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66 .@..H\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69 wabcdefghi......

The ping was initiated with the command:

C:> ping 192.168.1.64

and sent the ICMP echo request with the default of 32 bytes of data. The total length of the ping packet is 74 bytes.

The packet can be broken into the following protocol elements:

Ethernet Header
IP Datagram
[list]
[*] IP Header
[*] IP Data
[/list]

[b]Ethernet Header[/b]

The network media is Ethernet. This means that the first 14 bytes are the Ethernet Header:

000000: [color=red]00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 [/color]45 00 ...c...@.I._..E.
000010: 00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8 .<.G.. ...... ..
000020: 01 40 08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66 .@..H\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69 wabcdefghi......



The 14 byte Ethernet Header includes three fields:

MAC Destination Address (0-5, 6 bytes) - 00-A0-CC-63-08-1B
MAC Source Address (6-11, 6 bytes) - 00-40-95-49-03-5F
Ethernet Type Field (12-13, 2 bytes) - 0x0800 (IP Datagram)



[b]IP Datagram[/b]

The remaining 60 bytes (14-73) constitute the IP datagram itself:

000000: 00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 [color=blue]45 00[/color] ...c...@.I._..E.
000010: [color=blue]00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8[/color] .<.G.. ...... ..
000020: [color=blue]01 40 08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66[/color] .@..H\....abcdef
000030: [color=blue]67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 [/color]ghijklmnopqrstuv
000040: [color=blue]77 61 62 63 64 65 66 67 : 68 69[/color] wabcdefghi......



[b]IP Header[/b]

The IP datagram begins at byte 14, which means that the IP Header also starts at byte 14. The 0x45 value found there is interpreted to mean that the packet is an IPv4 packet and the IP Header length is five (5) 32-bit words (14-33):

000000: 00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 [color=indigo]45 00[/color] ...c...@.I._..E.
000010: [color=indigo]00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8 [/color].<.G.. ...... ..
000020: [color=indigo]01 40 [/color]08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66 .@..H\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69 wabcdefghi......



Here are decodes of a few key fields:

IP Version (14, high nibble) - IPv4
IP Header Length (14, low nibble) - Five (5) 32-bit Words
Source IP Address (26-29, 4 bytes) - 192.168.1.32 (C0.A8.01.20)
Destination IP Address (30-33, 4 bytes) - 192.168.1.64 (C0.A8.01.40)



[b]IP Data[/b]

Forty (40) bytes of IP Data follow the IP Header (34-73):

000000: 00 A0 CC 63 08 1B 00 40 : 95 49 03 5F 08 00 45 00 ...c...@.I._..E.
000010: 00 3C 82 47 00 00 20 01 : 94 C9 C0 A8 01 20 C0 A8 .<.G.. ...... ..
000020: 01 40 [color=brown]08 00 48 5C 01 00 : 04 00 61 62 63 64 65 66[/color] .@..H\....abcdef
000030: [color=brown]67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 [/color]ghijklmnopqrstuv
000040: [color=brown]77 61 62 63 64 65 66 67 : 68 69 [/color]wabcdefghi......



Of course, the IP Data in this case is, in fact, an ICMP Echo Request, including thirty-two (32) bytes of Echo Data (42-73).[/size]