November 2, 2022

BSD TCP/IP for Kyu - using wireshark

Wireshark is an "old friend", but I don't use it often enough to be fluent with it. 
su
wireshark

The first order of business is setting a capture filter so I don't have to see all the packets on even my little home network. The current wireshark (or at least what I am running) is 3.6.8. It offers a tiny green box left of the entry for the capture filter, and this seems to provide a bunch of suggestions -- which is very helpful. I enter: 

host 192.168.0.138
I hit return and then "telnet 192.168.0.138 23" and I get what I want!

Cut and Paste

It has always infuriated me that I cannot just copy and paste the hex contents of a packet out of the wireshark window. I search on this (I can't be the only one?). The advice is to get the result you want in a different way. The tip was to use File -- Print -- Plain text, but the plain text option no longer exists.

Here is what I did and what served my purpose.

Doing this, I get the following: 
00000000 c2c2 9bae f95e c860 0024 ea32 0800 4510
00000010 003c 2228 4000 4006 96a4 c0a8 0005 c0a8
00000020 008a a0ce 0017 a2ba fa4b 0000 0000 a002
00000030 faf0 820e 0000 0204 05b4 0402 080a 7d27
00000040 a7fa 0000 0000 0103 0307
The first 14 bytes are the ethernet header. 
00000000 c2c2 9bae f95e c860 0024 ea32 0800
The next 20 bytes are the IP header 
00000000                                    4510
00000010 003c 2228 4000 4006 96a4 c0a8 0005 c0a8
00000020 008a
The next 20 bytes are the TCP header 
00000020      a0ce 0017 a2ba fa4b 0000 0000 a002
00000030 faf0 820e 0000 0204 05b4 0402 080a 7d27
00000040 a7fa 0000 0000 0103 0307
The value "0017" is 23 (the destination port number)

The last 4 bytes are "0103 0307". What can these be?

Have any comments? Questions? Drop me a line!

Kyu / [email protected]