Sniffing Ethernet - First Example

November 17th 2002

Thierry Coulbois



Using windump (the Windows equivalent of tcpdump for Unix) we can view the frames arriving on an Ethernet interface. This software lets us put our Ethernet card in promiscuous mode, so that it passes up every frame on the segment and not only those addressed to it. I used it on my Windows 98 machine in my office at the university, during a telnet session with my computer in Paris, to show you two frames. Here is the output; the field-by-field comments follow each frame:

DOS>windump -i 2 -x -X -c 2 -e
  
This MS-DOS command generates the output below. The options mean:
-i 2: select the correct Ethernet card (interface number 2)
-x -X: print the hexadecimal content of the packet and, alongside it, the corresponding ASCII characters
-c 2: stop after the first two frames
-e: print the link-level (Ethernet) header on the summary line, i.e. the two MAC addresses, the encapsulated protocol and the frame length
Note that the hex dump starts at the IP header: the 14-byte Ethernet header reported on the summary line is not part of the dump, which is why the first frame length is 55 while the dump holds the 41 bytes of the IP packet.
15:20:11.500361 0:60:67:1:be:53 0:50:da:4f:13:3d ip 55: 
THIERRYC.1053 > godel.logique.jussieu.fr.23: P [tcp sum ok] 
3601068:3601069(1) ack 2042855910 win 7742 (DF) (ttl 128, id 43010, len 41)
0x0000	 4500 0029 a802 4000 8006 eb19 c0a8 0d6c	E..)..@........l
0x0010	 869d 1301 041d 0017 0036 f2ac 79c3 81e6	.........6..y...
0x0020	 5018 1e3e cb19 0000 6c                 	P..>....l
15:20:11.500361 : timestamp (15h 20min 11s and 500361 microseconds)
0:60:67:1:be:53 : the Ethernet (MAC) address of my computer in Al-Quds, the source of the frame
0:50:da:4f:13:3d : the Ethernet address of the proxy, the destination of the frame on the local network (the machine in Paris is not on this segment, so the frame is addressed to the local next hop rather than to godel itself)
ip : protocol encapsulated in the Ethernet frame
55 : length of the frame in bytes (14 bytes of Ethernet header + 41 bytes of IP packet; the second frame reports 60 because Ethernet pads short frames to its 60-byte minimum, and the trailing zeros in its dump are that padding, not data)
THIERRYC.1053 : name and port of the source (IP and TCP)
godel.logique.jussieu.fr.23 : name and port of the destination (IP and TCP)
P [tcp sum ok] 3601068:3601069(1) ack 2042855910 win 7742 : TCP header data: PSH flag set, TCP checksum verified by windump, one byte of data occupying sequence number 3601068 (so the next byte will be 3601069), acknowledgement number, window size
(DF) (ttl 128, id 43010, len 41) : IP header data: Don't Fragment set, Time To Live, identification, total length
4 : IP version: 4
5 : IP header length: 5 32-bit words, i.e. 20 bytes (no IP options)
00 : IP Type Of Service
00 29 : IP total length: 41 bytes (20 of IP header + 20 of TCP header + 1 of data)
a8 02 : IP identification number: 43010
010 (3 bits) : IP flags: reserved 0, Don't Fragment 1, More Fragments 0
0 0000 0000 0000 (13 bits) : IP fragment offset: 0 (in units of 8 bytes)
80 : IP Time To Live: 128
06 : IP encapsulated protocol: 6 = TCP
eb19 : IP header checksum (covers the 20 header bytes only; the TCP segment carries its own)
c0a8 0d6c : IP source address: 192.168.13.108 (a private RFC 1918 address)
869d 1301 : IP destination address: 134.157.19.1
041d : TCP source port: 1053 (an ephemeral client port)
0017 : TCP destination port: 23 (telnet)
0036 f2ac : TCP sequence number: 3601068, the sequence number of the first (and only) data byte of this segment
79c3 81e6 : TCP acknowledgement number: 2042855910, the next byte expected from godel
5 : TCP header length: 5 32-bit words, i.e. 20 bytes (no TCP options)
011000 (6 bits) : TCP flags, in the order URG ACK PSH RST SYN FIN: ACK and PSH are set (the "P" on the summary line); the 6 reserved bits between the header length and the flags are zero
1e3e : TCP window size: 7742 bytes
cb19 : TCP checksum, computed over a pseudo-header (IP addresses, protocol, TCP length), the TCP header and the data; this is the value behind "[tcp sum ok]"
0000 : TCP urgent pointer (ignored since URG is not set)
6c : TCP data: the single ASCII character "l", which the server echoes back in the second frame. Every byte of a telnet session, passwords included, crosses the wire in the clear like this, which is exactly what a card in promiscuous mode on the segment sees.
15:20:11.624869 0:50:da:4f:13:3d 0:60:67:1:be:53 ip 60: 
godel.logique.jussieu.fr.23 > THIERRYC.1053: P [tcp sum ok] 
1:2(1) ack 1 win 32120 (DF) (ttl 43, id 33523, len 41)
0x0000	 4500 0029 82f3 4000 2b06 6529 869d 1301	E..)..@.+.e)....
0x0010	 c0a8 0d6c 0017 041d 79c3 81e6 0036 f2ad	...l....y....6..
0x0020	 5018 7d78 6bde 0000 6c00 0000 0000     	P.}xk...l.....
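To check the hand decode above, and the "[tcp sum ok]" verdict windump printed for both frames, here is an added Python example; it is not part of the original page. It parses the two hex dumps copied from this page (constructed sample input, IP packet only, since -x here omits the Ethernet header), decodes the IPv4 and TCP fields walked through in the comments, recomputes the IP header checksum and the TCP checksum with its pseudo-header (RFC 1071 one's-complement arithmetic), and separates the Ethernet padding on the second frame from real data by trusting the IP total length rather than the captured byte count. The dictionary keys and function names are my own, not windump's.

```python
"""Decode the two windump hex dumps above and re-check their IP and TCP checksums."""
import struct

# Sample input, constructed by copying the two -x dumps on this page.
# They start at the IP header: this windump's -x does not include the
# 14-byte Ethernet header (55 bytes on the wire = 14 + 41 bytes of IP).
FRAME1_HEX = ("4500 0029 a802 4000 8006 eb19 c0a8 0d6c"
              " 869d 1301 041d 0017 0036 f2ac 79c3 81e6"
              " 5018 1e3e cb19 0000 6c")
FRAME2_HEX = ("4500 0029 82f3 4000 2b06 6529 869d 1301"
              " c0a8 0d6c 0017 041d 79c3 81e6 0036 f2ad"
              " 5018 7d78 6bde 0000 6c00 0000 0000")

TCP_FLAG_BITS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bits 0..5 of the flags field


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 arithmetic: sum of 16-bit words with the carries folded back in."""
    if len(data) % 2:
        data += b"\x00"            # an odd final byte is padded with a zero for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum_ok(data: bytes) -> bool:
    """With the checksum field left in place, a valid header or segment sums to 0xFFFF."""
    return ones_complement_sum(data) == 0xFFFF


def decode_ip_tcp(hexdump: str) -> dict:
    """Return {"ip": {...}, "tcp": {...}} for one IPv4/TCP packet given as a hex dump."""
    pkt = bytes.fromhex(hexdump)
    (vi, tos, total_len, ident, flags_off, ttl, proto,
     _ip_sum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vi >> 4, (vi & 0x0F) * 4          # IHL is counted in 32-bit words
    if version != 4 or ihl < 20 or ihl > total_len or total_len > len(pkt):
        raise ValueError("not a well-formed IPv4 packet")
    ip = {
        "version": version, "ihl": ihl, "tos": tos, "total_len": total_len, "id": ident,
        "df": bool(flags_off & 0x4000), "mf": bool(flags_off & 0x2000),
        "frag_offset": (flags_off & 0x1FFF) * 8,     # 13-bit field, in units of 8 bytes
        "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "checksum_ok": checksum_ok(pkt[:ihl]),       # the IP checksum covers the header only
        # Bytes beyond Total Length are not IP data. On a short frame they are the
        # zeros Ethernet appends to reach its 60-byte minimum (frame 2 above).
        "padding": len(pkt) - total_len,
    }
    if proto != 6:
        return {"ip": ip, "tcp": None}
    seg = pkt[ihl:total_len]                         # slice by Total Length, never by capture size
    (sport, dport, seq, ack, doff_flags,
     window, _tcp_sum, urg) = struct.unpack("!HHIIHHHH", seg[:20])
    doff = (doff_flags >> 12) * 4
    flags = doff_flags & 0x3F                        # the six flag bits the page decodes
    # TCP checksum = pseudo-header (addresses, zero, protocol, TCP length) + header + data.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(seg))
    tcp = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": doff,
        "flags": [name for bit, name in enumerate(TCP_FLAG_BITS) if flags & (1 << bit)],
        "window": window, "urgent": urg, "payload": seg[doff:],
        "checksum_ok": checksum_ok(pseudo + seg),
    }
    return {"ip": ip, "tcp": tcp}


def summary_line(d: dict) -> str:
    """A numeric version of windump's summary line for a decoded TCP packet."""
    ip, tcp = d["ip"], d["tcp"]
    return "%s.%d > %s.%d: %s seq %d ack %d win %d len %d%s (ttl %d, id %d, pad %d)" % (
        ip["src"], tcp["sport"], ip["dst"], tcp["dport"], "+".join(tcp["flags"]),
        tcp["seq"], tcp["ack"], tcp["window"], len(tcp["payload"]),
        " (DF)" if ip["df"] else "", ip["ttl"], ip["id"], ip["padding"])


if __name__ == "__main__":
    for hexdump in (FRAME1_HEX, FRAME2_HEX):
        d = decode_ip_tcp(hexdump)
        print(summary_line(d),
              "ip sum ok" if d["ip"]["checksum_ok"] else "ip sum BAD",
              "tcp sum ok" if d["tcp"]["checksum_ok"] else "tcp sum BAD")
```

Run it directly to print both decoded frames. Slicing by the IP total length is the detail worth remembering when writing any sniffer or intrusion-detection logic: the second frame carries five trailing zero bytes that belong to neither TCP nor the application, and feeding them into the TCP checksum or treating them as payload would give wrong results.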