I know of a program that can "carve" (look for) TCP IP Packets from raw binary data. The results it presents are the source and destination MAC addresses, the source and destination IP addresses and a few other bits and pieces (port numbers etc).
I'm curious to know what bits of data act as a signature\flag to identify such data amidst a mass of other binary data? The example below is one of my own IP packets from a test. First 6 bytes = Destination MAC address. Next 6 bytes, Source MAC address. 0800 is some kind of marker that I now forget. 45 AB F7 25 is one IP address, C0 A8 6F A0 one of my internal IP addresses etc.
But there's nothing before it or after it to say "Hey - this is TCP IP data". And there are hundreds of other similar examples. So how has the software found it and the others when the starting data is simply a MAC address - not something that you can easily code a program to look for (which is what I want to do myself)?
Any thoughts?
Offset     00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
000000000  00 0C 29 31 24 41 00 50 56 ED A5 46 08 00 45 00
000000016  00 28 C0 A8 00 00 80 06 0D 0E 45 AB F7 25 C0 A8
000000032  6F A0 01 BB 06 AF 7C 3E 0B 51 35 87 6B 87 50 10
000000048  FA F0 16 C2 00 00 00 00 00 00 00 00 00 00 00 00
000000064  FD 0C AC 83 FB 0A B0 41 B3 B3 F8 71 88 1F 4C 8C
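There is no magic marker; a carver finds frames by checking that the bytes at a candidate offset satisfy the structural rules of Ethernet II and IPv4 all at once. The following is an added Python example (not the tool mentioned in the question, nor code from this thread) that does exactly that over the 80 bytes of the dump above: EtherType 0x0800 at offset 12, version nibble 4, an IHL of at least 5 words that fits inside the total length, a total length that fits inside the buffer, and an IPv4 header checksum that verifies. Only then does it read the addresses and, for protocol 6, the TCP ports.

```python
import struct
from ipaddress import IPv4Address

# Constructed input: the 80 bytes from the hex dump in the question above.
SAMPLE = bytes.fromhex(
    "00 0C 29 31 24 41 00 50 56 ED A5 46 08 00 45 00 "
    "00 28 C0 A8 00 00 80 06 0D 0E 45 AB F7 25 C0 A8 "
    "6F A0 01 BB 06 AF 7C 3E 0B 51 35 87 6B 87 50 10 "
    "FA F0 16 C2 00 00 00 00 00 00 00 00 00 00 00 00 "
    "FD 0C AC 83 FB 0A B0 41 B3 B3 F8 71 88 1F 4C 8C"
)

def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; 0 means the header is intact."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def carve_frames(buf: bytes) -> list:
    """Find Ethernet II + IPv4 frames by structural validation, not a magic marker."""
    hits, i = [], 0
    while i + 14 + 20 <= len(buf):
        ip = i + 14                              # IPv4 header would start here
        ihl = (buf[ip] & 0x0F) * 4               # header length from the low nibble
        total_len = struct.unpack("!H", buf[ip + 2:ip + 4])[0]
        plausible = (
            buf[i + 12:i + 14] == b"\x08\x00"    # EtherType 0x0800 = IPv4
            and buf[ip] >> 4 == 4                # version nibble must be 4
            and 20 <= ihl <= total_len           # IHL >= 5 words and inside total length
            and ip + total_len <= len(buf)       # packet not truncated by the buffer
            and ipv4_header_checksum(buf[ip:ip + ihl]) == 0
        )
        if not plausible:
            i += 1
            continue
        rec = {
            "offset": i,
            "dst_mac": buf[i:i + 6].hex(":"),
            "src_mac": buf[i + 6:i + 12].hex(":"),
            "src_ip": str(IPv4Address(buf[ip + 12:ip + 16])),
            "dst_ip": str(IPv4Address(buf[ip + 16:ip + 20])),
            "ttl": buf[ip + 8],
            "proto": buf[ip + 9],
        }
        if rec["proto"] == 6 and total_len - ihl >= 20:   # TCP needs a 20-byte header
            tcp = ip + ihl
            rec["src_port"], rec["dst_port"] = struct.unpack("!HH", buf[tcp:tcp + 4])
            rec["tcp_flags"] = buf[tcp + 13]
        hits.append(rec)
        i = ip + total_len                       # resume after the carved packet
    return hits

if __name__ == "__main__":
    for h in carve_frames(SAMPLE):
        print(h)
```

On the dump above this yields one frame at offset 0 (443 -> 1711, ACK) and nothing in the zero padding or the unrelated bytes that follow; flipping a single header byte makes the checksum fail and the candidate is dropped, which is what keeps random data from being reported as a packet.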
Are you looking for initialization vectors? – None – 2013-04-03T22:21:40.730
If by initialization vectors, you mean the cryptographic kind, then no. I'm basically looking for a magic marker\signature for these data packets. – Gizmo_the_Great – 2013-04-03T22:24:28.390
Are you asking how the program "knows" the MAC address to look for? The NIC presents its MAC address to the system; the program likely reads this and then displays related packets. – Rain – 2013-04-03T22:44:59.767