TCP\IP Packet Signature - how to identify such data packets?

1

I know of a program that can "carve" (look for) TCP IP Packets from raw binary data. The results it presents are the source and destination MAC addresses, the source and destination IP addresses and a few other bits and pieces (port numbers etc).

I'm curious to know what bits of data act as a signature\flag to identify such data amidst a mass of other binary data? The example below is one of my own IP packets from a test. First 6 bytes = Destination MAC address. Next 6 bytes, Source MAC address. 0800 is some kind of marker that I now forget. 45 AB F7 25 is one IP address, C0 A8 6F A0 one of my internal IP addresses etc.

But there's nothing before it or after it to say "Hey - this is TCP IP data". And there are hundreds of other similar examples. So how has the software found it and the others when the starting data is simply a MAC address - not something that you can easily code a program to look for (which is what I want to do myself)?

Any thoughts?

Offset       0  1  2  3  4  5  6  7   8  9 10 11 12 13 14 15

000000000   00 0C 29 31 24 41 00 50  56 ED A5 46 08 00 45 00     )1$A PVí¥F  E 
000000016   00 28 C0 A8 00 00 80 06  0D 0E 45 AB F7 25 C0 A8    (À¨  €   E«÷%À¨
000000032   6F A0 01 BB 06 AF 7C 3E  0B 51 35 87 6B 87 50 10   o  » ¯|> Q5‡k‡P 
000000048   FA F0 16 C2 00 00 00 00  00 00 00 00 00 00 00 00   úð Â            
000000064   FD 0C AC 83 FB 0A B0 41  B3 B3 F8 71 88 1F 4C 8C   ý ¬ƒû °A³³øqˆ LŒ

Gizmo_the_Great

Posted 2013-04-03T21:50:39.007

Reputation: 493

are you looking for initialization vectors? – None – 2013-04-03T22:21:40.730

If by initialization vectors, you mean the cryptographic kind, then no. I'm basically looking for a magic marker\signature for these data packets. – Gizmo_the_Great – 2013-04-03T22:24:28.390

Are you asking how the program "knows" the MAC address to look for? The NIC presents its MAC address to the system; the program likely reads this and then displays related packets. – Rain – 2013-04-03T22:44:59.767

Answers

1

My suggestion: download and capture some data with Wireshark. Make sure you have the packet list, packet details and packet bytes view options enabled and start clicking on packets. In the packet detail section, you can click on the L2, L3, and L4 sections of the packet and it will highlight the bytes that correlate to whatever you have selected.

Then start by doing some searching online to learn about ethernet headers/encapsulation, IP headers, TCP headers and the like. Wikipedia is often a good jumping off point for topics like this but there are hundreds of resources online. I did a quick search looking for an image that represents how the ethernet frame is ultimately built and found this one that is pretty good: http://www.tcpipguide.com/free/t_IPDatagramEncapsulation.htm

Haven't read the content, but between resources like that and starting to play with the parts of the frame in a tool like Wireshark, you will find there is a definite structure to the binary data and it becomes fairly easy to tell apart.

YLearn

Posted 2013-04-03T21:50:39.007

Reputation: 1 741

From the bit of "raw binary data" it does seem like it was captured with Wireshark. – Darius – 2013-04-03T22:55:20.427

Clearly, and I didn't say to use his existing data with Wireshark, however if the OP wants to learn how to read the raw data, they need to start somewhere. Wireshark is a great tool to start learning this and to see how the parts are put together. – YLearn – 2013-04-03T23:23:33.570

Agreed... Wireshark is a very good tool. I wish I knew it better :) – Darius – 2013-04-03T23:25:46.910

Thanks. I have already read the various papers on TCP\IP packet structure and I am familiar with the hex breakdown, as stated above. What I need to know is how these packets can be "spotted" amidst raw captured data when you don't know in advance the MAC addresses, the IP addresses etc. It is obviously possible as it is done by the software used to present that hex shot above. I want to work out how they do it. – Gizmo_the_Great – 2013-04-04T15:04:34.800

To answer what you are asking, you need to get down to the mechanics of L1 signalling and this is different for each L1 medium. Once you get to L2, a frame is a frame. For example, it doesn't matter to L2 Ethernet if the L1 medium was fiber or copper or RF, as long as when it sends a frame down to L1 the L1 on the other side delivers a frame to L2. Network traffic is not just random binary data, it is very structured binary data. – YLearn – 2013-04-04T16:37:37.227

0

Bytes 13,14,15 are the IPv4 or IPv6 markers. In your screenshot provided, it's 00 45 00, so you have an IPv4 packet.

For IPv4 Packet, you look at the 23rd Byte. It's 06, so you have TCP packet. If it's 11, you have a UDP packet.

For IPv6 packet, it's the 20th byte.

Benny

Posted 2013-04-03T21:50:39.007

Reputation: 1
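Putting the two answers above into code, as an added example (this is not code from anyone in the thread): the carver scans a raw blob at every byte offset and treats the fixed-position fields after the MAC addresses as the signature, namely the EtherType bytes 08 00 at frame offsets 12-13, the IPv4 version nibble in the 45 byte at offset 14 and, decisively, an IPv4 header checksum that verifies. The MAC addresses, IP addresses, protocol byte (offset 23) and ports are read out of a hit afterwards, never searched for. The sample blob is the hex dump from the question retyped as bytes and wrapped in constructed filler; the names carve_frames, ipv4_header_checksum, NOISE and SAMPLE_BLOB are my own.

```python
import struct

# Hex columns of the dump in the question, retyped as bytes (the ASCII gutter is left out).
QUESTION_DUMP = bytes.fromhex(
    "000C293124410050" "56EDA54608004500"
    "0028C0A800008006" "0D0E45ABF725C0A8"
    "6FA001BB06AF7C3E" "0B5135876B875010"
    "FAF016C200000000" "0000000000000000"
    "FD0CAC83FB0AB041" "B3B3F871881F4C8C"
)

# Constructed filler so the frame sits "amidst a mass of other binary data".
NOISE = b"\x00" * 7 + b"not a packet, just filler bytes"
SAMPLE_BLOB = NOISE + QUESTION_DUMP + NOISE

ETHERTYPE_IPV4 = b"\x08\x00"          # bytes 12-13 of an Ethernet II frame
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 1071).
    With the checksum field left in place, an intact header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def carve_frames(blob: bytes) -> list:
    """Scan every byte offset for an Ethernet II + IPv4 header whose checksum verifies.
    The MAC addresses are not the signature; the fixed-position fields after them are."""
    hits = []
    i = 0
    while i + 34 <= len(blob):             # 14-byte Ethernet header + minimal 20-byte IPv4 header
        ip_start = i + 14
        if blob[i + 12:i + 14] != ETHERTYPE_IPV4 or blob[ip_start] >> 4 != 4:
            i += 1
            continue
        ihl = (blob[ip_start] & 0x0F) * 4  # IPv4 header length in bytes, legal range 20..60
        ip_hdr = blob[ip_start:ip_start + ihl]
        total_len = struct.unpack("!H", blob[ip_start + 2:ip_start + 4])[0]
        plausible = (ihl >= 20 and len(ip_hdr) == ihl and total_len >= ihl
                     and ipv4_header_checksum(ip_hdr) == 0)
        if not plausible:
            i += 1
            continue
        proto = ip_hdr[9]                  # frame offset 23 for a 20-byte header
        hit = {
            "offset": i,
            "dst_mac": ":".join("%02x" % b for b in blob[i:i + 6]),
            "src_mac": ":".join("%02x" % b for b in blob[i + 6:i + 12]),
            "src_ip": ".".join(str(b) for b in ip_hdr[12:16]),
            "dst_ip": ".".join(str(b) for b in ip_hdr[16:20]),
            "ttl": ip_hdr[8],
            "protocol": IP_PROTOCOLS.get(proto, str(proto)),
            "ip_total_length": total_len,
        }
        l4 = blob[ip_start + ihl:ip_start + ihl + 4]
        if proto in (6, 17) and len(l4) == 4:  # TCP and UDP both start with src/dst port
            hit["src_port"], hit["dst_port"] = struct.unpack("!HH", l4)
        hits.append(hit)
        i = ip_start + total_len           # resume after this packet (payload may be truncated)
    return hits


if __name__ == "__main__":
    for frame in carve_frames(SAMPLE_BLOB):
        print(frame)
```

The checksum is what keeps false positives down: the three bytes 08 00 45 will turn up by chance in a large blob, but a window that also one's-complement-sums to 0xFFFF over the following 20 bytes rarely does. IPv6 (EtherType 86 DD) carries no header checksum, so a carver for it has to lean on the version nibble, the payload-length field and a plausible next-header value instead, which is why practical carvers validate further up the stack (TCP or UDP checksum over the pseudo-header) before trusting a hit.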