I'm learning to read network packets in binary format, capturing with windump in Win XP, and viewing with 010 Editor. Having studied the tcpdump man page, I'm using this ...
windump -e -f -n -c 1 -i 4 -s 0 -w capture.bin
For example, I randomly captured a 62 byte SYN packet to a disk array. I've managed to decode all 62 bytes in the actual packet (ethernet, IPv4 and TCP layers). However, I just don't get how to interpret the 40 byte prefix that windump apparently added (which I am calling the record header). I know that it must include a timestamp. Anyway, the first 40 bytes are ...
0xD4 0xC3 0xB2 0xA1 0x02 0x00 0x04 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0xFF 0xFF 0x00 0x00
0x01 0x00 0x00 0x00 0x28 0xA2 0xCE 0x4B 0xA6 0x7A
0x0B 0x00 0x3E 0x00 0x00 0x00 0x3E 0x00 0x00 0x00
How do I determine the byte by byte meaning of that?
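Added example (not part of the original question): a small Python parser that reads the 40 bytes quoted above as a 24-byte libpcap global header followed by the 16-byte header of the first record, detects the file's byte order from the magic number (it also handles the big-endian and nanosecond-magic variants, which go beyond the single file in the question), and applies the length sanity checks a reader should make before trusting incl_len to size a read.

```python
import struct
from datetime import datetime, timezone

# The 40 bytes shown in the question: a 24-byte libpcap global header
# followed by the 16-byte header of the first captured record.
CAPTURE_PREFIX = bytes.fromhex(
    "D4C3B2A1" "02000400" "00000000" "00000000" "FFFF0000" "01000000"
    "28A2CE4B" "A67A0B00" "3E000000" "3E000000"
)

# libpcap magic numbers: A1B2C3D4 = microsecond timestamps, A1B23C4D = nanosecond.
# The byte order in which the magic reads correctly is the byte order of the file.
MAGICS = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}

def detect_byte_order(magic_bytes):
    """Return (struct endianness prefix, timestamp fraction units per second)."""
    for endian in ("<", ">"):
        value = struct.unpack(endian + "I", magic_bytes)[0]
        if value in MAGICS:
            return endian, MAGICS[value]
    raise ValueError("not a libpcap capture (unknown magic %s)" % magic_bytes.hex())

def parse_pcap_prefix(data):
    """Decode the global header and first record header of a pcap byte string."""
    if len(data) < 40:
        raise ValueError("need at least 40 bytes (24 global + 16 record header)")
    endian, units = detect_byte_order(data[:4])
    # Global header: magic, version major/minor, GMT offset, sigfigs, snaplen, link type
    _, major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    # Record header: seconds, fractional seconds, bytes saved in file, bytes on the wire
    ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[24:40])
    # Checks a robust reader performs before using incl_len to allocate or read:
    # a record cannot hold more than snaplen bytes, nor more than were on the wire.
    if incl_len > snaplen or incl_len > orig_len:
        raise ValueError("malformed record header: incl_len %d exceeds snaplen/orig_len" % incl_len)
    return {
        "byte_order": "little-endian" if endian == "<" else "big-endian",
        "version": (major, minor),
        "thiszone": thiszone, "sigfigs": sigfigs,
        "snaplen": snaplen, "linktype": linktype,  # 1 = LINKTYPE_ETHERNET
        "ts_sec": ts_sec, "ts_frac": ts_frac,
        "timestamp_utc": datetime.fromtimestamp(ts_sec + ts_frac / units, tz=timezone.utc).isoformat(),
        "incl_len": incl_len, "orig_len": orig_len,
    }

if __name__ == "__main__":
    for key, value in parse_pcap_prefix(CAPTURE_PREFIX).items():
        print("%-14s %s" % (key, value))
```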