
interpret or decode this

Status
Not open for further replies.

winston6071

Programmer
Nov 22, 2000
52
AT
Hello, is anyone able to interpret this packet, or tell me how to decode it?

It's uninterpreted and therefore I cannot say what was requested from the client.

0000 00 00 0c 07 ac 01 00 1a 4b 7c 06 1a 08 00 45 00 ........K|....E.
0010 00 b8 1c 54 40 00 80 06 2a ac 0a 81 3b 39 0a 81 ...T@...*...;9..
0020 63 05 05 46 04 02 8e 01 df 28 61 44 ef d0 50 18 c..F.....(aD..P.
0030 fd 4f 0a f3 00 00 05 00 00 03 10 00 00 00 90 00 .O..............
0040 20 00 08 00 00 00 44 00 00 00 01 00 4d 00 8f 67 .....D.....M..g
0050 89 aa 3d 24 8a b9 ef cd 3f 51 43 b3 41 a2 e4 5c ..=$....?QC.A..\
0060 b6 9b 27 13 da a4 05 53 77 92 12 b2 2e 9b be 05 ..'....Sw.......
0070 74 ab a1 5a e8 e8 70 1f ce 44 b9 6f 12 7b 83 8f t..Z..p..D.o.{..
0080 4a d4 5d b1 6e 20 b0 cc cd 29 d4 f3 f9 c7 8b 7e J.].n ...).....~
0090 e0 cb 18 66 6e d4 b6 68 fa 8d 26 61 64 ad 44 06 ...fn..h..&ad.D.
00a0 0c 00 78 59 0e 00 77 00 7a 00 ff ff 00 00 b9 5a ..xY..w.z......Z
00b0 b1 f6 fe cf a3 de 4d 40 ad 37 07 bb a0 cc 14 4d ......M@.7.....M
00c0 57 8a 94 cb 86 2c W....,
 
wow, never had to try and decode something this way. Within the sniffer application itself it should have been able to break this down for you better.

But here is a start:
(line 0000)
00 00 0c 07 ac 01 = destination MAC
00 1a 4b 7c 06 1a = source MAC
08 00 = type IP

(line 0010)
06 = TCP
0a 81 3b 39 = source IP (10.129.59.57?)
0a 81 63 05 = destination IP (10.129.99.5?)


(line 0020)
05 46 = tcp source port 570?
04 02 = tcp dest port 42?
18 = flags: push ack

Hope this helps. I'm not familiar with ports 42 or 570, if those are decoded correctly.
 
hi lerdalt

My fault :) Sorry, yes, sure, the header and stuff is decoded by the sniffer, right. But it shows that you are fit ^^

I would need the data from 0040 ---> 8f 67 until 0090 --> 64 ad

The problem is that this seems to be encrypted, so the question is how I can get into it.

It's an LSA request from a client, which is waiting around 45 sec for the DC, so if I knew what is requested I could solve the problem.

Another possible way might be to have a debug option at DC level, but I think this will become a nightmare, so I keep hoping to decrypt the data somehow.

cheers joe
 
I'd suggest opening the trace in Wireshark, going to that packet, right-clicking, and selecting "Follow TCP Stream". That might give you a little something more.
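A script that walks the posted frame the way lerdalt did and then on into the DCE/RPC request that starts at offset 0x36 (an added example written for this thread, not code from any of the posts). It parses the Ethernet, IPv4 and TCP headers, then the RPC header, context id, opnum and the sec_trailer at the end of the fragment, and isolates the 80 sealed bytes (8f 67 ... 64 ad) Joe asked about; the bind that mapped context id 1 to an interface is not in the dump, so the opnum is reported only as a number.

```python
import struct

# The frame posted in the thread above: offset plus the 16 hex bytes (ASCII gutter dropped).
DUMP = """
0000 00 00 0c 07 ac 01 00 1a 4b 7c 06 1a 08 00 45 00
0010 00 b8 1c 54 40 00 80 06 2a ac 0a 81 3b 39 0a 81
0020 63 05 05 46 04 02 8e 01 df 28 61 44 ef d0 50 18
0030 fd 4f 0a f3 00 00 05 00 00 03 10 00 00 00 90 00
0040 20 00 08 00 00 00 44 00 00 00 01 00 4d 00 8f 67
0050 89 aa 3d 24 8a b9 ef cd 3f 51 43 b3 41 a2 e4 5c
0060 b6 9b 27 13 da a4 05 53 77 92 12 b2 2e 9b be 05
0070 74 ab a1 5a e8 e8 70 1f ce 44 b9 6f 12 7b 83 8f
0080 4a d4 5d b1 6e 20 b0 cc cd 29 d4 f3 f9 c7 8b 7e
0090 e0 cb 18 66 6e d4 b6 68 fa 8d 26 61 64 ad 44 06
00a0 0c 00 78 59 0e 00 77 00 7a 00 ff ff 00 00 b9 5a
00b0 b1 f6 fe cf a3 de 4d 40 ad 37 07 bb a0 cc 14 4d
00c0 57 8a 94 cb 86 2c
"""

def parse_dump(text):
    """Turn 'offset b0 b1 ...' lines into one bytes object."""
    return b"".join(bytes.fromhex("".join(ln.split()[1:]))
                    for ln in text.splitlines() if ln.strip())

def decode(frame):
    """Walk Ethernet -> IPv4 -> TCP -> DCE/RPC request and collect the fields."""
    r = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":")}
    assert frame[12:14] == b"\x08\x00", "not IPv4"
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    assert proto == 6, "not TCP"
    r["src_ip"] = ".".join(map(str, ip[12:16]))
    r["dst_ip"] = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    r["sport"], r["dport"] = struct.unpack("!HH", tcp[0:4])   # 0x0546, 0x0402 big-endian
    r["flags"] = [n for b, n in ((0x08, "PSH"), (0x10, "ACK"), (0x02, "SYN"), (0x01, "FIN")) if tcp[13] & b]
    pdu = tcp[(tcp[12] >> 4) * 4:]               # TCP payload = one DCE/RPC fragment
    # Connection-oriented RPC header; drep byte 0x10 means little-endian integers.
    _, _, r["ptype"], _, _, frag_len, auth_len, r["call_id"] = struct.unpack("<BBBB4sHHI", pdu[:16])
    r["alloc_hint"], r["ctx_id"], r["opnum"] = struct.unpack("<IHH", pdu[16:24])
    # The 8-byte sec_trailer sits auth_len bytes before the end of the fragment.
    trailer = pdu[frag_len - auth_len - 8:frag_len]
    r["auth_type"], r["auth_level"], r["pad_len"] = trailer[0], trailer[1], trailer[2]
    # Sealed region = stub data plus pad_len alignment bytes (8f 67 ... 64 ad here).
    r["sealed"] = pdu[24:frag_len - auth_len - 8]
    r["auth_value"] = trailer[8:]                 # auth_len bytes of verifier
    return r

if __name__ == "__main__":
    print(decode(parse_dump(DUMP)))
```

Auth type 0x44 is RPC_C_AUTHN_NETLOGON and auth level 6 is packet privacy, so the sealed region is encrypted under the client's secure-channel session key and cannot be read back from the dump alone; the readable facts are the opnum, call id and the NL_AUTH_SIGNATURE trailer (0x0077 HMAC-MD5 signing, 0x007A RC4 sealing), which is what to correlate with the DC's own logs for that 45 sec wait.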

 