Ethereal-users: Re: [ethereal-users] Decoding packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Mon, 3 Jul 2000 18:01:39 -0700
On Mon, Jul 03, 2000 at 07:00:51PM -0500, tarun@xxxxxxxxxxxxx wrote:
> Hi, I am a new Ethereal user and am no guru in networking.
> I'd like to know how one goes about associating a packet to the
> application that is sending it?

By finding out what characteristics identify packets from the
applications in question (TCP or UDP port number, for example) and
checking which of those characteristics a packet has.

(I.e., there's no magic automatic mechanism for doing that.  One can
guess that a packet to or from port 80, for example, is probably coming
from a Web browser, and if you see the initial packets of the HTTP
request, you may even be able to tell which browser it is - but there's
no guarantee it's coming from a conventional browser; it might be coming
from good old "Telnet to port 80", or it might be coming from a
transparent Web proxy machine using 80 as its outgoing port, for
example.)

> and how do I get the actual data size of a packet.

"Actual" in what sense?

You can find out how much data is getting sent over the wire by looking
at, for example, the first line of the protocol tree view, although the
"XXX on wire" part includes padding, so you might want to look at the
"Total Length" part of the IP header instead (and, if relevant, add in
the headers above it).

However, if the data is compressed, the only way to find out how much
data was handed to the compression code would be to uncompress it
(unless the compression format on the wire contains that data in some
fashion), and if the data is encrypted, the only way to find out how
much data was handed to the encryption code would be to decrypt it
(unless the encryption format on the wire contains that data in some
fashion).

> What I am trying to do is to measure the overhead an encryption like SSL
> puts on a file say 10KB.
> 
> 10KB File--->SSL encryption program--> Ethereal --->network
>                                           ^
>                                           trying to find how much that
>                                           10KB file has become 10KB+??
>                                           so i capture the packets of
>                                           the encryption program and
>                                           calculate the total size of 
>                                           the encrypted file.

As per the above, that's probably going to be hard.  If the encryption
turns N bytes into M bytes, where N != M, you may have to decrypt the
data to find out how much N is, unless the SSL packet format on the wire
includes the value of N.
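As an added illustration of the two size measurements discussed in this reply (it is example code written for this archive page, not code from Guy Harris or from the Ethereal project), the script below builds a constructed Ethernet/IPv4/TCP frame carrying SSL/TLS records, then reports the frame size (what a "bytes on wire" line counts, link-layer padding included), the IP Total Length, the TCP payload size, and the per-record lengths taken from the 5-byte TLS record headers. The addresses, ports, zeroed checksums, record bodies and the 256-byte padding are all sample values chosen for the example; the record length field is the on-wire (M) size of each record body, so the plaintext size N still cannot be read from the headers, which is exactly the point made above.

```python
import struct

ETH_HDR_LEN = 14          # constructed frame carries no VLAN tag
TLS_RECORD_HDR_LEN = 5    # content type (1) + version (2) + length (2)


def build_frame(tcp_payload: bytes, pad_to: int = 0) -> bytes:
    """Build a constructed Ethernet/IPv4/TCP frame around tcp_payload.

    Addresses and ports are sample values and checksums are left at zero:
    the frame is only parsed here, never sent.  pad_to appends zero bytes
    after the IP datagram, mimicking link-layer padding that a "bytes on
    wire" figure counts but the IP Total Length field does not."""
    eth = b"\x00" * 12 + b"\x08\x00"                  # dst MAC, src MAC, EtherType IPv4
    total_length = 20 + 20 + len(tcp_payload)         # IPv4 hdr + TCP hdr + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_length, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 443, 40000, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    frame = eth + ip + tcp + tcp_payload
    if len(frame) < pad_to:
        frame += b"\x00" * (pad_to - len(frame))
    return frame


def ip_total_length(frame: bytes) -> int:
    """Read the IPv4 Total Length field (bytes 2-3 of the IP header)."""
    return struct.unpack_from("!H", frame, ETH_HDR_LEN + 2)[0]


def tcp_payload_of(frame: bytes) -> bytes:
    """Slice out the TCP payload using IP Total Length plus the IP and TCP
    header lengths, so any link-layer padding is excluded."""
    ip_off = ETH_HDR_LEN
    ihl = (frame[ip_off] & 0x0F) * 4                  # IP header length in bytes
    tcp_off = ip_off + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4         # TCP header length in bytes
    return frame[tcp_off + data_off: ip_off + ip_total_length(frame)]


def tls_record(content_type: int, body: bytes) -> bytes:
    """Wrap body in a TLS record header (version 3.1, i.e. TLS 1.0)."""
    return struct.pack("!BHH", content_type, 0x0301, len(body)) + body


def parse_tls_records(data: bytes) -> list:
    """Return [(content_type, body_length), ...] for the records in data.
    body_length is the on-wire record size; for encrypted records that is
    ciphertext plus MAC and padding, not the plaintext size."""
    records, off = [], 0
    while off + TLS_RECORD_HDR_LEN <= len(data):
        ctype, _version, length = struct.unpack_from("!BHH", data, off)
        off += TLS_RECORD_HDR_LEN
        if off + length > len(data):
            raise ValueError("truncated TLS record at offset %d" % off)
        records.append((ctype, length))
        off += length
    if off != len(data):
        raise ValueError("trailing bytes after last TLS record")
    return records


def size_report(frame: bytes) -> dict:
    """Collect the different 'size' numbers one can read off a frame."""
    payload = tcp_payload_of(frame)
    records = parse_tls_records(payload)
    return {
        "frame_bytes": len(frame),                    # what "on wire" counts
        "ip_total_length": ip_total_length(frame),    # IP hdr + TCP hdr + payload
        "tcp_payload_bytes": len(payload),
        "tls_record_count": len(records),
        "tls_header_bytes": TLS_RECORD_HDR_LEN * len(records),
        "tls_record_body_bytes": sum(n for _, n in records),
    }


# Constructed sample: a 40-byte handshake record (type 22) followed by a
# 100-byte application-data record (type 23), padded to 256 bytes.
SAMPLE_FRAME = build_frame(
    tls_record(22, b"\x0e" * 40) + tls_record(23, b"\xaa" * 100), pad_to=256)

if __name__ == "__main__":
    for key, value in size_report(SAMPLE_FRAME).items():
        print("%-24s %d" % (key, value))
```

Summing `tls_record_body_bytes` over a whole capture gives the encrypted size M of the transferred file; comparing it with the known 10KB input gives the SSL overhead without decrypting anything, but only because the input size is known in advance.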