Ethereal-users: Re: [ethereal-users] Decoding packets
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: tarun@xxxxxxxxxxxxx
Date: Tue, 4 Jul 2000 07:45:59 -0500 (CDT)
Hi Guy,

Thanx for the clarifications..

when I say "Actual size" of packets... I am trying to capture the data in packets, stripped of header and other information..

when I say....

10KB File--->SSL encryption program--> Ethereal --->network
> >                                       ^
> >                             trying to find how much that
> >                             10KB file has become 10KB+??
> >                             so i capture the packets of
> >                             the encryption program and
> >                             calculate the total size of
> >                             the encrypted file.

considering there is no other compression going on in between the encryption program and the network.....

if I get all the packets that the SSL encryption program is sending ...I can add the data in all the packets (excluding all header etc) and come up with the size of the encrypted file.....(in encrypted form itself)

now if I compare the sizes of this encrypted file (the size got from adding the data in all the packets concerning the SSL encryption application) and the size of the unencrypted file (which I already have).... I should get the overhead in size that SSL encryption is adding to the file.

this is the methodology I am trying to adopt....for this I need to

1) Associate each packet I sniff to the application
2) get the actual data from each packet so that I can add the data in the packets and arrive at the size of the encrypted file.

can you give me a step by step process of doing this? and is this possible at all?

Thanx so much
Tarun

On Mon, 3 Jul 2000, Guy Harris wrote:

> On Mon, Jul 03, 2000 at 07:00:51PM -0500, tarun@xxxxxxxxxxxxx wrote:
> > Hi I am a new Ethereal user and am no guru in networking.
> > I'd like to know how one goes about associating a packet to the
> > application that is sending it?
>
> By finding out what characteristics identify packets from the
> applications in question (TCP or UDP port number, for
> example) and checking which of those characteristics a packet has.
>
> (I.e., there's no magic automatic mechanism for doing that.  One can
> guess that a packet to or from port 80, for example, is probably coming
> from a Web browser, and if you see the initial packets of the HTTP
> request, you may even be able to tell which browser it is - but there's
> no guarantee it's coming from a conventional browser; it might be coming
> from good old "Telnet to port 80", or it might be coming from a
> transparent Web proxy machine using 80 as its outgoing port, for
> example.)
>
> > and how do I get the actual data size of a packet.
>
> "Actual" in what sense?
>
> You can find out how much data is getting sent over the wire by looking
> at, for example, the first line of the protocol tree view, although the
> "XXX on wire" part includes padding, so you might want to look at the
> "Total Length" part of the IP header instead (and, if relevant, add in
> the headers above it).
>
> However, if the data is compressed, the only way to find out how much
> data was handed to the compression code would be to uncompress it
> (unless the compression format on the wire contains that data in some
> fashion), and if the data is encrypted, the only way to find out how
> much data was handed to the encryption code would be to decrypt it
> (unless the encryption format on the wire contains that data in some
> fashion).
>
> > What I am trying to do is to measure the overhead an encryption like SSL
> > puts on a file say 10KB.
> >
> > 10KB File--->SSL encryption program--> Ethereal --->network
> >                                           ^
> >                                 trying to find how much that
> >                                 10KB file has become 10KB+??
> >                                 so i capture the packets of
> >                                 the encryption program and
> >                                 calculate the total size of
> >                                 the encrypted file.
>
> As per the above, that's probably going to be hard.  If the encryption
> turns N bytes into M bytes, where N != M, you may have to decrypt the
> data to find out how much N is, unless the SSL packet format on the wire
> includes the value of N.
>

Tarun.G.Acharya
3102 dodge Street
Omaha,NE.USA
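
The measurement discussed in this thread, sketched as an added example (not code from either poster or from Ethereal): it selects packets by destination port, takes the TCP payload from the IP "Total Length" so link-layer padding is excluded, and walks the SSL/TLS record headers to total the encrypted bytes. The packets, ports 443 and 40000, and record contents are constructed, and in-order delivery without retransmissions is assumed.

```python
import struct

def tcp_payload(pkt):
    """Return (src_port, dst_port, payload) for one IPv4/TCP packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]      # IP "Total Length"
    if pkt[9] != 6:                                   # protocol field: 6 = TCP
        return None
    tcp = pkt[ihl:total_len]                          # drops link-layer padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    return sport, dport, tcp[(tcp[12] >> 4) * 4:]     # skip the TCP header

def stream_bytes(packets, port):
    """Concatenate payloads sent to `port` (assumes in order, no retransmits)."""
    parsed = (tcp_payload(p) for p in packets)
    return b"".join(r[2] for r in parsed if r and r[1] == port)

def tls_records(stream):
    """Yield (content_type, length) for each SSL/TLS record in a byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[pos:pos + 5])
        yield ctype, length
        pos += 5 + length

def make_packet(sport, dport, payload, pad=0):
    """Build a constructed IPv4/TCP packet (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload + b"\x00" * pad

def record(ctype, body):
    return struct.pack("!BHH", ctype, 0x0301, len(body)) + body

# Constructed sample: one handshake record (type 22) and two application-data
# records (type 23), split across packets; the last has 6 bytes of padding.
WIRE = record(22, b"h" * 40) + record(23, b"a" * 100) + record(23, b"b" * 60)
PACKETS = [make_packet(40000, 443, WIRE[:70]),
           make_packet(443, 40000, b"reply"),          # other direction, ignored
           make_packet(40000, 443, WIRE[70:150]),
           make_packet(40000, 443, WIRE[150:], pad=6)]

def summarize(packets, port=443):
    stream = stream_bytes(packets, port)
    recs = list(tls_records(stream))
    app = sum(n for t, n in recs if t == 23)
    return {"tcp_payload": len(stream), "records": len(recs), "app_data": app}
```

The record length field counts the encrypted fragment (M in the reply quoted above), so the overhead is the summed TCP payload minus the known size of the original file; the plaintext size N is not on the wire.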