Example Packet Decodes

Students are expected to know how to decode packets using the packet header chart provided. The chart gives the format for a set of well-known protocols. The packet decodes below may help you check your understanding of how to decode packets from their hexadecimal representation.

There is a simple self-test (with a worked solution) and also a sample copy of the class test (with 2 sample packets of the form that will be used in that class assessment).

Twelve packets are shown from communication between an imaginary remote computer called "client" and a computer known as "server". The client is linked to the server via an Ethernet LAN and a default router (a Cisco router, known as "gateway"). The packets are recorded at the client.

Three activities were recorded:

  1. Exchange of ICMP ECHO messages
  2. TCP connection set-up and clear-down
  3. Transmission of a single UDP packet

The ARP cache of the client is also shown below:

client# arp -a
Net to Media Table
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   gateway              255.255.255.255       00:e0:f7:26:3f:e9
hme0   client               255.255.255.255 SP    08:00:20:86:35:4b
hme0   224.0.0.0            240.0.0.0       SM    01:00:5e:00:00:00

This shows the physical (MAC) address of the default router (gateway) and the physical (MAC) address of the client itself. Although the examples consider only unicast (communication between a pair of nodes), it may be seen that the IP multicast address 224.0.0.0 has also been associated with a multicast Ethernet address - one that has the first bit set on transmission (i.e. the least significant bit of the first byte).


The packet decodes may be viewed by clicking on each of the lines in the following list:

  1   0.00000   client -> vcs.abdn.ac.uk ICMP Echo request
  2   0.00322 server.abdn.ac.uk -> client   ICMP Echo reply
  3  11.92082   client -> server.abdn.ac.uk TELNET C port=36869
  4   0.00220 server.abdn.ac.uk -> client   TELNET R port=36869
  5   0.00005   client -> server.abdn.ac.uk TELNET C port=36869
  6   0.01359   client -> server.abdn.ac.uk TELNET C port=36869
  7   0.04656 server.abdn.ac.uk -> client   TELNET R port=36869
  8   7.07954   client -> server.abdn.ac.uk TELNET C port=36869
  9   0.00193 server.abdn.ac.uk -> client   TELNET R port=36869
 10   1.09704 server.abdn.ac.uk -> client   TELNET R port=36869
 11   0.00007   client -> server.abdn.ac.uk TELNET C port=36869
 12 152.51269   client -> server.abdn.ac.uk UDP D=1087 S=39376 LEN=18
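
The following is an added example, not part of the original page: a minimal decoder that walks a hexadecimal frame through the Ethernet, IPv4 and ICMP headers in the same order as a manual decode, and tests the group (multicast) bit described above. The frame is constructed for illustration, reusing the client and gateway MAC addresses from the ARP cache; the IP addresses, the header field values and all function names are assumptions.

```python
import struct

# Constructed sample frame (not taken from the page's capture): an ICMP echo
# request using the client and gateway MACs from the ARP cache above. The IP
# addresses (192.0.2.10 -> 192.0.2.20) are assumed documentation addresses.
FRAME_HEX = (
    "00e0f7263fe9" "08002086354b" "0800"              # Ethernet dst, src, type
    "4500001c12340000ff01258e" "c000020a" "c0000214"  # IPv4 header (20 bytes)
    "0800f7fe00010000"                                # ICMP echo request
)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def is_group(mac_bytes):
    # Multicast/broadcast flag: least significant bit of the first byte.
    return bool(mac_bytes[0] & 0x01)

def checksum_ok(data):
    # Internet checksum: one's-complement sum of 16-bit words must be 0xffff.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(frame_hex):
    raw = bytes.fromhex(frame_hex)
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    out = {"eth_dst": mac(raw[0:6]), "eth_src": mac(raw[6:12]),
           "eth_type": struct.unpack("!H", raw[12:14])[0],
           "dst_is_group": is_group(raw[0:6])}
    if out["eth_type"] != 0x0800:
        return out                              # not IPv4: stop at link layer
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0       # IHL counts 32-bit words
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    total_len, ttl, proto = struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    out.update(ip_version=ip[0] >> 4, ip_total_len=total_len, ip_ttl=ttl,
               ip_proto=proto, ip_checksum_ok=checksum_ok(ip[:ihl]),
               ip_src=".".join(map(str, ip[12:16])),
               ip_dst=".".join(map(str, ip[16:20])))
    if proto == 1 and total_len >= ihl + 4 and len(ip) >= total_len:
        icmp = ip[ihl:total_len]                # ICMP checksum covers it all
        out.update(icmp_type=icmp[0], icmp_code=icmp[1],
                   icmp_checksum_ok=checksum_ok(icmp))
    return out
```

Calling decode(FRAME_HEX) returns a dictionary of the decoded fields; a frame whose header bytes have been altered decodes with ip_checksum_ok set to False.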