Wireshark-users: Re: [Wireshark-users] Packet Analysis captured by Wireshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 15 Apr 2009 10:24:45 -0700

On Apr 15, 2009, at 3:47 AM, Revathi Rangachari wrote:

How does one analyze the packets captured by Wireshark? The capture outputs
a certain set of data in bytes, but how do I decipher the captured data?

I believe there's a program called "Wireshark" that can read a capture file from Wireshark and dissect the captured data. :-)

Sample data is given below:

0000  17 03 01 00 31 63 2e 9f 05 9f de 92 60 2d 85 8f  ....1c......`-..
0010  db e6 29 46 dd 23 b3 c5 43 f5 9a 77 ce 03 66 6e  ..)F.#..C..w..fn
0020  c7 d0 ad 4a d7 da e1 20 cc 5e 6f 02 eb 28 16 42  ...J... .^o..(.B
0030  c3 ae d0 bb cf 09

The guide says that this data is in bytes. How to make this data meaningful?

Look at the middle pane in the Wireshark window, rather than the bottommost pane. If Wireshark doesn't display a detailed dissection in the middle pane, either it doesn't understand one or more of the protocols in the packet (in which case, to make it meaningful, somebody would have to contribute dissectors for those protocols), or it doesn't recognize that those are the protocols (in which case, to make it meaningful, Wireshark might have to be explicitly told, e.g. through the "Decode As" menu option, that those are the protocols, or the dissectors might have to be changed to try to "heuristically" recognize packets), or the data is encrypted and Wireshark isn't decrypting it (in which case, either Wireshark will have to have code added to it to decrypt the packets, or you'll have to supply the information needed to decrypt it).
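The sample in the question begins with 17 03 01 00 31, which is the shape of a TLS record-layer header (content type 23 = application data, version 3.1 = TLS 1.0, length 0x0031 = 49 bytes), so it lands in the last of Guy's three cases: the bytes are ciphertext and there is nothing below the record layer for Wireshark to dissect without key material. The Python below is an added example, not code from the thread or from Wireshark; it re-types the dump from the message (ASCII column dropped) and parses the record header to show that.

```python
import re
import struct

# Constructed from the hex bytes shown in the question; the ASCII column is dropped.
SAMPLE_DUMP = """
0000  17 03 01 00 31 63 2e 9f 05 9f de 92 60 2d 85 8f
0010  db e6 29 46 dd 23 b3 c5 43 f5 9a 77 ce 03 66 6e
0020  c7 d0 ad 4a d7 da e1 20 cc 5e 6f 02 eb 28 16 42
0030  c3 ae d0 bb cf 09
"""

# TLS record-layer content types and protocol versions (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn Wireshark-style 'offset  xx xx ...' lines back into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        parts = line.split()
        # Token 0 is the offset; at most 16 hex byte tokens follow it per row.
        out.extend(int(tok, 16) for tok in parts[1:17]
                   if re.fullmatch(r"[0-9a-fA-F]{2}", tok))
    return bytes(out)


def parse_tls_records(data: bytes) -> list:
    """Walk consecutive TLS record headers: 1-byte type, 2-byte version, 2-byte length.

    Returns one dict per record. 'complete' is False when the capture ends before
    the declared payload length, which is common for a single truncated packet."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        if ctype not in CONTENT_TYPES or major != 3:
            break  # not a TLS record header; stop rather than guess
        payload = data[pos + 5:pos + 5 + length]
        records.append({
            "content_type": CONTENT_TYPES[ctype],
            "version": VERSIONS.get((major, minor), f"unknown {major}.{minor}"),
            "length": length,
            "complete": len(payload) == length,
        })
        pos += 5 + length
    return records


if __name__ == "__main__":
    for rec in parse_tls_records(hexdump_to_bytes(SAMPLE_DUMP)):
        print(rec)  # the 49 payload bytes are ciphertext; only the header is readable
```

Wireshark's own SSL/TLS dissector can go below the record layer only if it is given the key material through its SSL protocol preferences, which is the "supply the information needed to decrypt it" case above.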