If there are just raw frames, and all of them contain IP packets, you should be able to recognize frame boundaries by looking for the MAC address and IP address of the interface (which you should know) and one of two Ethertype values.

So you would look for the following patterns in the data (mm:mm:mm:mm:mm:mm is your interface's MAC address, ii:ii:ii:ii is your interface's IPv4 address, and bb:bb:bb:bb is your interface subnet's broadcast address):

ff:ff:ff:ff:ff:ff:(any six bytes):08:00:(any 16 bytes):bb:bb:bb:bb
This is the beginning of an IPv4 packet sent to a broadcast address of your interface.

ff:ff:ff:ff:ff:ff:(any six bytes):08:06:(any 24 bytes):ii:ii:ii:ii
These are ARP requests sent to your interface.

(any six bytes):mm:mm:mm:mm:mm:mm:08:06:(any 14 bytes):ii:ii:ii:ii
This is an ARP request sent by your interface.

The other two cases to look for are the beginning of an IPv4 packet sent by your interface and the beginning of an IPv4 packet sent to the individual address of your interface.

The longer the patterns you are able to check, the higher the chance that you can determine the frame beginnings properly.
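The pattern search described above, written as a scanner over a raw byte buffer. This is an added example, not code from the original page: the function names, labels and sample addresses are hypothetical, untagged Ethernet II frames are assumed, and the two unicast IPv4 checks are derived from the standard IPv4 header offsets (source at 12, destination at 16) rather than from the byte patterns listed on the page.

```python
BCAST_MAC = b"\xff" * 6

def classify(buf, off, mac, ip, bcast_ip):
    """Label the frame starting at off, or return None if no pattern matches."""
    dst, src, etype = buf[off:off + 6], buf[off + 6:off + 12], buf[off + 12:off + 14]
    pay = off + 14  # first byte after the Ethertype (assumes no VLAN tag)
    if etype == b"\x08\x00":  # IPv4: source at header offset 12, destination at 16
        ip_src, ip_dst = buf[pay + 12:pay + 16], buf[pay + 16:pay + 20]
        if src == mac and ip_src == ip:
            return "ipv4-sent"
        if dst == mac and ip_dst == ip:
            return "ipv4-to-unicast"
        if dst == BCAST_MAC and ip_dst == bcast_ip:
            return "ipv4-to-broadcast"
    elif etype == b"\x08\x06":  # ARP: sender IP at offset 14, target IP at 24
        sender_ip, target_ip = buf[pay + 14:pay + 18], buf[pay + 24:pay + 28]
        if src == mac and sender_ip == ip:
            return "arp-sent"
        if dst == BCAST_MAC and target_ip == ip:
            return "arp-request-to-us"
    return None

def find_frame_starts(buf, mac, ip, bcast_ip):
    """Try every byte offset; short slices near the end simply fail to match."""
    hits = [(off, classify(buf, off, mac, ip, bcast_ip)) for off in range(len(buf))]
    return [(off, label) for off, label in hits if label]

# Constructed sample data (not a real capture): addresses from RFC 5737 space.
MAC, PEER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
IP, PEER_IP, BCAST_IP = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]), bytes([192, 0, 2, 255])

def ipv4_frame(dst_mac, src_mac, ip_src, ip_dst):
    header = bytes.fromhex("4500001c0000000040110000") + ip_src + ip_dst
    return dst_mac + src_mac + b"\x08\x00" + header + b"payload!"

def arp_request(src_mac, sender_ip, target_ip):
    arp = bytes.fromhex("0001080006040001") + src_mac + sender_ip + bytes(6) + target_ip
    return BCAST_MAC + src_mac + b"\x08\x06" + arp

SAMPLE = (b"\xde\xad\xbe\xef\x00"                       # leading junk
          + ipv4_frame(PEER_MAC, MAC, IP, PEER_IP)       # sent by us
          + arp_request(PEER_MAC, PEER_IP, IP)           # ARP request to us
          + ipv4_frame(BCAST_MAC, PEER_MAC, PEER_IP, BCAST_IP))

if __name__ == "__main__":
    for off, label in find_frame_starts(SAMPLE, MAC, IP, BCAST_IP):
        print(off, label)
```

Requiring the MAC, the Ethertype and the IP address to agree at their fixed offsets is what keeps stray 08:00 byte pairs inside payloads from being reported as frame starts.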