Introduction to Data Communications

36i. Packet Sniffing

A packet sniffer captures packets from the Ethernet bus. To do this, the network interface card (NIC) operates in a mode called promiscuous mode. Promiscuous mode means that the NIC can look at all traffic on the wire, not just traffic addressed to itself. Normally, the NIC ignores all traffic except for packets addressed to itself, multicast packets and broadcast packets.

The following captured packet is displayed in raw format. Raw format shows each byte as a two-digit hexadecimal number, 16 bytes to a row.


FF  FF  FF  FF  FF  FF  00  20  AF  10  9A  C0  00  25  E0  E0
03  FF  FF  00  22  00  11  00  00  00  00  FF  FF  FF  FF  FF
FF  04  52  00  00  00  00  00  20  AF  10  9A  C0  40  0B  00
01  00  04  00  00  00  00  00  00  00  00  00

Raw Captured Packet

Raw captured packets do not display the Preamble, Start Frame Delimiter and Frame Check Sequence fields. These fields are used to inform the receiving station of a new frame and for error checking, and are stripped by the NIC before the frame is handed to the sniffer.

The breakdown of the packet according to the Ethernet MAC frame format is as follows:

1st 6 bytes:    FF-FF-FF-FF-FF-FF   Destination MAC address
2nd 6 bytes:    00-20-AF-10-9A-C0   Source MAC address
Next 2 bytes:   00-25               Length/Type field - IEEE 802.3 frame
Next 37 bytes:  E0 E0 03 ... 00 04  Data
Last 9 bytes:   all 00s             Pad

The length of the data in the Info field is 0025h, or 37 bytes. The minimum Info field size is 46 bytes, so the data is padded with 9 bytes of 00h.

The Length/Type field value is less than 05DCh (1500 in decimal), which indicates that it is an Ethernet_802.2 frame (IEEE 802.3) with a Logical Link Control layer (covered later) between the MAC layer and the Network layer.

If the value were 0800h, it would indicate an Ethernet_II frame used for TCP/IP.

If it were 8137h, it would indicate an Ethernet_802.3 (raw) frame used by pre-3.12 NetWare.

The complete listing of the Length/Type field assignments is covered in Appendix C Ethernet Type Field.
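As an added example (not code from the original text), the following Python applies the breakdown above to the captured packet: it splits the raw dump into the MAC fields, uses the Length/Type rule (a value at or below 05DCh is a length) to separate data from pad, and checks the 46-byte minimum Info field size. The MacFrame field names and the labels returned by classify() are this example's own; type values other than 0800h are simply reported for lookup in Appendix C.

```python
from dataclasses import dataclass
# Constructed copy of the captured packet shown on the page (60 bytes).
RAW_DUMP = """
FF FF FF FF FF FF 00 20 AF 10 9A C0 00 25 E0 E0
03 FF FF 00 22 00 11 00 00 00 00 FF FF FF FF FF
FF 04 52 00 00 00 00 00 20 AF 10 9A C0 40 0B 00
01 00 04 00 00 00 00 00 00 00 00 00
"""
MIN_INFO = 46        # minimum size of the Info field (data + pad), in bytes
MAX_LENGTH = 0x05DC  # 1500: a Length/Type value at or below this is a length

@dataclass
class MacFrame:
    dst: str          # destination MAC as "FF-FF-FF-FF-FF-FF"
    src: str          # source MAC
    length_type: int  # raw 16-bit Length/Type value
    kind: str         # label from classify()
    data: bytes       # Info field bytes that carry data
    pad: bytes        # trailing 00h padding

def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)

def classify(length_type: int) -> str:
    """Length/Type rule from the text; the labels are this example's own."""
    if length_type <= MAX_LENGTH:
        return "IEEE 802.3 (length field; LLC header follows)"
    if length_type == 0x0800:
        return "Ethernet_II (IP)"
    return f"Ethernet_II (type {length_type:04X}h, see Appendix C)"

def expected_pad(data_len: int) -> int:
    """00h bytes needed to bring the Info field up to MIN_INFO."""
    return max(0, MIN_INFO - data_len)

def parse_frame(dump: str) -> MacFrame:
    frame = bytes.fromhex("".join(dump.split()))
    if len(frame) < 14:
        raise ValueError("shorter than the 14-byte MAC header")
    length_type = int.from_bytes(frame[12:14], "big")
    info = frame[14:]
    if length_type <= MAX_LENGTH:
        if length_type > len(info):
            raise ValueError("length field exceeds captured Info field")
        data, pad = info[:length_type], info[length_type:]  # rest is pad
    else:
        data, pad = info, b""  # type field: nothing says where pad starts
    return MacFrame(mac_str(frame[:6]), mac_str(frame[6:12]),
                    length_type, classify(length_type), data, pad)
```

For the captured packet, parse_frame(RAW_DUMP) yields 37 data bytes and 9 pad bytes, matching the breakdown above; the length check guards against a corrupt or truncated capture whose Length field claims more data than was captured.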

Looking at the MAC block diagram, the data from the Info field is shown broken down (or rather up) into the higher layers: the Logical Link Control layer, the Network layer and the Transport layer. Note: a thorough knowledge of each of the layers and quite a few handy reference books are required in order to determine exactly what is happening. The remaining layers will be examined as an example only.

NOTE: Modern packet sniffers will break down the raw packet's fields for you.
