Information about the wireshark payload


#1

Can anyone tell me what information is on the right hand side of wireshark payload.


#2

This is a classical hexa dump display.

It displays the content of the packet.

1st number (on 4 hexa digits) is the offset of the 1st byte of the line from the beginning of the packet.

Then the hexa value of the 16 bytes (each byte displayed by a 2 hexa digit number).

Then the ascii character value of the SAME 16 bytes.
Displays a . if the character is not printable.

Then the next line.
Since there were 16 bytes displayed on the previous line,
the offset is incremented by 16 (= 0x10).

In your example :

  • 4th byte of 1st line = 32 (hexa) = 3*16 + 2 = 50 (decimal) = “2” (ascii character)
  • 5th byte of 1st line = 41 (hexa) = 4*16 + 1 = 65 (decimal) = “A” (ascii character)
  • 6th byte of 1st line = 8c (hexa) = 4*16 + 1 = 140 (decimal) = “.” because not printable character
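As an added illustration (not part of the answer above), the following Python reproduces that layout on a constructed byte string and decodes single bytes the same way the answer does: offset column, 16 hex bytes, then the ASCII column with `.` for non-printable bytes. The sample packet and the FTP banner inside it are constructed; the FTP pattern is the l7-filter one quoted later in this thread, with the opening `[` assumed.

```python
import re

# Constructed sample "packet": a 6-byte prefix that reproduces the bytes
# discussed in the answer (32 41 8c at bytes 4-6), 10 bytes of padding,
# then a constructed FTP greeting as the payload starting at offset 0x10.
SAMPLE = bytes([0x08, 0x00, 0x00, 0x32, 0x41, 0x8c]) + b"\x00" * 10 \
    + b"220 example ftp server\r\n"

# l7-filter style FTP pattern (bytes regex; opening bracket assumed).
L7_FTP = re.compile(rb"^220[\x09-\x0d -~]*ftp")


def printable(b: int) -> str:
    """ASCII column rule: printable 7-bit characters as-is, else '.'."""
    return chr(b) if 0x20 <= b < 0x7F else "."


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Wireshark-style dump: 4-hex-digit offset, hex bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(printable(b) for b in chunk)
        # Pad the hex column so the ASCII column lines up on a short last line.
        lines.append(f"{off:04x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return lines


def explain_byte(data: bytes, line: int, pos: int, width: int = 16):
    """Describe the pos-th byte of the line-th dump line (both 1-based),
    as (hex, decimal, ASCII-column character), like the worked examples."""
    b = data[(line - 1) * width + (pos - 1)]
    return f"{b:02x}", b, printable(b)


def l7_ftp_match(payload: bytes) -> bool:
    """True if the raw payload bytes (not the hex text) satisfy the pattern."""
    return L7_FTP.match(payload) is not None


if __name__ == "__main__":
    for line in hexdump(SAMPLE):
        print(line)
    print(explain_byte(SAMPLE, 1, 4), explain_byte(SAMPLE, 1, 6))
    print("ftp:", l7_ftp_match(SAMPLE[16:]))
```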

#3

Hi there,
Thanks for your response. One more question: does such an offset have any significance, and why does Wireshark show such an offset?

Another query of mine

When constructing packets with a "traffic generator" like the "Smartbits 6000B", does simply copying and pasting the "Hex" values on the left hand side of my example fulfill any condition?

Condition might be: Detection of some protocols from filter like L7 (in linux) applying some regular expression rules.

Regular expression rule: `^220[\x09-\x0d -~]*ftp`

These packets are verified when I run the L7 filter too (it displays a message that they are "ftp" packets).

So, is there any difference between the real traffic and the captured Wireshark traffic? If I generate such traffic (captured from Wireshark) by looking at the hex values and copying and pasting them into a traffic generator, will it be detected as "ftp" packets?

The files are attached for both Spirent 6000B smartbits and Wireshark capture for that ftp traffic…