Hi, I'm trying to read IP packet headers manually from a hex file. From what I understand an IP header has 20 bytes: version, HL, TOS, total length, ID, flag, fragments, TTL, protocol, checksum, source IP and destination IP. In hex that would be something like this (20 bytes - double digits = 1 byte), A1 01 2C 1A being the source IP, so the following 4 bytes are the destination IP, which means the end:

45 00 00 28 20 8F 40 00 80 06 00 00 A1 01 2C 1A BC D6 1D EF

But then I found a few that had more than 20 bytes, as in the 20th byte was the last byte of the source IP, but that wouldn't make sense coz in the IP structure the source IP is followed by the destination IP, meaning that the header found is 24 bytes instead of 20 bytes, like:

45 00 00 50 43 E8 00 00 40 06 5A DB 36 FB 98 DB A1 01 2C 1A 04 BA A4 D1

What does this mean? Why are there extra bytes? Even if the "option" field was to be counted in, isn't it after the destination IP address? Or is it possible for the source and destination addresses to switch places, meaning that the last 4 bytes are the source IP and the preceding 4 bytes are the destination IP?

*hope I explained things properly

All 6 Replies

I put this into https://www.gasmi.net/hpd/ and those addresses look like MAC addresses.

As you learn IP you learn about how packets on a LAN often go from one place to another using this rather than the IP address.
Decode these with tools until you complete your IP lessons.

But I got that IP from using ipconfig and then converted it to hex and used it to search for that address in 010 Editor to look for the IP header.

Now you get to look at the MAC addresses as well to see it all.

So the Source and Destination addresses switch places between each other on LAN? Coz I'm using Oracle VM VirtualBox to get Windows 7 hex dumps and well it only has an Ethernet adapter.

The short answer is it appears you are capturing Ethernet packets. I am a poor substitute for all the good docs on the web about how this works but the IP work is done elsewhere as in the ARP protocol.

Video at https://www.youtube.com/watch?v=OZi3tVrpI6U which looks good.
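
Added example, not part of the thread or any poster's code: a Python parser that takes the header length from the IHL nibble of the first byte (RFC 791) instead of assuming a byte count, run on the two dumps quoted in the question. It assumes each dump starts at byte 0 of an IPv4 header; the function and key names are illustrative.

```python
import ipaddress
import struct

# The two dumps quoted in the question, copied verbatim.
SAMPLE_20 = "45 00 00 28 20 8F 40 00 80 06 00 00 A1 01 2C 1A BC D6 1D EF"
SAMPLE_24 = ("45 00 00 50 43 E8 00 00 40 06 5A DB 36 FB 98 DB "
             "A1 01 2C 1A 04 BA A4 D1")


def parse_ipv4(hex_dump):
    """Parse a dump that is assumed to start at byte 0 of an IPv4 header."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) < 20:
        raise ValueError("an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header start")
    header_len = ihl * 4              # IHL counts 32-bit words
    if header_len > len(raw):
        raise ValueError("dump ends before the header does")
    return {
        "header_len": header_len,
        "total_len": total_len,
        "dont_fragment": bool(flags_frag & 0x4000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "checksum": checksum,
        "src": str(ipaddress.IPv4Address(src)),   # header bytes 12-15
        "dst": str(ipaddress.IPv4Address(dst)),   # header bytes 16-19
        "options": raw[20:header_len],            # non-empty only when IHL > 5
        "after_header": raw[header_len:],         # bytes of the next protocol
    }


def tcp_ports(fields):
    """If the protocol is TCP (6), decode the first 4 trailing bytes as ports."""
    rest = fields["after_header"]
    if fields["protocol"] != 6 or len(rest) < 4:
        return None
    return struct.unpack("!HH", rest[:4])         # (source port, destination port)


if __name__ == "__main__":
    for dump in (SAMPLE_20, SAMPLE_24):
        f = parse_ipv4(dump)
        print(f["header_len"], f["src"], "->", f["dst"],
              f["after_header"].hex(), tcp_ports(f))
```

Both dumps carry IHL 5, so the parser stops the header at offset 20 in each and hands any bytes after that to the protocol named in the protocol field.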
