Cover by Ryan Benedetti, Al Anderson

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

O'Reilly logo

Chapter 4. Packet Analysis: You’ve Been Framed

image with no caption

It’s time to go under the hood.

Network devices send data down the cable by converting the data into a signal. But how do they do this? And what else might be hiding in the signal? Just like a doctor needs to look at blood cells to identify blood-borne diseases, a network pro needs to look at what’s in the network signal to detect network intrusions, perform audits, and generally diagnose problems. And the key to all of this is packet analysis. Keep reading while we put your network signal under the microscope.

What’s the secret message?

The Head First Spy Agency specializes in conducting undercover investigations on behalf of their clients. No job is too big or too small, and they’ve just recruited you to their cause.

Here’s your first assignment:

image with no caption
image with no caption

So how do we extract a message from a signal?

We’ve seen before that network signals contain network data. This data is encoded into a format that computers can use, so if we can decode the signal, we should be able to extract the hidden message. But how do we do this?

Brain Power

Could this signal represent something other than 1’s and 0’s?

Network cards handle encoding

Encoding is handled by the Network Interface Card, or NIC, inside the computer. It handles and decodes digital signals, and is in charge of all the messaging ins and outs on the computer.

image with no caption

So how does the NIC encode the data?

The NIC starts by taking the message that needs to be sent across the network. It then turns the message into binary numbers, a series of 0’s and 1’s. After that, it encodes these numbers, and sends corresponding voltage signals through an attached network cable.

image with no caption

So if we know what the signal is, how do we find the original message?

To get the message, reverse the encoding

To find out what the message is, we need to decode the rogue network signal. Here’s what we need to do.

  1. Take the rogue signal.

    The signal is the series of voltage changes that’s been transmitted along the cable. The message is hidden inside it.

    image with no caption
  2. Divide the signal into equal slices using a clocking mechanism.

    By this we mean a device that pulses regularly. The clock provides a regular heartbeat.

    image with no caption
  3. Convert the signal into a series of 0’s and 1’s.

    To do this, look at the voltage level where the clock pulse meets the signal. The voltage level at this point determines whether the value is a 0 or a 1.

So how do we decode the signal?

The way in which we find the stream of 0’s and 1’s depends on the method used to encode the signal in the first place. So how do we know what this is?

The Ethernet standard tells hardware how to encode the data

So what sort of encoding scheme does the rogue signal use?

The signal is transmitted over Ethernet. This is a standard that engineers and manufacturers use when designing computers and network gear, and the protocol includes features such as Manchester phase encoding. So if the signal is sent using the Ethernet protocol, it uses Manchester encoding.

The protocol for 10BaseT Ethernet specifies that the signal will be encoded using Manchester encoding.

Let’s look at how this works:

image with no caption

In NRZ encoding, the binary data is represented by the high and low voltage levels; high is a 1, low is a 0. In Manchester encoding, it is the TRANSITION to a voltage that represents data.


You don’t have to know the exact details of how encoding works.

What is important for you to understand is that data in a computer is represented one way but is encoded into a signal when it is transmitted on a network.

image with no caption

If we know how a signal’s encoded, that means we can decode it.

Knowing that the signal uses Manchester encoding means that we know the series of 1’s and 0’s that the signal represents. What we need to do next is translate this into something more meaningful. To do this, we need to understand how to translate binary numbers.

A quick guide to binary

The first thing you need to know about binary numbers is that they aren’t based on 10 digits (0 to 9); they’re based on 2 digits, 0 and 1. Here’s how binary digits work:

image with no caption

If you see a binary number like 0 or 1, this is the same as a decimal number 0 or 1. But how do we write a number like 2 in binary?

Binary is a base 2 system. This means that each digit in a binary number represents an increasing power of 2. The right-most digit in the binary number represents 20, the next represents 21, the next 22 and so on.

image with no caption

So how do we convert a binary to decimal?

To convert from binary, here’s what you need to do.

  • Multiply each digit in the binary number by the corresponding power of 2.

  • Add the whole lot up together.

image with no caption

And there’s your decimal number equivalent.

image with no caption

We can convert the numbers into letters.

So far we’ve looked at how we convert the signal into binary, and from binary to decimal. What we really want to do though is convert the signal into something more meaningful such as words. So how can we turn numbers into characters? The answer lies with ASCII...

Computers read numbers, humans read letters

We can convert a signal into numbers, but what can we do when we need text? We use something called the American Standard Code for Information Interchange (ASCII). Computers use this format when transferring text messages to one another.

In computer-speak, each binary digit is called a bit, and eight bits together form a byte.

image with no caption

Each byte needs to be translated to an ASCII character. To do this, we convert each byte into its decimal equivalent, and then look up the corresponding ASCII in an ASCII table, just like the one in Appendix B.

image with no caption

So the ASCII character represented by 01100001 is the letter a.

But isn’t there an easier way?

The trouble with translating bytes into ASCII characters in this way is that the 0’s and 1’s quickly become overwhelming. It can be fiddly converting bytes into decimal numbers, and this means it’s easy to make mistakes. So is there an easier way?

Watch it!

There is another character encoding scheme.

Another major character encoding scheme is Unicode. It allows for millions of characters.

image with no caption

Hexadecimal to the rescue

There’s a handier way of converting a byte into ASCII. Instead of looking up a decimal number in an ASCII table, we can look up its hexadecimal equivalent instead.

Hexadecimal numbers are based on 16 digits, 0-15:

image with no caption

So if you see a hexadecimal number like B, you know that it just means 11 in decimal.

Hex is a base 16 system, which means that each digit represents an increasing power of 16. The right-most represents 160, the next represents 161, and so on.

image with no caption

So how do we convert a hexadecimal to decimal?

To convert a hexadecimal number to a decimal, take each digit in the hexadecimal number, multiply it by the power of 16 it represents, and then add the whole lot up together.

image with no caption

We can convert to ASCII using hex

Once you learn to use hexadecimal, you realize just how cool it is. Hex and binary make great partners, which simplifies conversions between binary and ASCII. Hex is like a bridge between the weird world of binary and our world (the human, readable world).

Here’s what we do:

  1. Break the byte in half.

    Each half-byte is called a nibble. [Note from Editor: you’re kidding, right?]

    image with no caption

    Watch it!

    Don’t add the two numbers!

    Just put them side-by-side, and you have the hexadecimal conversion.

  2. Convert each half into its hexadecimal equivalent.

    Because the binary number is broken into halves, the highest number you can get is 15 (which is “F” in hex).

  3. Concatenate the two numbers.

    Concatenate is a programmer’s word that simply means “put them beside each other from left to right.”

  4. Look the number up in an ASCII table.

    The table to the right is just a sample. To find comon ASCII codes, use the handy ASCII conversion table we’ve provided in Appendix B.

    image with no caption

Back at the spy agency...

So far we’ve looked at encoding techniques for finding out what message the mole is sending. So what progress have we made in interpreting the signal?

image with no caption

It’s not just a matter of decoding the binary; we have to consider the appropriate protocol too...

Protocols define the structure of a message

In order to effectively communicate, network devices use protocols, a set of guidelines, or rules, for the network conversation. These procotols cover such things as how fast data can be sent and how data will be structured when it’s sent.

Most protocols define a size limit for messages, which means that the messages need to be broken into separate packages and labeled with information about where the message came from and where it’s headed.

Network messages come in two kinds of packages: frames and packets.

Brain Power

Why would it be important for the destination address to come near the front of a frame?

From Sharpen your pencil.

image with no caption
image with no caption

Network frames have lots of layers

Encoding and decoding signals allows us to ship data efficiently. Frames give that data structure, but does a frame give us enough structure to package our data?

A network frame contains nested structures that allow us to pack and unpack the data efficiently. Like a series of nested dolls, each smaller structure is enclosed by the next largest structure.

The payload of a frame is actually a structure nested within the frame. We call it a packet, and the EtherType field lets us know what type of packet the payload contains.

image with no caption

We have to do a bit more digging into this frame before we can get to the actual message.

Your friendly packet field guide

Packets come in several different types. You can see that there is a lot of information packed inside these packets. All of those “fields” contain information that helps the packet get across the network. You will notice that many of the same fields exist in the three packet types shown here.

UDP Packet - Protocol Type 17

UDP is used for streaming data such as music and videos.

image with no caption

ICMP Packet - Protocol Type 1

ICMP is used for testing network connections using the ping program.

image with no caption

TCP Packet - Protocol Type 6


This is decimal 6, in a packet this would be in hex!

TCP is used for most IP network communications that require a reliable connection. By reliable, we mean that no information is lost.

image with no caption

Geek Bits

There are many different types of IP protocols, around 139 of them. These are just three of the most common ones.

You can find a full list of IP protocols here:

So can we decode the secret message?

So far we’ve looked at how frames are structured, how to tell which part of the frame contains the data, and how to convert the data into ASCII. So is that everything we need to decode the message the mole sent?

Well... nearly.

image with no caption

The entire message may need more than one frame.

Sometimes messages are spread across frames. So why’s that?

An Ethernet frame can hold about 1500 bytes of data. So any data that is larger than that will have to be broken apart.

There’s another reason too. In order to have a reliable transfer of data, the sender and receiver communicate using the TCP protocol on how the transfer is going. If there are errors in the packets, the sender will notify the receiver and it will resend the packets that had errors. Imagine if there was one large packet with all the data. If the connection is poor it might never get sent.

To reassemble the entire message, we need to collect together all the frames, making sure they’re in the right order.

So what do we mean by the right order? Why should they be out of order? Let’s take a look.

We’ve got all the right packets... but not necessarily in the right order

Individual packets on a large network with multiple routers can take different routes to get to the destination. Some paths are longer or have lower bandwidth and take longer for the packet to transit. These means that the packets could arrive at the destination out of order.

  1. A computer sends some data on the network.

    Because of the amount of data, it’s broken into three separate packets.

  2. The packets take different routes.

    The red and green packets take a different route to the blue packet.

    image with no caption
  3. The packets arrive at their destination.

    But they arrive out of order.

Brain Power

Take another look at the packet structure. How do you think we can tell what the packet order should be?

The packet tells you the correct order

Each packet contains a sequence number, and it’s this sequence number that tells you the correct order of the packets. This means that you can use the sequence number inside a packet to put all the packets back together in the right order. So if we can decode the packets in the right order, we’ll have the secret message.

image with no caption

Geek Bits

The server sends packets to a particular application based on the port number. As an example, it knows which messages are emails by looking at the destination port in the packet.

image with no caption

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required