Decoding sniffed packets

Mikulas Dite picture Mikulas Dite · Aug 29, 2010 · Viewed 12.7k times · Source

I understand that each packet has some header that seems like a random mix of chars. On the other hand, the content itself can be in pure ascii and therefore it might be human friendly. Some of the packets I sniffed were readable (raw html headers for sure). But some packets looked like this:

0000  00 15 af 51 68 b2 00 e0  98 be cf d6 08 00 45 00   ...Qh... ......E.
0010  05 dc 90 39 40 00 2e 06  99 72 08 13 f0 49 c0 a8   ...9@... .r...I..
0020  64 6b 00 50 c1 32 02 7a  60 4f 4c b6 45 62 50 10   dk.P.2.z `OL.EbP.

That was just a part, these packets were usually longer. My question is, how can I decode the packet content/data? Do I need the whole stream? Is the decoding simple, or every application can encode it slightly else, to ensure these packets are secured?

Edit: I don't care about the header, Wireshark shows that. However, that's totally worthless info. I want to decode the data/content.

Answer

Jay picture Jay · Aug 29, 2010

The content of a packet is defined by the process sending it. Think of it like a telephone call. What's said is dependent on who is calling and who they are talking to. You have to study the programs that construct it to determine how to "decode" it. There are some sniffers that will parse some commonly used methods of encoding and try to do this already.