Packet Capture — Identify the Protocol
Medium Network Forensics · 30 min
Scenario
You are responding to a security event. Your SOC has handed you a single packet captured from the network. You don't have Wireshark in this environment — only the raw hex dump.
Decode the packet and identify:
- The application protocol (lowercase, one word, e.g. dns, http, smtp, ssh, ftp)
- The source port (decimal)
- The destination port (decimal)
Answer format
<protocol>:<src-port>:<dst-port>
All lowercase. Example shape (NOT the answer):
http:51823:80
Tips for hand-decoding
The packet starts at Ethernet layer:
| Offset | Bytes | Field |
|---|---|---|
| 0 | 6 | Dest MAC |
| 6 | 6 | Src MAC |
| 12 | 2 | EtherType (0800 = IPv4) |
Then IPv4 header (14 bytes in):
| Offset | Bytes | Field |
|---|---|---|
| 14 | 1 | Version + IHL |
| 23 | 1 | Protocol (06=TCP, 11=UDP, 01=ICMP) |
| 26 | 4 | Source IP |
| 30 | 4 | Destination IP |
Then transport layer (start = 14 + IHL×4):
| Offset (from start of TCP/UDP) | Bytes | Field |
|---|---|---|
| 0 | 2 | Src port |
| 2 | 2 | Dst port |
The application protocol is inferred from the destination port (well-known ports: 53=DNS, 80=HTTP, 25=SMTP, 22=SSH, 21=FTP, 443=HTTPS, 110=POP3, 143=IMAP).
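The offset walk in the tables above, written out as a small decoder. This is an added example, not part of the challenge or its lab; the frame in `SAMPLE` is constructed here to match the hints (UDP, ports 0xD37B and 0x0035) and is not the actual capture. It goes one step beyond the tips by also falling back to the source port for reply traffic.

```python
import struct

WELL_KNOWN = {53: "dns", 80: "http", 25: "smtp", 22: "ssh", 21: "ftp",
              443: "https", 110: "pop3", 143: "imap"}
IP_PROTO = {0x06: "tcp", 0x11: "udp", 0x01: "icmp"}

def decode_packet(hex_dump: str) -> dict:
    """Parse an Ethernet II / IPv4 frame given as a hex string and return
    transport protocol, IPs, ports and the inferred application protocol."""
    pkt = bytes.fromhex("".join(hex_dump.split()))
    if len(pkt) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    ethertype = struct.unpack("!H", pkt[12:14])[0]   # bytes 12-13
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    ihl = pkt[14] & 0x0F                 # low nibble of byte 14 = header words
    proto = pkt[23]                      # IP protocol byte at offset 23
    src_ip = ".".join(str(b) for b in pkt[26:30])
    dst_ip = ".".join(str(b) for b in pkt[30:34])
    start = 14 + ihl * 4                 # transport header begins here
    info = {"transport": IP_PROTO.get(proto, f"0x{proto:02x}"),
            "src_ip": src_ip, "dst_ip": dst_ip}
    if proto not in (0x06, 0x11):        # ICMP etc. carry no ports
        return info
    src_port, dst_port = struct.unpack("!HH", pkt[start:start + 4])
    # Well-known destination port first (as in the tips); source port covers
    # the reply direction, e.g. a DNS answer coming back from port 53.
    app = WELL_KNOWN.get(dst_port) or WELL_KNOWN.get(src_port, "unknown")
    info.update(src_port=src_port, dst_port=dst_port, app=app)
    return info

def answer(hex_dump: str) -> str:
    """Format the result in the challenge's <protocol>:<src-port>:<dst-port> shape."""
    d = decode_packet(hex_dump)
    return f"{d['app']}:{d['src_port']}:{d['dst_port']}"

# CONSTRUCTED sample: Ethernet (14 B) + IPv4 (20 B, IHL=5, proto 0x11) +
# UDP header (8 B). Lengths and checksums are placeholders; only the fields
# the decoder reads are meaningful.
SAMPLE = (
    "00 11 22 33 44 55 66 77 88 99 aa bb 08 00"                    # Ethernet
    "45 00 00 3c 1a 2b 00 00 40 11 00 00 c0 a8 01 0a 08 08 08 08"  # IPv4
    "d3 7b 00 35 00 28 00 00"                                      # UDP ports
)

if __name__ == "__main__":
    print(answer(SAMPLE))   # dns:54139:53
```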
Hints
Hint 1 (−10 pts)
The IP protocol byte is at offset 23. Read it — that tells you TCP (0x06) vs UDP (0x11). Then jump to the transport header at offset 14 + (IHL × 4).
Hint 2 (−10 pts)
IHL is the low nibble of byte 14. In this packet it's 5 (so 20-byte IP header). Transport header starts at offset 34. Read 2 bytes for src port, 2 bytes for dst port.
Hint 3 (−10 pts)
Protocol byte = 0x11 (UDP). Src port at offset 34-35 = 0xD37B = 54139. Dst port at 36-37 = 0x0035 = 53. Port 53 = DNS. Answer: dns:54139:53