Dissecting network packets

Wimnat · 6 Apr 2007 at 17:48

Hi,

I would like to dissect some packets in Java, specifically SIP and RTP packets.

I have used jpcap to sniff the packets off the network and the contents of the packet are placed in a byte array.

Does anyone have an idea of how to split this packet up so for example I can see what codecs have been specified etc.

I tried looking at the C source code of Wireshark to give me an idea but it seemed pretty complicated.

Any suggestions welcome.

matja · 6 Apr 2007 at 17:57

Check out RFC 791 for the IP header, RFC 793/768 for the TCP/UDP header and RFC 3261 for the SIP header. They're pretty simple structures (in IP/TCP/UDP, no idea about SIP, never parsed that).

|Ric| · 6 Apr 2007 at 18:04

I've just done something similar (had to interpret TCP and IP packets), as said above just look in the relevant RFC and it has a pretty diagram showing you how the packet is arranged

NathanE · 6 Apr 2007 at 18:22

SIP has a very HTTP-like protocol that you can easily parse with string functions or regular expressions. RTP's specification is available all over the 'net and will be the hardest to consume considering Java doesn't support pointers (so you can't just overlay the packet into a structure definition).

Visage · 6 Apr 2007 at 20:26

NathanE said:
RTP's specification is available all over the 'net and will be the hardest to consume considering Java doesn't support pointers (so you can't just overlay the packet into a structure definition).

I'd hardly call whacking some bytes into a ByteBuffer and calling getInt, getLong, getShort etc hard.....

|Ric| · 6 Apr 2007 at 20:31

out of interest does that cope with endianess?

Visage · 6 Apr 2007 at 20:42

|Ric| said:
out of interest does that cope with endianess?

ByteBuffer has an 'order' ,ethod that you can use to specify the endianess that you can use.

For example:

ByteBuffer b = new ByteBuffer();
b.order(BIG_ENDIAN);
b.putInt(10).PutShort(3);

would result in a buffer of length 6 bytes, with the first 4 containing 10 in big endian format and 2 bytes conatining 3 in big endian format.

Conversely:

ByteBuffer b= new ByteBuffer(somearray) ;
b.order(LITTLE_ENDIAN);
int j = b.getInt();
int k = b.getShort();

Will read an int and a short from somearray and put them in i and k respectively, treating the bytes as being in little endian order.

Inquisitor · 6 Apr 2007 at 20:55

Visage said:
b.putInt(10).PutShort(3);

Is ByteBuffer immutable or something? :confused:

Visage · 6 Apr 2007 at 21:06

Inquisitor said:
Is ByteBuffer immutable or something?

No. The put... methods return the object they're called on, so you can daisychain calls....

Inquisitor · 6 Apr 2007 at 21:26

Fair enough, I'm just not familiar with the Java libraries I suppose, and the .NET framework doesn't do that

Wimnat · 6 Apr 2007 at 22:28

RFC's are fine for the header information where the data is predefined. I also need to parse the SIP body where data can be variable. For example, it will hold the SIP address which could be anything from SIP:[email protected] to SIP:[email protected].

How can i search through a byte array looking for particular strings?

Also the byte array is going to be holding binary data. Is there an easy way to convert this to acsii before i start searching?

NathanE · 7 Apr 2007 at 10:40

Visage said:
I'd hardly call whacking some bytes into a ByteBuffer and calling getInt, getLong, getShort etc hard.....

That's neat, not seen that class before. Seems it was added in v1.4 so that explains why... I'd already moved onto .NET by then

Wimnat · 7 Apr 2007 at 15:12

Visage said:
I'd hardly call whacking some bytes into a ByteBuffer and calling getInt, getLong, getShort etc hard.....

I'm a Java n00b so could you post a bit of a code example for this please?

Visage · 7 Apr 2007 at 18:59

Wimnat said:
I'm a Java n00b so could you post a bit of a code example for this please?

See above.