Wireshark users may occasionally find themselves wishing for the ability the add some packet detail to the summary information. In the previous post I was looking at DSCP and TOS information and wanted to add that to the summary rather than drilling down into every packet. The first solution is to use Tshark and a lua script as I did in the previous post. The second solution is to export the capture file in both PSML and PDML format packet detail and render them in a web browser.
PSML and PDML are both XML files, so they can be rendered using an XML stylesheet and displayed in a web browser. Sensibly parsing the output of two different XML files can be a bit tricky. Fortunately there is a common field in each file, the packet number, which can be used to perform the equivalent of an SQL join on the two files.
First I captured the request and response of two single pings, one with and one without the ToS byte set. Then I exported the files in PDML and PSML formats as shown below. Note the reference in line 2 of packetsumm2.xml to the stylesheet table7.xsl. When using a browser to transform the xml we have to modify it manually to include the reference rather than pass it as a command line parameter like we would with saxon or xalan.
The important parts of the stylesheet are highlighted in red. The first of the highlighted lines creates a reference to the document element of the packet details file. The template below does all the hard work of performing the join.
<xsl:template match="/psml/packet">
<tr>
<xsl:variable name="packetnum" select="section[1]"/>
<xsl:for-each select="section">
<xsl:if test="position()=last()">
<td><xsl:value-of select= "$packetdetail/pdml/packet/proto[@name = 'geninfo']/field[@name = 'num' and @show = $packetnum]/../../proto[@name = 'ip']/field[@name='ip.dsfield']/@showname"/></td>
</xsl:if>
<td><xsl:value-of select="."/></td>
</xsl:for-each>
</tr>
</xsl:template>The packet number is in the first element and is saved in the variable packetnum. A for-each loop is created to output all the section elements of the packet summary. In this case they are “No.”, “Time”, ” Source”, ” Destination”, ” Protocol” and “Info”. As the loop progresses we test to see if we are at the last “section” element, and if we are it inserts the DS field information from the packet detail file. Now this is where the going gets heavy. We insert the DS field information using a <xsl:value-of> tag, which contains a select attribute with an xpath expression to that information.
There are two main parts to this xpath expression
-
$packetdetail/pdml/packet/proto[@name = 'geninfo']/field[@name = 'num' and @show = $packetnum]/ ../../proto[@name = 'ip']/field[@name='ip.dsfield']/@showname
Part 1 drills down to the proto element of the packet that has a field element with a name attribute equal to num and a show attribute equal to the packetnum variable. This is the common part where we perform the join on the two files.
Part 2 solves the problem of accessing the DS field information. This is a problem because our xpath expression has already taken us down one proto element and we need to be in another proto element at the same level. To get there we need to go back to the common ancestor of the two proto elements, using the ../.. expression and then match the proto element with a name attribute of ip and field element with a name attribute of ip.dsfield and finally selecting the showname attribute.
Conclusion
I admit the example using wireshark is a little contrived. However, the ability to join xml files on a common field is a powerful technique worth keeping in the toolkit. Who knows somebody may actually wish to display packet capture information in a web browser.
Table7.xsl
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:variable name="packetdetail" select="document('packets2.xml')"/>
<xsl:template match="/psml">
<html>
<body>
<table border="2" bgcolor="lightgrey">
<xsl:apply-templates/>
</table>
</body>
</html>
</xsl:template>
<xsl:template match="/psml/structure">
<tr>
<xsl:for-each select="section">
<xsl:if test="position() = last()">
<th>DS Field</th>
</xsl:if>
<th><xsl:value-of select="."/></th>
</xsl:for-each>
</tr>
</xsl:template>
<xsl:template match="/psml/packet">
<tr>
<xsl:variable name="packetnum" select="section[1]"/>
<xsl:for-each select="section">
<xsl:if test="position()=last()">
<td><xsl:value-of select= "$packetdetail/pdml/packet/proto[@name = 'geninfo']/field[@name = 'num' and @show = $packetnum]/../../proto[@name = 'ip']/field[@name='ip.dsfield']/@showname"/></td>
</xsl:if>
<td><xsl:value-of select="."/></td>
</xsl:for-each>
</tr>
</xsl:template>
</xsl:stylesheet>Packetsumm2.xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="table7.xsl"?>
<psml version="0" creator="wireshark/1.0.2">
<structure>
<section>No.</section>
<section>Time</section>
<section>Source</section>
<section>Destination</section>
<section>Protocol</section>
<section>Info</section>
</structure>
<packet>
<section>1</section>
<section>0.000000</section>
<section>192.168.0.7</section>
<section>74.125.19.147</section>
<section>ICMP</section>
<section>Echo (ping) request</section>
</packet>
<packet>
<section>2</section>
<section>0.181465</section>
<section>74.125.19.147</section>
<section>192.168.0.7</section>
<section>ICMP</section>
<section>Echo (ping) reply</section>
</packet>
<packet>
<section>3</section>
<section>9.897599</section>
<section>192.168.0.7</section>
<section>74.125.19.147</section>
<section>ICMP</section>
<section>Echo (ping) request</section>
</packet>
<packet>
<section>4</section>
<section>10.079768</section>
<section>74.125.19.147</section>
<section>192.168.0.7</section>
<section>ICMP</section>
<section>Echo (ping) reply</section>
</packet>
</psml>Packets2.xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="packets.xsl"?>
<pdml version="0" creator="wireshark/1.0.2">
<packet>
<proto name="geninfo" pos="0" showname="General information" size="74">
<field name="num" pos="0" show="1" showname="Number" value="1" size="74"/>
<field name="len" pos="0" show="74" showname="Packet Length" value="4a" size="74"/>
<field name="caplen" pos="0" show="74" showname="Captured Length" value="4a" size="74"/>
<field name="timestamp" pos="0" show="Jan 8, 2009 10:14:57.971166000" showname="Captured Time" value="1231373697.971166000" size="74"/>
</proto>
<proto name="frame" showname="Frame 1 (74 bytes on wire, 74 bytes captured)" size="74" pos="0">
<field name="frame.time" showname="Arrival Time: Jan 8, 2009 10:14:57.971166000" size="0" pos="0" show="Jan 8, 2009 10:14:57.971166000"/>
<field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
<field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
<field name="frame.time_relative" showname="Time since reference or first frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
<field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
<field name="frame.pkt_len" showname="Packet Length: 74 bytes" hide="yes" size="0" pos="0" show="74"/>
<field name="frame.len" showname="Frame Length: 74 bytes" size="0" pos="0" show="74"/>
<field name="frame.cap_len" showname="Capture Length: 74 bytes" size="0" pos="0" show="74"/>
<field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
<field name="frame.protocols" showname="Protocols in frame: eth:ip:icmp:data" size="0" pos="0" show="eth:ip:icmp:data"/>
</proto>
<proto name="eth" showname="Ethernet II, Src: Intel_28:c7:f7 (00:18:de:28:c7:f7), Dst: Netgear_ea:06:78 (00:09:5b:ea:06:78)" size="14" pos="0">
<field name="eth.dst" showname="Destination: Netgear_ea:06:78 (00:09:5b:ea:06:78)" size="6" pos="0" show="00:09:5b:ea:06:78" value="00095bea0678">
<field name="eth.addr" showname="Address: Netgear_ea:06:78 (00:09:5b:ea:06:78)" size="6" pos="0" show="00:09:5b:ea:06:78" value="00095bea0678"/>
<field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="0" show="0" value="0" unmaskedvalue="00095b"/>
<field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="0" show="0" value="0" unmaskedvalue="00095b"/>
</field>
<field name="eth.src" showname="Source: Intel_28:c7:f7 (00:18:de:28:c7:f7)" size="6" pos="6" show="00:18:de:28:c7:f7" value="0018de28c7f7">
<field name="eth.addr" showname="Address: Intel_28:c7:f7 (00:18:de:28:c7:f7)" size="6" pos="6" show="00:18:de:28:c7:f7" value="0018de28c7f7"/>
<field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="6" show="0" value="0" unmaskedvalue="0018de"/>
<field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="6" show="0" value="0" unmaskedvalue="0018de"/>
</field>
<field name="eth.type" showname="Type: IP (0x0800)" size="2" pos="12" show="0x0800" value="0800"/>
</proto>
<proto name="ip" showname="Internet Protocol, Src: 192.168.0.7 (192.168.0.7), Dst: 74.125.19.147 (74.125.19.147)" size="20" pos="14">
<field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
<field name="ip.hdr_len" showname="Header length: 20 bytes" size="1" pos="14" show="20" value="45"/>
<field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)" size="1" pos="15" show="0" value="00">
<field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0x00)" size="1" pos="15" show="0x00" value="0" unmaskedvalue="00"/>
<field name="ip.dsfield.ect" showname=".... ..0. = ECN-Capable Transport (ECT): 0" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
<field name="ip.dsfield.ce" showname=".... ...0 = ECN-CE: 0" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
</field>
<field name="ip.len" showname="Total Length: 60" size="2" pos="16" show="60" value="003c"/>
<field name="ip.id" showname="Identification: 0x84c6 (33990)" size="2" pos="18" show="0x84c6" value="84c6"/>
<field name="ip.flags" showname="Flags: 0x00" size="1" pos="20" show="0x00" value="00">
<field name="ip.flags.rb" showname="0... = Reserved bit: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="00"/>
<field name="ip.flags.df" showname=".0.. = Don't fragment: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="00"/>
<field name="ip.flags.mf" showname="..0. = More fragments: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="00"/>
</field>
<field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="20" show="0" value="0000"/>
<field name="ip.ttl" showname="Time to live: 128" size="1" pos="22" show="128" value="80"/>
<field name="ip.proto" showname="Protocol: ICMP (0x01)" size="1" pos="23" show="0x01" value="01"/>
<field name="ip.checksum" showname="Header checksum: 0x973b [correct]" size="2" pos="24" show="0x973b" value="973b">
<field name="ip.checksum_good" showname="Good: True" size="2" pos="24" show="1" value="973b"/>
<field name="ip.checksum_bad" showname="Bad : False" size="2" pos="24" show="0" value="973b"/>
</field>
<field name="ip.src" showname="Source: 192.168.0.7 (192.168.0.7)" size="4" pos="26" show="192.168.0.7" value="c0a80007"/>
<field name="ip.addr" showname="Source or Destination Address: 192.168.0.7 (192.168.0.7)" hide="yes" size="4" pos="26" show="192.168.0.7" value="c0a80007"/>
<field name="ip.src_host" showname="Source Host: 192.168.0.7" hide="yes" size="4" pos="26" show="192.168.0.7" value="c0a80007"/>
<field name="ip.host" showname="Source or Destination Host: 192.168.0.7" hide="yes" size="4" pos="26" show="192.168.0.7" value="c0a80007"/>
<field name="ip.dst" showname="Destination: 74.125.19.147 (74.125.19.147)" size="4" pos="30" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.addr" showname="Source or Destination Address: 74.125.19.147 (74.125.19.147)" hide="yes" size="4" pos="30" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.dst_host" showname="Destination Host: 74.125.19.147" hide="yes" size="4" pos="30" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.host" showname="Source or Destination Host: 74.125.19.147" hide="yes" size="4" pos="30" show="74.125.19.147" value="4a7d1393"/>
</proto>
<proto name="icmp" showname="Internet Control Message Protocol" size="40" pos="34">
<field name="icmp.type" showname="Type: 8 (Echo (ping) request)" size="1" pos="34" show="8" value="08"/>
<field name="icmp.code" showname="Code: 0 ()" size="1" pos="35" show="0x00" value="00"/>
<field name="icmp.checksum" showname="Checksum: 0x415c [correct]" size="2" pos="36" show="0x415c" value="415c"/>
<field name="icmp.ident" showname="Identifier: 0x0200" size="2" pos="38" show="0x0200" value="0200"/>
<field name="icmp.seq" showname="Sequence number: 2560 (0x0a00)" size="2" pos="40" show="2560" value="0a00"/>
<field name="data" value="6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869"/>
<field name="data.data" showname="Data: 6162636465666768696A6B6C6D6E6F707172737475767761..." size="32" pos="42" show="61:62:63:64:65:66:67:68:69:6a:6b:6c:6d:6e:6f:70:71:72:73:74:75:76:77:61:62:63:64:65:66:67:68:69" value="6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869"/>
</proto>
</packet>
<packet>
<proto name="geninfo" pos="0" showname="General information" size="74">
<field name="num" pos="0" show="2" showname="Number" value="2" size="74"/>
<field name="len" pos="0" show="74" showname="Packet Length" value="4a" size="74"/>
<field name="caplen" pos="0" show="74" showname="Captured Length" value="4a" size="74"/>
<field name="timestamp" pos="0" show="Jan 8, 2009 10:14:58.152631000" showname="Captured Time" value="1231373698.152631000" size="74"/>
</proto>
<proto name="frame" showname="Frame 2 (74 bytes on wire, 74 bytes captured)" size="74" pos="0">
<field name="frame.time" showname="Arrival Time: Jan 8, 2009 10:14:58.152631000" size="0" pos="0" show="Jan 8, 2009 10:14:58.152631000"/>
<field name="frame.time_delta" showname="Time delta from previous captured frame: 0.181465000 seconds" size="0" pos="0" show="0.181465000"/>
<field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.181465000 seconds" size="0" pos="0" show="0.181465000"/>
<field name="frame.time_relative" showname="Time since reference or first frame: 0.181465000 seconds" size="0" pos="0" show="0.181465000"/>
<field name="frame.number" showname="Frame Number: 2" size="0" pos="0" show="2"/>
<field name="frame.pkt_len" showname="Packet Length: 74 bytes" hide="yes" size="0" pos="0" show="74"/>
<field name="frame.len" showname="Frame Length: 74 bytes" size="0" pos="0" show="74"/>
<field name="frame.cap_len" showname="Capture Length: 74 bytes" size="0" pos="0" show="74"/>
<field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
<field name="frame.protocols" showname="Protocols in frame: eth:ip:icmp:data" size="0" pos="0" show="eth:ip:icmp:data"/>
</proto>
<proto name="eth" showname="Ethernet II, Src: Netgear_ea:06:78 (00:09:5b:ea:06:78), Dst: Intel_28:c7:f7 (00:18:de:28:c7:f7)" size="14" pos="0">
<field name="eth.dst" showname="Destination: Intel_28:c7:f7 (00:18:de:28:c7:f7)" size="6" pos="0" show="00:18:de:28:c7:f7" value="0018de28c7f7">
<field name="eth.addr" showname="Address: Intel_28:c7:f7 (00:18:de:28:c7:f7)" size="6" pos="0" show="00:18:de:28:c7:f7" value="0018de28c7f7"/>
<field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="0" show="0" value="0" unmaskedvalue="0018de"/>
<field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="0" show="0" value="0" unmaskedvalue="0018de"/>
</field>
<field name="eth.src" showname="Source: Netgear_ea:06:78 (00:09:5b:ea:06:78)" size="6" pos="6" show="00:09:5b:ea:06:78" value="00095bea0678">
<field name="eth.addr" showname="Address: Netgear_ea:06:78 (00:09:5b:ea:06:78)" size="6" pos="6" show="00:09:5b:ea:06:78" value="00095bea0678"/>
<field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="6" show="0" value="0" unmaskedvalue="00095b"/>
<field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="6" show="0" value="0" unmaskedvalue="00095b"/>
</field>
<field name="eth.type" showname="Type: IP (0x0800)" size="2" pos="12" show="0x0800" value="0800"/>
</proto>
<proto name="ip" showname="Internet Protocol, Src: 74.125.19.147 (74.125.19.147), Dst: 192.168.0.7 (192.168.0.7)" size="20" pos="14">
<field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
<field name="ip.hdr_len" showname="Header length: 20 bytes" size="1" pos="14" show="20" value="45"/>
<field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)" size="1" pos="15" show="0" value="00">
<field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0x00)" size="1" pos="15" show="0x00" value="0" unmaskedvalue="00"/>
<field name="ip.dsfield.ect" showname=".... ..0. = ECN-Capable Transport (ECT): 0" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
<field name="ip.dsfield.ce" showname=".... ...0 = ECN-CE: 0" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
</field>
<field name="ip.len" showname="Total Length: 60" size="2" pos="16" show="60" value="003c"/>
<field name="ip.id" showname="Identification: 0x57d9 (22489)" size="2" pos="18" show="0x57d9" value="57d9"/>
<field name="ip.flags" showname="Flags: 0x00" size="1" pos="20" show="0x00" value="00">
<field name="ip.flags.rb" showname="0... = Reserved bit: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="00"/>
<field name="ip.flags.df" showname=".0.. = Don't fragment: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="00"/>
<field name="ip.flags.mf" showname="..0. = More fragments: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="00"/>
</field>
<field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="20" show="0" value="0000"/>
<field name="ip.ttl" showname="Time to live: 239" size="1" pos="22" show="239" value="ef"/>
<field name="ip.proto" showname="Protocol: ICMP (0x01)" size="1" pos="23" show="0x01" value="01"/>
<field name="ip.checksum" showname="Header checksum: 0x5528 [correct]" size="2" pos="24" show="0x5528" value="5528">
<field name="ip.checksum_good" showname="Good: True" size="2" pos="24" show="1" value="5528"/>
<field name="ip.checksum_bad" showname="Bad : False" size="2" pos="24" show="0" value="5528"/>
</field>
<field name="ip.src" showname="Source: 74.125.19.147 (74.125.19.147)" size="4" pos="26" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.addr" showname="Source or Destination Address: 74.125.19.147 (74.125.19.147)" hide="yes" size="4" pos="26" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.src_host" showname="Source Host: 74.125.19.147" hide="yes" size="4" pos="26" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.host" showname="Source or Destination Host: 74.125.19.147" hide="yes" size="4" pos="26" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.dst" showname="Destination: 192.168.0.7 (192.168.0.7)" size="4" pos="30" show="192.168.0.7" value="c0a80007"/>
<field name="ip.addr" showname="Source or Destination Address: 192.168.0.7 (192.168.0.7)" hide="yes" size="4" pos="30" show="192.168.0.7" value="c0a80007"/>
<field name="ip.dst_host" showname="Destination Host: 192.168.0.7" hide="yes" size="4" pos="30" show="192.168.0.7" value="c0a80007"/>
<field name="ip.host" showname="Source or Destination Host: 192.168.0.7" hide="yes" size="4" pos="30" show="192.168.0.7" value="c0a80007"/>
</proto>
<proto name="icmp" showname="Internet Control Message Protocol" size="40" pos="34">
<field name="icmp.type" showname="Type: 0 (Echo (ping) reply)" size="1" pos="34" show="0" value="00"/>
<field name="icmp.code" showname="Code: 0 ()" size="1" pos="35" show="0x00" value="00"/>
<field name="icmp.checksum" showname="Checksum: 0x495c [correct]" size="2" pos="36" show="0x495c" value="495c"/>
<field name="icmp.ident" showname="Identifier: 0x0200" size="2" pos="38" show="0x0200" value="0200"/>
<field name="icmp.seq" showname="Sequence number: 2560 (0x0a00)" size="2" pos="40" show="2560" value="0a00"/>
<field name="data" value="6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869"/>
<field name="data.data" showname="Data: 6162636465666768696A6B6C6D6E6F707172737475767761..." size="32" pos="42" show="61:62:63:64:65:66:67:68:69:6a:6b:6c:6d:6e:6f:70:71:72:73:74:75:76:77:61:62:63:64:65:66:67:68:69" value="6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869"/>
</proto>
</packet>
<packet>
<proto name="geninfo" pos="0" showname="General information" size="74">
<field name="num" pos="0" show="3" showname="Number" value="3" size="74"/>
<field name="len" pos="0" show="74" showname="Packet Length" value="4a" size="74"/>
<field name="caplen" pos="0" show="74" showname="Captured Length" value="4a" size="74"/>
<field name="timestamp" pos="0" show="Jan 8, 2009 10:15:07.868765000" showname="Captured Time" value="1231373707.868765000" size="74"/>
</proto>
<proto name="frame" showname="Frame 3 (74 bytes on wire, 74 bytes captured)" size="74" pos="0">
<field name="frame.time" showname="Arrival Time: Jan 8, 2009 10:15:07.868765000" size="0" pos="0" show="Jan 8, 2009 10:15:07.868765000"/>
<field name="frame.time_delta" showname="Time delta from previous captured frame: 9.716134000 seconds" size="0" pos="0" show="9.716134000"/>
<field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 9.716134000 seconds" size="0" pos="0" show="9.716134000"/>
<field name="frame.time_relative" showname="Time since reference or first frame: 9.897599000 seconds" size="0" pos="0" show="9.897599000"/>
<field name="frame.number" showname="Frame Number: 3" size="0" pos="0" show="3"/>
<field name="frame.pkt_len" showname="Packet Length: 74 bytes" hide="yes" size="0" pos="0" show="74"/>
<field name="frame.len" showname="Frame Length: 74 bytes" size="0" pos="0" show="74"/>
<field name="frame.cap_len" showname="Capture Length: 74 bytes" size="0" pos="0" show="74"/>
<field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
<field name="frame.protocols" showname="Protocols in frame: eth:ip:icmp:data" size="0" pos="0" show="eth:ip:icmp:data"/>
</proto>
<proto name="eth" showname="Ethernet II, Src: Intel_28:c7:f7 (00:18:de:28:c7:f7), Dst: Netgear_ea:06:78 (00:09:5b:ea:06:78)" size="14" pos="0">
<field name="eth.dst" showname="Destination: Netgear_ea:06:78 (00:09:5b:ea:06:78)" size="6" pos="0" show="00:09:5b:ea:06:78" value="00095bea0678">
<field name="eth.addr" showname="Address: Netgear_ea:06:78 (00:09:5b:ea:06:78)" size="6" pos="0" show="00:09:5b:ea:06:78" value="00095bea0678"/>
<field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="0" show="0" value="0" unmaskedvalue="00095b"/>
<field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="0" show="0" value="0" unmaskedvalue="00095b"/>
</field>
<field name="eth.src" showname="Source: Intel_28:c7:f7 (00:18:de:28:c7:f7)" size="6" pos="6" show="00:18:de:28:c7:f7" value="0018de28c7f7">
<field name="eth.addr" showname="Address: Intel_28:c7:f7 (00:18:de:28:c7:f7)" size="6" pos="6" show="00:18:de:28:c7:f7" value="0018de28c7f7"/>
<field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="6" show="0" value="0" unmaskedvalue="0018de"/>
<field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="6" show="0" value="0" unmaskedvalue="0018de"/>
</field>
<field name="eth.type" showname="Type: IP (0x0800)" size="2" pos="12" show="0x0800" value="0800"/>
</proto>
<proto name="ip" showname="Internet Protocol, Src: 192.168.0.7 (192.168.0.7), Dst: 74.125.19.147 (74.125.19.147)" size="20" pos="14">
<field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
<field name="ip.hdr_len" showname="Header length: 20 bytes" size="1" pos="14" show="20" value="45"/>
<field name="ip.dsfield" showname="Differentiated Services Field: 0x88 (DSCP 0x22: Assured Forwarding 41; ECN: 0x00)" size="1" pos="15" show="136" value="88">
<field name="ip.dsfield.dscp" showname="1000 10.. = Differentiated Services Codepoint: Assured Forwarding 41 (0x22)" size="1" pos="15" show="0x22" value="22" unmaskedvalue="88"/>
<field name="ip.dsfield.ect" showname=".... ..0. = ECN-Capable Transport (ECT): 0" size="1" pos="15" show="0" value="0" unmaskedvalue="88"/>
<field name="ip.dsfield.ce" showname=".... ...0 = ECN-CE: 0" size="1" pos="15" show="0" value="0" unmaskedvalue="88"/>
</field>
<field name="ip.len" showname="Total Length: 60" size="2" pos="16" show="60" value="003c"/>
<field name="ip.id" showname="Identification: 0x8519 (34073)" size="2" pos="18" show="0x8519" value="8519"/>
<field name="ip.flags" showname="Flags: 0x00" size="1" pos="20" show="0x00" value="00">
<field name="ip.flags.rb" showname="0... = Reserved bit: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="00"/>
<field name="ip.flags.df" showname=".0.. = Don't fragment: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="00"/>
<field name="ip.flags.mf" showname="..0. = More fragments: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="00"/>
</field>
<field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="20" show="0" value="0000"/>
<field name="ip.ttl" showname="Time to live: 128" size="1" pos="22" show="128" value="80"/>
<field name="ip.proto" showname="Protocol: ICMP (0x01)" size="1" pos="23" show="0x01" value="01"/>
<field name="ip.checksum" showname="Header checksum: 0x9660 [correct]" size="2" pos="24" show="0x9660" value="9660">
<field name="ip.checksum_good" showname="Good: True" size="2" pos="24" show="1" value="9660"/>
<field name="ip.checksum_bad" showname="Bad : False" size="2" pos="24" show="0" value="9660"/>
</field>
<field name="ip.src" showname="Source: 192.168.0.7 (192.168.0.7)" size="4" pos="26" show="192.168.0.7" value="c0a80007"/>
<field name="ip.addr" showname="Source or Destination Address: 192.168.0.7 (192.168.0.7)" hide="yes" size="4" pos="26" show="192.168.0.7" value="c0a80007"/>
<field name="ip.src_host" showname="Source Host: 192.168.0.7" hide="yes" size="4" pos="26" show="192.168.0.7" value="c0a80007"/>
<field name="ip.host" showname="Source or Destination Host: 192.168.0.7" hide="yes" size="4" pos="26" show="192.168.0.7" value="c0a80007"/>
<field name="ip.dst" showname="Destination: 74.125.19.147 (74.125.19.147)" size="4" pos="30" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.addr" showname="Source or Destination Address: 74.125.19.147 (74.125.19.147)" hide="yes" size="4" pos="30" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.dst_host" showname="Destination Host: 74.125.19.147" hide="yes" size="4" pos="30" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.host" showname="Source or Destination Host: 74.125.19.147" hide="yes" size="4" pos="30" show="74.125.19.147" value="4a7d1393"/>
</proto>
<proto name="icmp" showname="Internet Control Message Protocol" size="40" pos="34">
<field name="icmp.type" showname="Type: 8 (Echo (ping) request)" size="1" pos="34" show="8" value="08"/>
<field name="icmp.code" showname="Code: 0 ()" size="1" pos="35" show="0x00" value="00"/>
<field name="icmp.checksum" showname="Checksum: 0x405c [correct]" size="2" pos="36" show="0x405c" value="405c"/>
<field name="icmp.ident" showname="Identifier: 0x0200" size="2" pos="38" show="0x0200" value="0200"/>
<field name="icmp.seq" showname="Sequence number: 2816 (0x0b00)" size="2" pos="40" show="2816" value="0b00"/>
<field name="data" value="6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869"/>
<field name="data.data" showname="Data: 6162636465666768696A6B6C6D6E6F707172737475767761..." size="32" pos="42" show="61:62:63:64:65:66:67:68:69:6a:6b:6c:6d:6e:6f:70:71:72:73:74:75:76:77:61:62:63:64:65:66:67:68:69" value="6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869"/>
</proto>
</packet>
<packet>
<proto name="geninfo" pos="0" showname="General information" size="74">
<field name="num" pos="0" show="4" showname="Number" value="4" size="74"/>
<field name="len" pos="0" show="74" showname="Packet Length" value="4a" size="74"/>
<field name="caplen" pos="0" show="74" showname="Captured Length" value="4a" size="74"/>
<field name="timestamp" pos="0" show="Jan 8, 2009 10:15:08.050934000" showname="Captured Time" value="1231373708.050934000" size="74"/>
</proto>
<proto name="frame" showname="Frame 4 (74 bytes on wire, 74 bytes captured)" size="74" pos="0">
<field name="frame.time" showname="Arrival Time: Jan 8, 2009 10:15:08.050934000" size="0" pos="0" show="Jan 8, 2009 10:15:08.050934000"/>
<field name="frame.time_delta" showname="Time delta from previous captured frame: 0.182169000 seconds" size="0" pos="0" show="0.182169000"/>
<field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.182169000 seconds" size="0" pos="0" show="0.182169000"/>
<field name="frame.time_relative" showname="Time since reference or first frame: 10.079768000 seconds" size="0" pos="0" show="10.079768000"/>
<field name="frame.number" showname="Frame Number: 4" size="0" pos="0" show="4"/>
<field name="frame.pkt_len" showname="Packet Length: 74 bytes" hide="yes" size="0" pos="0" show="74"/>
<field name="frame.len" showname="Frame Length: 74 bytes" size="0" pos="0" show="74"/>
<field name="frame.cap_len" showname="Capture Length: 74 bytes" size="0" pos="0" show="74"/>
<field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
<field name="frame.protocols" showname="Protocols in frame: eth:ip:icmp:data" size="0" pos="0" show="eth:ip:icmp:data"/>
</proto>
<proto name="eth" showname="Ethernet II, Src: Netgear_ea:06:78 (00:09:5b:ea:06:78), Dst: Intel_28:c7:f7 (00:18:de:28:c7:f7)" size="14" pos="0">
<field name="eth.dst" showname="Destination: Intel_28:c7:f7 (00:18:de:28:c7:f7)" size="6" pos="0" show="00:18:de:28:c7:f7" value="0018de28c7f7">
<field name="eth.addr" showname="Address: Intel_28:c7:f7 (00:18:de:28:c7:f7)" size="6" pos="0" show="00:18:de:28:c7:f7" value="0018de28c7f7"/>
<field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="0" show="0" value="0" unmaskedvalue="0018de"/>
<field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="0" show="0" value="0" unmaskedvalue="0018de"/>
</field>
<field name="eth.src" showname="Source: Netgear_ea:06:78 (00:09:5b:ea:06:78)" size="6" pos="6" show="00:09:5b:ea:06:78" value="00095bea0678">
<field name="eth.addr" showname="Address: Netgear_ea:06:78 (00:09:5b:ea:06:78)" size="6" pos="6" show="00:09:5b:ea:06:78" value="00095bea0678"/>
<field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="6" show="0" value="0" unmaskedvalue="00095b"/>
<field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="6" show="0" value="0" unmaskedvalue="00095b"/>
</field>
<field name="eth.type" showname="Type: IP (0x0800)" size="2" pos="12" show="0x0800" value="0800"/>
</proto>
<proto name="ip" showname="Internet Protocol, Src: 74.125.19.147 (74.125.19.147), Dst: 192.168.0.7 (192.168.0.7)" size="20" pos="14">
<field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
<field name="ip.hdr_len" showname="Header length: 20 bytes" size="1" pos="14" show="20" value="45"/>
<field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)" size="1" pos="15" show="0" value="00">
<field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0x00)" size="1" pos="15" show="0x00" value="0" unmaskedvalue="00"/>
<field name="ip.dsfield.ect" showname=".... ..0. = ECN-Capable Transport (ECT): 0" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
<field name="ip.dsfield.ce" showname=".... ...0 = ECN-CE: 0" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
</field>
<field name="ip.len" showname="Total Length: 60" size="2" pos="16" show="60" value="003c"/>
<field name="ip.id" showname="Identification: 0x57db (22491)" size="2" pos="18" show="0x57db" value="57db"/>
<field name="ip.flags" showname="Flags: 0x00" size="1" pos="20" show="0x00" value="00">
<field name="ip.flags.rb" showname="0... = Reserved bit: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="00"/>
<field name="ip.flags.df" showname=".0.. = Don't fragment: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="00"/>
<field name="ip.flags.mf" showname="..0. = More fragments: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="00"/>
</field>
<field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="20" show="0" value="0000"/>
<field name="ip.ttl" showname="Time to live: 239" size="1" pos="22" show="239" value="ef"/>
<field name="ip.proto" showname="Protocol: ICMP (0x01)" size="1" pos="23" show="0x01" value="01"/>
<field name="ip.checksum" showname="Header checksum: 0x5526 [correct]" size="2" pos="24" show="0x5526" value="5526">
<field name="ip.checksum_good" showname="Good: True" size="2" pos="24" show="1" value="5526"/>
<field name="ip.checksum_bad" showname="Bad : False" size="2" pos="24" show="0" value="5526"/>
</field>
<field name="ip.src" showname="Source: 74.125.19.147 (74.125.19.147)" size="4" pos="26" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.addr" showname="Source or Destination Address: 74.125.19.147 (74.125.19.147)" hide="yes" size="4" pos="26" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.src_host" showname="Source Host: 74.125.19.147" hide="yes" size="4" pos="26" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.host" showname="Source or Destination Host: 74.125.19.147" hide="yes" size="4" pos="26" show="74.125.19.147" value="4a7d1393"/>
<field name="ip.dst" showname="Destination: 192.168.0.7 (192.168.0.7)" size="4" pos="30" show="192.168.0.7" value="c0a80007"/>
<field name="ip.addr" showname="Source or Destination Address: 192.168.0.7 (192.168.0.7)" hide="yes" size="4" pos="30" show="192.168.0.7" value="c0a80007"/>
<field name="ip.dst_host" showname="Destination Host: 192.168.0.7" hide="yes" size="4" pos="30" show="192.168.0.7" value="c0a80007"/>
<field name="ip.host" showname="Source or Destination Host: 192.168.0.7" hide="yes" size="4" pos="30" show="192.168.0.7" value="c0a80007"/>
</proto>
<proto name="icmp" showname="Internet Control Message Protocol" size="40" pos="34">
<field name="icmp.type" showname="Type: 0 (Echo (ping) reply)" size="1" pos="34" show="0" value="00"/>
<field name="icmp.code" showname="Code: 0 ()" size="1" pos="35" show="0x00" value="00"/>
<field name="icmp.checksum" showname="Checksum: 0x485c [correct]" size="2" pos="36" show="0x485c" value="485c"/>
<field name="icmp.ident" showname="Identifier: 0x0200" size="2" pos="38" show="0x0200" value="0200"/>
<field name="icmp.seq" showname="Sequence number: 2816 (0x0b00)" size="2" pos="40" show="2816" value="0b00"/>
<field name="data" value="6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869"/>
<field name="data.data" showname="Data: 6162636465666768696A6B6C6D6E6F707172737475767761..." size="32" pos="42" show="61:62:63:64:65:66:67:68:69:6a:6b:6c:6d:6e:6f:70:71:72:73:74:75:76:77:61:62:63:64:65:66:67:68:69" value="6162636465666768696a6b6c6d6e6f7071727374757677616263646566676869"/>
</proto>
</packet>
</pdml>
The Moose and Squirrel Files 