Recall the Hex
Before analysing a packet in Wireshark, we must pick up one basic skill: reading hex numbers.
One hex digit takes 4 bits, so two hex digits take 8 bits, which is 1 byte. This is also why Wireshark groups the hex digits two by two, making it easier to count the number of bytes.
Data-Link Layer
Recall that the Ethernet frame header contains a 6-byte destination MAC address, a 6-byte source MAC address and a 2-byte EtherType, 14 bytes in total.
Let's take a Wireshark capture as an example:
There are 14 groups of hex digits, each group two digits wide, representing the 14-byte Ethernet frame header.
Network Layer
Recall the IP header is 20 bytes.
Also take this picture as an example:
TTL: different operating systems use different initial TTL values, so we can also use this field to guess the OS type. The mapping is shown below:
| Operating System | Decimal TTL | Hex TTL |
|---|---|---|
| Linux | 64 | 40 |
| Windows | 128 | 80 |
| Cisco/Hardware | 255 | FF |
Protocol: see below for the mapping:
| Description | Decimal Value | Hex Value |
|---|---|---|
| ICMP | 1 | 1 |
| TCP | 6 | 6 |
| EGP | 8 | 8 |
| UDP | 17 | 11 |
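To tie the Ethernet and IP header layout and the two tables above together, here is an added Python example (not code from the original post) that parses a constructed hex dump, the same two-digit-per-byte form Wireshark shows, and maps the TTL and protocol bytes using the tables. The sample bytes, the `guess_os` rule that rounds an observed TTL up to the nearest initial value (since TTL drops by one per hop) and the reading of the IHL nibble are my additions.

```python
import struct

TTL_TO_OS = {64: "Linux", 128: "Windows", 255: "Cisco/Hardware"}
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 8: "EGP", 17: "UDP"}

def guess_os(ttl):
    """Round an observed TTL up to the nearest initial value in the table.
    TTL is decremented once per hop, so e.g. 57 most likely started at 64.
    (Assumption: a heuristic, not part of the original post.)"""
    for initial in sorted(TTL_TO_OS):
        if ttl <= initial:
            return TTL_TO_OS[initial]
    return "unknown"

def parse_frame(hex_dump):
    """Return the Ethernet and IPv4 header fields found in a hex dump string."""
    data = bytes.fromhex(hex_dump)
    # Ethernet header: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType = 14 bytes
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4, EtherType 0x%04x" % ethertype)
    ip = data[14:]
    # First IP byte: high nibble is the version, low nibble is the header
    # length (IHL) in 32-bit words; 5 words = the usual 20 bytes, more if options.
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    # Within the IP header, byte 8 is TTL and byte 9 is the protocol number.
    ttl, proto = ip[8], ip[9]
    return {
        "dst_mac": dst.hex(":"),
        "src_mac": src.hex(":"),
        "ethertype": ethertype,
        "ip_version": version,
        "ip_header_len": ihl,
        "ttl": ttl,
        "ttl_hex": "%02X" % ttl,
        "os_guess": guess_os(ttl),
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "unknown"),
    }

# Constructed sample: Ethernet header + 20-byte IPv4 header, TTL 0x40, protocol 0x11.
# (Checksum left as 00 00; it is not needed to read the fields.)
SAMPLE = (
    "00 11 22 33 44 55 "                     # destination MAC
    "66 77 88 99 aa bb "                     # source MAC
    "08 00 "                                 # EtherType: IPv4
    "45 00 00 3c 1c 46 40 00 40 11 00 00 "   # ver/IHL ... TTL=40, proto=11, checksum
    "c0 a8 00 01 "                           # source IP 192.168.0.1
    "c0 a8 00 c7 "                           # destination IP 192.168.0.199
)
```

Running `parse_frame(SAMPLE)` reports TTL 64 (hex 40, guessed Linux) and protocol 17 (hex 11, UDP), exactly the values you would count off the two-digit groups in Wireshark's hex pane.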