Recall the Hex

Before analysing a packet in Wireshark, we need one basic skill: reading hexadecimal numbers.

One hex digit represents 4 bits, so two hex digits represent 8 bits, which is 1 byte. This is why Wireshark groups hex digits in pairs: it makes the bytes easier to count.

 

Data-Link Layer

Recall that the Ethernet frame header contains a 6-byte destination MAC address, a 6-byte source MAC address and a 2-byte EtherType, 14 bytes in total.

Let's take a Wireshark capture as an example:

There are 14 groups of two hex digits, which represent the 14 bytes of the Ethernet frame header.

 

Network Layer

Recall that the IP header is 20 bytes (an IPv4 header without options).

 

 

Again, take this capture as an example:

TTL: different operating systems use different default TTL values, so the TTL can also be used to guess the OS type. The mapping is shown below:

| Operating System | Decimal TTL | Hex TTL |
|------------------|-------------|---------|
| Linux            | 64          | 40      |
| Windows          | 128         | 80      |
| Cisco/Hardware   | 255         | FF      |

 

Protocol: the mapping is shown below:

| Protocol | Decimal Value | Hex Value |
|----------|---------------|-----------|
| ICMP     | 1             | 1         |
| TCP      | 6             | 6         |
| EGP      | 8             | 8         |
| UDP      | 17            | 11        |
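
To tie the byte counts and the two tables together, here is an added Python example (not part of the original post) that reads a hex dump the way Wireshark displays it, splits off the 14-byte Ethernet header and the IPv4 header, and looks up the TTL and Protocol bytes. The function names and the sample frame are constructed for illustration, and the rule of rounding an observed TTL up to the nearest initial value goes beyond the table above: it assumes each router hop lowers the TTL by one.

```python
import struct

# Mappings copied from the TTL and Protocol tables on this page.
INITIAL_TTL = {64: "Linux", 128: "Windows", 255: "Cisco/Hardware"}
PROTOCOLS = {1: "ICMP", 6: "TCP", 8: "EGP", 17: "UDP"}

# Constructed sample (not a real capture): 14-byte Ethernet header followed by
# a 20-byte IPv4 header, written as Wireshark shows it, two hex digits per byte.
SAMPLE_HEX = """
00 11 22 33 44 55 66 77 88 99 aa bb 08 00
45 00 00 54 1c 46 40 00 3d 01 00 00 c0 a8 01 0a c0 a8 02 14
"""

def guess_os(ttl):
    """Assumption: each hop lowers the TTL by one, so choose the smallest
    initial TTL from the table that is >= the observed value. A hint only:
    the initial TTL is configurable on the sender."""
    for initial in sorted(INITIAL_TTL):
        if ttl <= initial:
            return INITIAL_TTL[initial], initial - ttl
    raise ValueError("TTL must fit in one byte (0-255)")

def parse_frame(hex_dump):
    raw = bytes.fromhex("".join(hex_dump.split()))  # 2 hex digits -> 1 byte
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ethertype = struct.unpack("!H", raw[12:14])[0]
    out = {"dst_mac": fmt_mac(raw[0:6]), "src_mac": fmt_mac(raw[6:12]),
           "ethertype": ethertype}
    if ethertype != 0x0800:          # 0x0800 = IPv4; anything else stops here
        return out
    ip = raw[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    os_name, hops = guess_os(ip[8])  # TTL is byte 8 of the IP header
    out.update(
        ip_header_len=(ip[0] & 0x0F) * 4,  # IHL is in 32-bit words: 5 -> 20
        ttl=ip[8],
        protocol=PROTOCOLS.get(ip[9], f"unknown ({ip[9]})"),  # byte 9
        os_guess=os_name, hops_away=hops,
        src_ip=".".join(map(str, ip[12:16])),
        dst_ip=".".join(map(str, ip[16:20])),
    )
    return out

if __name__ == "__main__":
    for field, value in parse_frame(SAMPLE_HEX).items():
        print(f"{field:14} {value}")
```

The sample's TTL byte is 3d (61 decimal), which matches none of the table values exactly; the lookup reports Linux at 3 hops away. The header checksum in the sample is left as zero and is not validated.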