

Packet sniffer.


Xframe sniffs everything on your network in promiscuous mode, captures packets at the lowest possible level, then demultiplexes them up to the transport layer protocols - fast. Traffic per protocol is shown in realtime in nine synchronised windows as well as in log files with complete data for every transaction at every layer.

Here's how it works.


Networking occurs through four layers. The diagram below represents these layers.

Device Driver/NIC

The link layer normally includes the device driver in the operating system and the network interface card (NIC) in the computer.

  • The link layer handles the physical interface with the network.
  • The network layer handles the movement of data around the network.
  • The transport layer provides a flow of data between two hosts.
  • The application layer handles the details of client applications.

Frames enter the computer from the network at the link level and are then demultiplexed upwards in the diagram, from the link level to either the ARP, IP, or RARP protocols at the network level.

The IP protocols will pass the data on to either the ICMP, IGMP, TCP, or UDP protocols at the transport level. These protocols will then refer the data to their respective client applications.

Layering & Xframe

The main window of Xframe shows data at the link level, the lowest possible level. The data is thereafter demultiplexed to either the ARP or the IP windows (the ARP window handles the RARP protocol as well).

Data demultiplexed to the IP protocol is further demultiplexed to a transport layer protocol - either ICMP, IGMP, TCP, or UDP.


As user data leaves the application level it is encapsulated by its corresponding application protocol (such as FTP, HTTP, POP, or SMTP) and sent to the transport layer.

The transport layer protocol - either ICMP, IGMP, TCP, or UDP - then encapsulates the data further and sends it to the network layer.

The network layer protocol - ARP, IP, or RARP - again encapsulates the data and sends it to the link layer, and the device driver yet again encapsulates the data and then uses the NIC to send the data onto the network.

Frame Structure, Frame Types

The frame header has a six byte hardware destination address, a six byte hardware source address, and a two byte frame type field. (With the less used IEEE encapsulation the frame type occurs later in the frame.) The contents of the frame follow immediately after the frame type field.

Xframe recognises the three common frame types ARP, IP, and RARP, each corresponding to a network layer protocol.


Xframe displays ARP and RARP frames in the same window as the formats for both are identical. ARP (Address Resolution Protocol) is used to couple hardware addresses with IP addresses while RARP, the 'reverse' ARP protocol works the other way around.

IP Datagrams

IP datagrams are 46 - 1500 bytes in length (38 - 1492 bytes for the IEEE encapsulation type). Only the IP datagram contains the source and destination IP addresses for the frame. The total length of the IP datagram header, barring any optional data, is five doublewords (20 bytes).


ICMP (Internet Control Message Protocol) is often used to report networking errors. It is also used for well known applications such as PING and Traceroute. You can also see ICMP in action as soon as your computer makes a dialup connection - 'router solicit' messages are sent to multicast addresses in the 224 E-class range.

The format of the ICMP frame can vary greatly but the first two fields are always the same and are always used to denote the frame type. Frames generated by network errors often include the complete IP header and the first eight bytes of the IP datagram.


IGMP (Internet Group Message Protocol) groups hosts to routers with subnet masks. It is very seldom seen in stand-alone use of Xframe.

Unlike other datagrams, IGMP has a fixed size header - no options - and this header is always eight bytes.


TCP (Transmission Control Protocol) is the logic which makes the IP work in a reliable virtual circuit. It is with TCP that we see many of the common Internet services of today such as FTP, HTTP, POP and SMTP. By binding these services to well-known ports, the network IP layer can demultiplex data to its intended recipients.

The TCP header - without options - is twenty bytes.

The eight TCP flags show how a secure TCP connection is both established and ended. The sequence number helps trace the conversation, as does the acknowledgement number. The ports define what the conversation is all about. Use of port 21 indicates FTP, port 80 HTTP, port 110 POP, port 25 SMTP, and so forth.


UDP (User Datagram Protocol) is an unreliable protocol. If TCP is a telephone conversation then UDP is a telegram: data is sent but the protocol cannot know if it arrives - or arrives more than once.

DNS queries (port 53) are a common use of UDP. Ping and traceroute can also use UDP.
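The demultiplexing path described above (frame type field, then the IP protocol field, then the port) can be followed by hand on raw bytes. This is an added sketch, not Xframe's own code: `demux` and `SAMPLE` are hypothetical names, the sample frame is constructed, and the frame type and protocol numbers are the standard assigned values.

```python
import struct

# Frame types and protocol numbers for the protocols named on this page.
FRAME_TYPES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP"}
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
SERVICES = {21: "FTP", 25: "SMTP", 53: "DNS", 80: "HTTP", 110: "POP"}

# Constructed sample: one UDP datagram to port 53 (addresses from 192.0.2.0/24,
# checksums left at zero because this sketch does not verify them).
SAMPLE = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"   # dst MAC, src MAC, frame type
    "4500001d" "00010000" "40110000"       # IP: ver/IHL, length 29, TTL, proto 17
    "c0000201" "c0000235"                  # 192.0.2.1 -> 192.0.2.53
    "c000" "0035" "0009" "0000" "00"       # UDP: ports, length, checksum, 1 byte
)


def demux(frame):
    """Demultiplex one frame upwards: link -> network -> transport -> port."""
    if len(frame) < 14:
        raise ValueError("truncated frame header")
    dst, src, ftype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst": dst.hex(":"), "src": src.hex(":")}
    if ftype <= 1500:  # IEEE encapsulation: this field is a length, type comes later
        out["network"] = "IEEE"
        return out
    out["network"] = FRAME_TYPES.get(ftype, f"unknown 0x{ftype:04x}")
    if out["network"] != "IP":
        return out
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes, 20 when there are no options
    total, _ident, frag = struct.unpack("!HHH", ip[2:8])
    if ihl < 20 or total < ihl or len(ip) < total:
        raise ValueError("inconsistent IP header lengths")
    out["ip_src"] = ".".join(map(str, ip[12:16]))
    out["ip_dst"] = ".".join(map(str, ip[16:20]))
    out["transport"] = IP_PROTOCOLS.get(ip[9], f"unknown {ip[9]}")
    segment = ip[ihl:total]  # total length excludes any link-layer padding
    # Only the first fragment (offset 0) carries the TCP/UDP header.
    if out["transport"] in ("TCP", "UDP") and frag & 0x1FFF == 0:
        if len(segment) < 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", segment[:4])
        out["ports"] = (sport, dport)
        out["service"] = SERVICES.get(dport) or SERVICES.get(sport)
    return out
```

Calling `demux(SAMPLE)` returns the addresses and protocol seen at each layer; a later IP fragment is reported without ports because it carries no transport header.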

Philosophy of Xframe

The key to Xframe is 'raw data'. The TCP/IP stack is not even used and the sockets API is completely ignored. What you see is what you get.

But in inimitable Rixstep tradition you also see 'everything'. Pains have been taken to recognise all known forms of data at this lowest possible level and to correctly format them. For example, IGMP data is seldom seen, yet it can occur, and so it is included.

And while as little as possible is done to 'doctor' the data so you know that what you are seeing is exactly what you get, conveniences have been built in to make it easier to study this data.

Auto Prune

Xframe will automatically keep each of its seven window listings at 500 rows or fewer, to prevent the application from 'hogging' too much RAM as time goes by.

You can clear all windows by clicking the 'clear' button on the toolbar.

Viewing Raw Data

Double click any row item in any window to view the raw frame data.

Synchronising Views

To see the 'big picture' for any given frame, select an item in any window and choose Sync (⌘=) on the menu or on the toolbar. Xframe highlights all corresponding items in all other windows.

The Xframe Log

Xframe can log all packets to disk complete with hexadecimal and character representation and full data from all demultiplexing levels.

Copyright © Rixstep. All rights reserved.