I would guess it all starts with a packet capture using something like Ethereal or Sniffer. But once you have the data, how would you go about determining where frames and headers begin and end? And what is the methodology used to decrypt the data in those if they are encrypted?