
Chapter 10

PACKET ANALYSIS

TCP/IP Layering

The TCP/IP architecture consists of several layers, each performing specific functions. Each layer is responsible for a different part of the communication and contains its own protocols. There are four general layers in the TCP/IP stack:

1) Data-link layer
2) Network / Internet layer
3) Transport layer
4) Application layer

Data-link Layer

This layer is the lowest layer in the TCP/IP stack and is implemented within the network interface card and its device driver. It handles all the physical interfacing with the transmission medium.

Network Layer

This layer is also known as the Internet Layer. It handles the delivery of packets across the network from source to destination, including routing. The primary protocol at this layer is the Internet Protocol (IP).

Transport Layer

This layer provides the flow of data between two hosts. It offers two types of service to the Application Layer:

1) connection-oriented service, provided by TCP (Transmission Control Protocol)
2) connectionless service, provided by UDP (User Datagram Protocol)

Application Layer

This layer is the top layer in the TCP/IP stack. It handles the details of each user application program or process. Examples of application layer protocols:

File Transfer Protocol (FTP)
Simple Mail Transfer Protocol (SMTP)
Hypertext Transfer Protocol (HTTP)

Encapsulation

Encapsulation is the process that occurs whenever data flows down from one layer to the next. The data is sent down the TCP/IP protocol stack through each of the four layers, and each layer appends its header and trailer (if any) to the data as it passes through.

Decapsulation is the process that occurs whenever data flows up from one layer to the next. The data is sent up the TCP/IP protocol stack through each of the four layers, and each layer removes its header and trailer (if any) from the data as it passes through.

The unit of data that TCP sends to IP is called a TCP segment. The unit of data that UDP sends to IP is called a UDP datagram. The unit of data that IP sends to the network interface is called a packet or IP datagram. The data that flows across Ethernet is called a frame.

Core Protocols

There are 3 important TCP/IP protocols discussed here: IP, TCP and UDP. TCP and UDP both hand their data to IP. For the receiver to identify which protocol sent the data, IP must set the protocol field in the IP header. The values are:

06 (hex) or 6 (dec) for TCP
11 (hex) or 17 (dec) for UDP

Packet Filtering

Packet filtering is the process of capturing and filtering the TCP/IP packets that traverse the network, in a consistent way. Most packet filtering software displays the TCP/IP packet structure in hexadecimal, using two-byte chunks. For example, the first ten bytes would be represented by five chunks like this:

xxxx xxxx xxxx xxxx xxxx

1 hex chunk = 2 bytes

TCP/IP

Every TCP/IP packet starts with the IP header, followed by a TCP header or a UDP header. This means that the structure of every TCP and UDP packet must begin with the IP header structure.

TCP Segment encapsulated in IP Datagram

UDP Datagram encapsulated in IP Datagram

Internet Protocol (IP)

IP is an important protocol of the TCP/IP protocol suite. The purpose of this protocol is to move IP datagrams through an interconnected network. All TCP and UDP data is transmitted as IP datagrams.

The structure of the IP datagram is shown in the figure below.

Figure: Structure of the IP Datagram, from RFC 791 (each row is 4 bytes wide)

The normal size of the IP header without options is 20 bytes. If options are present, the IP header grows, up to 60 bytes. The maximum size of an IP datagram (IP header + data) is 65535 bytes.

The IP header is followed by either a TCP header or a UDP header to form an IP datagram. The TCP header takes up the next 20 bytes after the IP header, and the UDP header takes up the next 8 bytes after the IP header.

One hexadecimal chunk gives the value of 2 bytes. The normal size of an IP header without options is 20 bytes, so the IP header is the first 10 hexadecimal chunks.

Transmission Control Protocol (TCP)


TCP is a transport layer protocol that provides a connection-oriented and reliable service to the application layer. The information passed by TCP to IP is called a TCP segment, and it is encapsulated within an IP datagram as shown in the figure.

TCP Segment encapsulated in IP Datagram

The TCP segment is located after the IP header. Therefore, the IP header will carry a protocol number of 6 to indicate that the data that follows is a TCP segment. A TCP segment can be broken down into two parts: the TCP header and the TCP data. The structure of the TCP segment (RFC 793) is shown below:

Figure: IP datagram (TCP). The TCP segment (TCP header + TCP data) is located after the IP header; the IP header protocol field = 6.

As mentioned before, the normal size of the TCP header is 20 bytes. If this TCP header is written as hexadecimal chunks, the TCP header is the first 10 hexadecimal chunks located after the IP header, followed by the TCP data, as in the figure:

TCP Header

User Datagram Protocol (UDP)


UDP is also a transport layer protocol, but it is simpler than TCP. It provides a connectionless and unreliable service, since it neither issues acknowledgements to the sender upon receipt of data nor informs the sender that data was lost.

As mentioned before, the information passed by UDP to IP is called a UDP datagram, and it is encapsulated within an IP datagram as shown in the figure below:

UDP Datagram encapsulated in IP Datagram

The UDP datagram is located after the IP header. Therefore, the IP header will carry a protocol number of 17 to indicate that the data that follows is a UDP datagram. A UDP datagram can generally be broken down into two parts: the UDP header and the UDP data. The UDP header is short and simple.

UDP Datagram

The normal size of the UDP header is 8 bytes, which consists of source and destination port numbers, UDP length and checksum.

Figure: IP datagram (UDP). The UDP datagram (UDP header + UDP data) is located after the IP header.

The normal size of the UDP header is 8 bytes. If this UDP header is written as hexadecimal chunks, the UDP header is the first 4 hexadecimal chunks located after the IP header, followed by the UDP data, as shown in the figure below:
Refer to Attachment 3

UDP Header

Port numbers and Services

SERVICES                                PORT NUMBER
File Transfer Protocol (FTP)            21
Telnet                                  23
Hypertext Transfer Protocol (HTTP)      80
Simple Mail Transfer Protocol (SMTP)    25
Domain Name System (DNS)                53

Exercise 1
4500 cf7e a009 0014 003c 0a66 4000 4006 7f45 04c5 0050 801e 3fc4 fe70 0000/ 0204 7e59 0000 0000 0103 a320 cfac 6ec5 78e3 0000 0000 05cc 0402 080a 0300

Assume that no IP options are present (option = none).

You need to identify:

1) Version of IP =
2) Protocol field =
3) Source / Sender IP address =
4) Destination / Receiver IP address =
5) Source Port number =
6) Destination Port number =
7) Sequence number =
8) Acknowledgement number =
9) Reserved and Flag bits =
10) Services running =

Invalid Packets

How do you know if a packet is an invalid packet?

1) Packet too long (> 65,535 bytes) or too short (< 28 bytes).
2) Flag bits = 0.
3) Invalid version number (current version = 4).
4) Destination address = Source address.
5) Reserved bit is ON.
6) Total length of packet exceeds 65,535 bytes.
7) Padding does not exist, so the IP header does not end on a 32-bit boundary.
8) The SYN and FIN flags are both ON.
9) All flag bits are ON.
10) Port number for client > 65,535.
11) etc.
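A small parser and validity checker for dumps in this two-byte-chunk format, written as an added example (not part of the lecture): it decodes the IP, TCP and UDP header fields asked for in Exercise 1 and applies the invalid-packet checks listed above. The sample dumps, addresses and checksum values are constructed for illustration and are not the Exercise 1 packet.

```python
import struct

# Port-to-service table taken from the "Port numbers and Services" slide.
SERVICES = {21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP"}

def parse_packet(hex_dump):
    """Decode an IP header and the TCP/UDP header after it from a dump written
    in two-byte hex chunks ("4500 0028 ..."). Returns a dict of header fields."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4                      # IHL is in 32-bit words
    pkt = {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len,
           "protocol": proto, "raw_length": len(raw),
           "src": ".".join(str(b) for b in raw[12:16]),
           "dst": ".".join(str(b) for b in raw[16:20])}
    l4 = raw[ihl:]
    if proto == 6:                                  # TCP: 20-byte header = 10 chunks
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        pkt.update(src_port=sport, dst_port=dport, seq=seq, ack=ack,
                   data_offset=(off_flags >> 12) * 4,
                   reserved=(off_flags >> 6) & 0x3F,  # 6 reserved bits (RFC 793)
                   flags=off_flags & 0x3F)            # URG ACK PSH RST SYN FIN
    elif proto == 17:                               # UDP: 8-byte header = 4 chunks
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        pkt.update(src_port=sport, dst_port=dport, udp_length=ulen)
    return pkt

def services(pkt):
    """Well-known service names for either port, when the table knows them."""
    return sorted({SERVICES[p] for p in (pkt.get("src_port"), pkt.get("dst_port")) if p in SERVICES})

def invalid_reasons(pkt):
    """Apply the slide's invalid-packet checks; an empty list means the packet passed."""
    tcp = pkt["protocol"] == 6
    checks = [
        (pkt["version"] != 4, "version is not 4"),
        (not 28 <= pkt["raw_length"] <= 65535, "shorter than 28 or longer than 65535 bytes"),
        (pkt["ihl"] < 20, "IP header shorter than the 20-byte minimum"),
        (pkt["src"] == pkt["dst"], "destination address equals source address"),
        (tcp and pkt["reserved"] != 0, "TCP reserved bits are set"),
        (tcp and pkt["flags"] == 0, "no TCP flags set"),
        (tcp and pkt["flags"] & 0x03 == 0x03, "SYN and FIN both set"),
        (tcp and pkt["flags"] == 0x3F, "all TCP flags set"),
    ]
    return [msg for bad, msg in checks if bad]

# Constructed sample dumps (checksum chunks are placeholders, not computed).
GOOD_SYN = "4500 0028 1c46 4000 4006 b1e6 c0a8 010a 0a00 0005 c000 0050 1a2b 3c4d 0000 0000 5002 faf0 0000 0000"
BAD_SYN_FIN = "4500 0028 0001 0000 4006 0000 0a00 0005 0a00 0005 0050 0050 0000 0000 0000 0000 5043 0000 0000 0000"
```

Feeding an Exercise 1 style dump to parse_packet() yields items 1 to 9 directly, services() gives item 10, and invalid_reasons() runs the checklist.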
