
TCP/IP and tcpdump Pocket Reference Guide

Gary C. Kessler
Champlain College
+1 802-865-6460
gary.kessler@champlain.edu
http://digitalforensics.champlain.edu


UDP Header
--------------------------------------

Bit Number
                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------------------------------+-------------------------------+
|          Source Port          |       Destination Port        |
+-------------------------------+-------------------------------+
|            Length             |           Checksum            |
+-------------------------------+-------------------------------+

UDP Header information
--------------------------------------
Length     Number of bytes in entire datagram including header;
           minimum value = 8
Checksum   Covers pseudo-header and entire UDP datagram

Common UDP Well-Known Server Ports
--------------------------------------
    7  echo            138  netbios-dgm
   19  chargen         161  snmp
   37  time            162  snmp-trap
   53  domain          500  isakmp
   67  bootps (DHCP)   514  syslog
   68  bootpc (DHCP)   520  rip
   69  tftp          33434  traceroute
  137  netbios-ns


DNS
--------------------------------------

Bit Number
                     1 1 1 1 1 1
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-------------------------------+
|              ID               |
+-+-------+-+-+-+-+-----+-------+
|Q|Opcode |A|T|R|R|  Z  | RCODE |
|R|       |A|C|D|A|     |       |
+-+-------+-+-+-+-+-----+-------+
|            QDCOUNT            |
+-------------------------------+
|            ANCOUNT            |
+-------------------------------+
|            NSCOUNT            |
+-------------------------------+
|            ARCOUNT            |
+-------------------------------+
|       Question Section        |
+-------------------------------+
|        Answer Section         |
+-------------------------------+
|       Authority Section       |
+-------------------------------+
|Additional Information Section |
+-------------------------------+

DNS Parameters
--------------------------------------
Query/Response
    0  Query
    1  Response
Opcode
    0  Standard query (QUERY)
    1  Inverse query (IQUERY)
    2  Server status request (STATUS)
AA (1 = Authoritative Answer)
TC (1 = TrunCation)
RD (1 = Recursion Desired)
RA (1 = Recursion Available)
Z (Reserved; set to 0)
Response code
    0  No error
    1  Format error
    2  Server failure
    3  Non-existent domain (NXDOMAIN)
    4  Query type not implemented
    5  Query refused
QDCOUNT (No. of entries in Question section)
ANCOUNT (No. of resource records in Answer section)
NSCOUNT (No. of name server resource records in Authority section)
ARCOUNT (No. of resource records in Additional Information section)


ARP
--------------------------------------

Bit Number
                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------------------------------+-------------------------------+
|     Hardware Address Type     |     Protocol Address Type     |
+---------------+---------------+-------------------------------+
| H/w Addr Len  |Prot. Addr Len |           Operation           |
+---------------+---------------+-------------------------------+
|                    Source Hardware Address                    |
+-------------------------------+-------------------------------+
| Source Hardware Addr (cont.)  |    Source Protocol Address    |
+-------------------------------+-------------------------------+
| Source Protocol Addr (cont.)  |    Target Hardware Address    |
+-------------------------------+-------------------------------+
|                Target Hardware Address (cont.)                |
+---------------------------------------------------------------+
|                    Target Protocol Address                    |
+---------------------------------------------------------------+

ARP Parameters (for Ethernet and IPv4)
--------------------------------------
Hardware Address Type
    1  Ethernet
    6  IEEE 802 LAN
Protocol Address Type
 2048  IPv4 (0x0800)
Hardware Address Length
    6  for Ethernet/IEEE 802
Protocol Address Length
    4  for IPv4
Operation
    1  Request
    2  Reply


Acronyms
--------------------------------------
AH      Authentication Header (RFC 2402)
ARP     Address Resolution Protocol (RFC 826)
BGP     Border Gateway Protocol (RFC 1771)
CWR     Congestion Window Reduced (RFC 2481)
DF      Don't Fragment bit (IP)
DHCP    Dynamic Host Configuration Protocol (RFC 2131)
DNS     Domain Name System (RFC 1035)
ECN     Explicit Congestion Notification (RFC 3168)
EIGRP   Extended IGRP (Cisco)
ESP     Encapsulating Security Payload (RFC 2406)
FTP     File Transfer Protocol (RFC 959)
GRE     Generic Routing Encapsulation (RFC 2784)
HTTP    Hypertext Transfer Protocol (RFC 1945)
ICMP    Internet Control Message Protocol (RFC 792)
IGMP    Internet Group Management Protocol (RFC 2236)
IGRP    Interior Gateway Routing Protocol (Cisco)
IMAP    Internet Message Access Protocol (RFC 2060)
IP      Internet Protocol (RFC 791)
ISAKMP  Internet Security Association & Key Management Protocol (RFC 2408)
L2TP    Layer 2 Tunneling Protocol (RFC 2661)
LDAP    Lightweight Directory Access Protocol (RFC 2251)
NNTP    Network News Transfer Protocol (RFC 977)
OSPF    Open Shortest Path First (RFC 1583)
POP3    Post Office Protocol v3 (RFC 1460)
RFC     Request for Comments
RIP     Routing Information Protocol (RFC 2453)
SKIP    Simple Key management for Internet Protocols
SMTP    Simple Mail Transfer Protocol (RFC 821)
SNMP    Simple Network Management Protocol (RFC 1157)
SSH     Secure Shell
SSL     Secure Sockets Layer (Netscape)
TCP     Transmission Control Protocol (RFC 793)
TFTP    Trivial File Transfer Protocol (RFC 1350)
TOS     Type of Service field (IP)
UDP     User Datagram Protocol (RFC 768)


tcpdump Usage
--------------------------------------
tcpdump [-aenStvx] [-F file] [-i int] [-r file] [-s snaplen]
        [-w file] ['filter_expression']

  -e  Display data link header.
  -F  Filter expression in file.
  -i  Listen on int interface.
  -n  Don't resolve IP addresses.
  -r  Read packets from file.
  -s  Get snaplen bytes from each packet.
  -S  Use absolute TCP sequence numbers.
  -t  Don't print timestamp.
  -v  Verbose mode.
  -w  Write packets to file.
  -x  Display in hex.
  -X  Display in hex and ASCII.

All TCP/IP parameters can be found at http://www.iana.org/numbers.htm.
All RFCs can be found at http://www.rfc-editor.org.

© 2002-2006, Gary Kessler
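Added example (my code, not part of Kessler's guide): a Python decoder for the UDP and DNS headers on this page. It verifies the UDP checksum the way the guide describes it, over the IPv4 pseudo-header plus the entire datagram, enforces the minimum Length of 8, and splits the 16-bit DNS flag word into QR, Opcode, AA, TC, RD, RA, Z and RCODE using the parameter values listed above. The 192.168.1.x addresses, ports, transaction ID and query name in the sample datagram are constructed for this example.

```python
import struct

# Constructed sample endpoints (not from the guide).
SRC_IP = bytes([192, 168, 1, 10])
DST_IP = bytes([192, 168, 1, 1])

# DNS parameter values as listed in the guide.
DNS_OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
DNS_RCODES = {0: "No error", 1: "Format error", 2: "Server failure",
              3: "NXDOMAIN", 4: "Query type not implemented", 5: "Query refused"}


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def udp_pseudo_header(src_ip: bytes, dst_ip: bytes, udp_length: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol 17, UDP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 17, udp_length)


def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP datagram whose checksum covers pseudo-header + entire datagram."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)  # checksum field is zero while computing
    csum = internet_checksum(udp_pseudo_header(src_ip, dst_ip, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF  # a computed zero is sent as all ones; zero on the wire means "no checksum"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp(src_ip: bytes, dst_ip: bytes, datagram: bytes):
    """True/False if the checksum verifies; None if the sender left it zero (allowed in IPv4)."""
    length = struct.unpack("!H", datagram[4:6])[0]
    if struct.unpack("!H", datagram[6:8])[0] == 0:
        return None
    # Summing the transmitted checksum together with the data yields zero when intact.
    return internet_checksum(udp_pseudo_header(src_ip, dst_ip, length) + datagram[:length]) == 0


def parse_udp(datagram: bytes) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):  # minimum value = 8, per the guide
        raise ValueError("UDP length field out of range: %d" % length)
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": csum, "payload": datagram[8:length]}


def parse_dns_header(msg: bytes) -> dict:
    """Split the 12-byte DNS header: ID, the 16-bit flag word, and the four counts."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": flags >> 15 & 1,                    # 0 = query, 1 = response
        "opcode": DNS_OPCODES.get(flags >> 11 & 0xF, "reserved"),
        "aa": flags >> 10 & 1, "tc": flags >> 9 & 1,
        "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
        "z": flags >> 4 & 0x7,                    # reserved; should be 0
        "rcode": DNS_RCODES.get(flags & 0xF, "reserved"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def encode_qname(name: str) -> bytes:
    """Length-prefixed labels terminated by a zero byte, e.g. 7example3com0."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


# Constructed sample: a standard query (RD set) for example.com, type A, class IN.
SAMPLE_DNS_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                    + encode_qname("example.com") + struct.pack("!HH", 1, 1))
SAMPLE_DATAGRAM = build_udp(SRC_IP, DST_IP, 53211, 53, SAMPLE_DNS_QUERY)
# Constructed sample response header: QR, RD, RA set and RCODE 3 (NXDOMAIN).
SAMPLE_DNS_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)

if __name__ == "__main__":
    udp = parse_udp(SAMPLE_DATAGRAM)
    print("UDP %d -> %d, length %d, checksum ok: %s" %
          (udp["sport"], udp["dport"], udp["length"], verify_udp(SRC_IP, DST_IP, SAMPLE_DATAGRAM)))
    print(parse_dns_header(udp["payload"]))
    print(parse_dns_header(SAMPLE_DNS_NXDOMAIN))
```

Because the checksum is a one's-complement sum, verification is simply "sum the pseudo-header and the datagram including its checksum field and expect zero"; that also handles the case where a computed zero was transmitted as 0xFFFF.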


ICMP
--------------------------------------

Bit Number
                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
|     Type      |     Code      |           Checksum            |
+---------------+---------------+-------------------------------+
|             Other message-specific information...             |
+---------------------------------------------------------------+

Type  Name/Codes (Code=0 unless otherwise specified)
----  ----------------------------------------------
   0  Echo Reply
   3  Destination Unreachable
         0  Net Unreachable
         1  Host Unreachable
         2  Protocol Unreachable
         3  Port Unreachable
         4  Fragmentation Needed & DF Set
         5  Source Route Failed
         6  Destination Network Unknown
         7  Destination Host Unknown
         8  Source Host Isolated
         9  Network Administratively Prohibited
        10  Host Administratively Prohibited
        11  Network Unreachable for TOS
        12  Host Unreachable for TOS
        13  Communication Administratively Prohibited
   4  Source Quench
   5  Redirect
         0  Redirect Datagram for the Network
         1  Redirect Datagram for the Host
         2  Redirect Datagram for the TOS & Network
         3  Redirect Datagram for the TOS & Host
   8  Echo
   9  Router Advertisement
  10  Router Selection
  11  Time Exceeded
         0  Time to Live exceeded in Transit
         1  Fragment Reassembly Time Exceeded
  12  Parameter Problem
         0  Pointer indicates the error
         1  Missing a Required Option
         2  Bad Length
  13  Timestamp
  14  Timestamp Reply
  15  Information Request
  16  Information Reply
  17  Address Mask Request
  18  Address Mask Reply
  30  Traceroute

PING (Echo/Echo Reply)
--------------------------------------

Bit Number
                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Type (8 or 0) |   Code (0)    |           Checksum            |
+---------------+---------------+-------------------------------+
|          Identifier           |        Sequence Number        |
+-------------------------------+-------------------------------+
|                            Data...                            |
+---------------------------------------------------------------+


IP Header
--------------------------------------

Bit Number
                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------+-------+---------------+-------------------------------+
|Version|  IHL  |Type of Service|         Total Length          |
+-------+-------+---------------+-------------------------------+
|        Identification         |Flags|     Fragment Offset     |
+-------------------------------+-----+-------------------------+
| Time to Live  |   Protocol    |        Header Checksum        |
+---------------+---------------+-------------------------------+
|                        Source Address                         |
+---------------------------------------------------------------+
|                      Destination Address                      |
+---------------------------------------------------------------+
|                      Options (optional)                       |
+---------------------------------------------------------------+

IP Header Contents
--------------------------------------
Version
    4  IP version 4
Internet Header Length
    Number of 32-bit words in IP header; minimum value = 5 (20 bytes)
    & maximum value = 15 (60 bytes)
Type of Service (PreDTRCx) --> Differentiated Services
    Type of Service reading             Differentiated Services reading
    Precedence (000-111)                000
    D (1 = minimize delay)              0
    T (1 = maximize throughput)         0
    R (1 = maximize reliability)        0
    C (1 = minimize cost)               1 = ECN capable
    x (reserved and set to 0)           1 = congestion experienced
Total Length
    Number of bytes in packet; maximum length = 65,535
Flags (xDM)
    x (reserved and set to 0)
    D (1 = Don't Fragment)
    M (1 = More Fragments)
Fragment Offset
    Position of this fragment in the original datagram, in units of 8 bytes
Protocol
    1  ICMP        17  UDP        57  SKIP
    2  IGMP        47  GRE        88  EIGRP
    6  TCP         50  ESP        89  OSPF
    9  IGRP        51  AH        115  L2TP
Header Checksum
    Covers IP header only
Addressing
    NET_ID                            RFC 1918 PRIVATE ADDRESSES
    0-127    Class A                  10.0.0.0-10.255.255.255
    128-191  Class B                  172.16.0.0-172.31.255.255
    192-223  Class C                  192.168.0.0-192.168.255.255
    224-239  Class D (multicast)
    240-255  Class E (experimental)
    HOST_ID
    0        Network value; broadcast (old)
    255      Broadcast
Options (0-40 bytes; padded to 4-byte boundary)
    0  End of Options list        68  Timestamp
    1  No operation (pad)        131  Loose source route
    7  Record route              137  Strict source route


TCP Header
--------------------------------------

Bit Number
                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------------------------------+-------------------------------+
|          Source Port          |       Destination Port        |
+-------------------------------+-------------------------------+
|                        Sequence Number                        |
+---------------------------------------------------------------+
|                     Acknowledgment Number                     |
+-------+-------+-+-+-+-+-+-+-+-+-------------------------------+
|Offset | Rsvd  |C|E|U|A|P|R|S|F|            Window             |
|       |       |W|C|R|C|S|S|Y|I|                               |
|       |       |R|E|G|K|H|T|N|N|                               |
+-------+-------+-+-+-+-+-+-+-+-+-------------------------------+
|           Checksum            |        Urgent Pointer         |
+-------------------------------+-------------------------------+
|                      Options (optional)                       |
+---------------------------------------------------------------+

TCP Header Contents
---------------------------------------------
Offset
    Number of 32-bit words in TCP header; minimum value = 5
Reserved
    4 bits; set to 0
ECN bits (used when ECN employed; else 00)
    CWR (1 = sender has cut congestion window in half)
    ECN-Echo (1 = receiver cuts congestion window in half)
Flags (UAPRSF)
    U (1 = Urgent pointer valid)
    A (1 = Acknowledgement field value valid)
    P (1 = Push data)
    R (1 = Reset connection)
    S (1 = Synchronize sequence numbers)
    F (1 = no more data; Finish connection)
Checksum
    Covers pseudoheader and entire TCP segment
Urgent Pointer
    Points to the sequence number of the byte following urgent data.
Options
    0  End of Options list        3  Window scale
    1  No operation (pad)         4  Selective ACK ok
    2  Maximum segment size       8  Timestamp

Common TCP Well-Known Server Ports
--------------------------------------
    7  echo             110  pop3
   19  chargen          111  sunrpc
   20  ftp-data         119  nntp
   21  ftp-control      139  netbios-ssn
   22  ssh              143  imap
   23  telnet           179  bgp
   25  smtp             389  ldap
   53  domain           443  https (ssl)
   79  finger           445  microsoft-ds
   80  http            1080  socks
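Added example (my code, not part of Kessler's guide): a Python decoder for the IP and TCP headers laid out above. It checks the IHL bounds (5 to 15 words), reads the DF/MF flags and the 8-byte fragment offset unit, maps the Protocol number through the guide's table, verifies the header checksum (which covers the IP header only) and, for the TCP segment inside, verifies the checksum over the pseudo-header plus the entire segment and names the set flag bits (UAPRSF plus the two ECN bits). The 10.0.0.x addresses, ports, sequence number and identification value are constructed for this example.

```python
import struct

# Protocol numbers and address classes as listed in the guide.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 9: "IGRP", 17: "UDP", 47: "GRE",
                50: "ESP", 51: "AH", 57: "SKIP", 88: "EIGRP", 89: "OSPF", 115: "L2TP"}
# TCP flag bits, lowest bit first: the UAPRSF flags, then the two ECN bits above them.
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def address_class(first_octet: int) -> str:
    """NET_ID class from the first octet, per the guide's Addressing table."""
    for upper, cls in ((127, "A"), (191, "B"), (223, "C"), (239, "D"), (255, "E")):
        if first_octet <= upper:
            return cls
    raise ValueError("octet out of range")


def parse_ipv4(packet: bytes) -> dict:
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _hcsum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0xF
    if version != 4:
        raise ValueError("not IPv4")
    if not 5 <= ihl <= 15 or ihl * 4 > len(packet):   # minimum 5 words, maximum 15 words
        raise ValueError("bad IHL %d" % ihl)
    hlen = ihl * 4
    flags, frag_off = flags_frag >> 13, flags_frag & 0x1FFF
    return {
        "ihl_bytes": hlen,
        "dscp": tos >> 2, "ecn": tos & 0x3,           # Differentiated Services reading of the TOS byte
        "total_length": total_len, "id": ident,
        "df": bool(flags & 0x2), "mf": bool(flags & 0x1),
        "fragment_offset": frag_off * 8,              # field is in units of 8 bytes
        "ttl": ttl,
        "protocol": IP_PROTOCOLS.get(proto, str(proto)),
        # Header checksum covers the IP header only; summing it with the header gives 0 when intact.
        "header_checksum_ok": internet_checksum(packet[:hlen]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "src_class": address_class(src[0]),
        "options": packet[20:hlen],
        "payload": packet[hlen:total_len],
    }


def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    offset = off_flags >> 12                          # 32-bit words; minimum value = 5
    if offset < 5 or offset * 4 > len(segment):
        raise ValueError("bad data offset %d" % offset)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "reserved": off_flags >> 8 & 0xF,             # 4 bits; should be 0
        "flags": [name for bit, name in enumerate(TCP_FLAGS) if off_flags >> bit & 1],
        "window": window, "checksum": csum, "urgent_pointer": urg,
        "options": segment[20:offset * 4],
        "payload": segment[offset * 4:],
    }


def tcp_checksum_ok(src: bytes, dst: bytes, segment: bytes) -> bool:
    """TCP checksum covers the pseudo-header (src, dst, 0, protocol 6, length) and the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment) == 0


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, ttl: int = 64, ident: int = 0x1A2B) -> bytes:
    """20-byte header (IHL 5, DF set) with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + payload


def build_tcp(src: bytes, dst: bytes, sport: int, dport: int, seq: int, flags: int, window: int = 65535) -> bytes:
    """20-byte TCP segment (offset 5) with the pseudo-header checksum filled in."""
    seg = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, window, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return seg[:16] + struct.pack("!H", internet_checksum(pseudo + seg)) + seg[18:]


# Constructed sample: a SYN from 10.0.0.5:40000 to 10.0.0.1:22 (values chosen for the example).
SRC, DST = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])
SAMPLE_SYN = build_ipv4(SRC, DST, 6, build_tcp(SRC, DST, 40000, 22, 1000, 0x02))

if __name__ == "__main__":
    ip = parse_ipv4(SAMPLE_SYN)
    tcp = parse_tcp(ip["payload"])
    print(ip["src"], "->", ip["dst"], ip["protocol"], "header checksum ok:", ip["header_checksum_ok"])
    print(tcp["sport"], "->", tcp["dport"], tcp["flags"], "tcp checksum ok:", tcp_checksum_ok(SRC, DST, ip["payload"]))
```

A router that decrements TTL must recompute the header checksum; the test below shows that a copy whose TTL was lowered without doing so fails the header check, while the TCP checksum, which does not cover the IP header, still verifies.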