7/30/2019 Chapter 10 Packet
1/28
Chapter 10: PACKET ANALYSIS
TCP/IP Layering
The TCP/IP architecture consists of several layers, each performing certain functions.
Each layer is responsible for a different part of the communications and contains its own protocols.
There are four general layers of the TCP/IP stack:
1) Data-link layer
2) Network / Internet layer
3) Transport layer
4) Application layer
Data-link Layer
This layer is the lowest layer in the TCP/IP stack and is implemented within the network interface card and its device driver.
It handles all the physical interfaces of the transmission medium.
Network Layer
This layer is also known as the Internet Layer. It handles the delivery of packets around the network from source to destination, such as routing.
The primary protocol involved in this layer is the Internet Protocol (IP).
Transport Layer
This layer provides the flow of data between two computers. It provides two types of services to the Application Layer:
1) connection-oriented service - provided by TCP (Transmission Control Protocol)
2) connectionless service - provided by UDP (User Datagram Protocol)
Application Layer
This layer is the top layer in the TCP/IP stack.
It handles the details of each user application program or process.
Examples of application layer protocols:
File Transfer Protocol (FTP)
Simple Mail Transfer Protocol (SMTP)
Hypertext Transfer Protocol (HTTP)
Encapsulation
Encapsulation is the process that occurs whenever data flows down from one layer to another. It means that the data is sent down the TCP/IP protocol stack through each of the four layers. Each layer appends its header and trailer (if any) to the data as the data passes through it.
Decapsulation is the process that occurs whenever data flows up from one layer to another. It means that the data is sent up the TCP/IP protocol stack through each of the four layers. Each layer removes its header and trailer (if any) from the data as the data passes through it.
The unit of data that TCP sends to IP is called a TCP segment.
The unit of data that UDP sends to IP is called a UDP datagram.
The unit of data that IP sends to the network interface is called a packet or IP datagram.
The data that flows across Ethernet is called a frame.
Packet Filtering
Packet filtering is the process of capturing and filtering the TCP/IP packets that traverse the network, in a consistent way.
Most packet filtering software displays the TCP/IP packet structure in hexadecimal format.
It displays the data in hexadecimal using two-byte chunks. For example, the first ten bytes would be represented by five chunks like this:
xxxx xxxx xxxx xxxx xxxx
1 hex chunk = 2 bytes
TCP/IP
Every TCP/IP packet structure starts with the IP header, followed by the TCP header or UDP header. This means that the structure of each TCP and UDP packet must begin with the IP header structure.
TCP Segment encapsulated in IP Datagram
UDP Datagram encapsulated in IP Datagram
Internet Protocol (IP)
IP is an important protocol of the TCP/IP protocol suite. The function or purpose of this protocol is to move IP datagrams through an interconnected network.
All TCP and UDP data is transmitted as IP datagrams.
Internet Protocol (IP) cont.
The structure of the IP datagram (figure: Structure of IP Datagram from RFC 791, drawn 4 bytes per row)
Internet Protocol (IP) cont.
The normal size of the IP header without options is 20 bytes. If options are present, the IP header is larger, up to a maximum of 60 bytes.
The maximum size of an IP datagram (the total of IP header + data) is 65535 bytes.
Internet Protocol (IP) cont.
The IP header is followed by either a TCP header or a UDP header to form an IP datagram:
the TCP header takes up the next 20 bytes after the IP header, and
the UDP header takes up the next 8 bytes after the IP header.
Internet Protocol (IP) cont.
One hexadecimal chunk gives the value of 2 bytes. The normal size of an IP header without options is 20 bytes.
So, the IP header is the first 10 hexadecimal chunks.
Transmission Control Protocol (TCP)
TCP is a transport layer protocol and it provides a connection-oriented and reliable service to the application layer.
Information passed by TCP to IP is called a TCP segment and it is encapsulated within an IP datagram as shown in the figure.
TCP Segment encapsulated in IP Datagram
TCP cont.
The TCP segment is located after the IP header. Therefore, the IP header will have a protocol number of 6 in order to indicate that the following data is a TCP segment. A TCP segment can be broken down into two parts: the TCP header and the TCP data. The structure of the TCP segment (RFC 793) is shown below:
TCP segment
IP datagram (TCP)
(figure: the TCP segment is located after the IP header; IP header + TCP segment = IP datagram; the IP protocol field = 6)
TCP cont.
As mentioned before, the normal size of the TCP header is 20 bytes. If this TCP header is translated into hexadecimal chunks, it can be seen that the TCP header is the first 10 hexadecimal chunks located after the IP header, followed by the TCP data, as in the figure:
TCP Header
User Datagram Protocol (UDP)
UDP is also a transport layer service but it is simpler than TCP.
It provides a connectionless and unreliable service since it does not issue acknowledgements to the sender upon receipt of data, nor does it inform the sender that data was lost.
UDP cont.
As mentioned before, the information passed by UDP to IP is called a UDP datagram and it is encapsulated within an IP datagram as shown in the figure below:
UDP Datagram encapsulated in IP Datagram
UDP cont.
The UDP datagram is located after the IP header. Therefore, the IP header will have a protocol number of 17 to indicate that the following data is a UDP datagram. A UDP datagram can generally be broken down into two parts: the UDP header and the UDP data. The UDP header is short and simple.
The normal size of the UDP header is 8 bytes, which consists of the source and destination port numbers, the UDP length and the checksum.
UDP Datagram
IP datagram (UDP)
(figure: the UDP datagram, consisting of the UDP header and UDP data, is located after the IP header; IP header + UDP datagram = IP datagram)
UDP cont.
The normal size of the UDP header is 8 bytes. If this UDP header is translated into hexadecimal chunks, the UDP header is the first 4 hexadecimal chunks located after the IP header, followed by the UDP data, as shown in the figure below:
Refer to Attachment 3
UDP Header
Port numbers and Services
SERVICES                              PORT NUMBER
File Transfer Protocol (FTP)          21
Telnet                                23
Hypertext Transfer Protocol (HTTP)    80
Simple Mail Transfer Protocol (SMTP)  25
Domain Name System (DNS)              53
Exercise 1
4500 003c 0a66 4000 4006 a320 cfac 6ec5
cf7e 7f45 04c5 0050 801e 78e3 0000 0000
a009 3fc4 fe70 0000 / 0204 05cc 0402 080a 0014 7e59 0000 0000 0103 0300
Consider option = none.
You need to identify:
1) Version of IP =
2) Protocol field =
3) Source / Sender IP address =
4) Destination / Receiver IP address =
5) Source Port number =
6) Destination Port number =
7) Sequence number =
8) Acknowledgement number =
9) Reserved and Flag bits =
10) Services running =
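A decoder for the two-byte-chunk hex dumps used throughout this chapter, added here as a worked example (it is not part of the original slides). It walks the IP header, then the TCP (protocol 6) or UDP (protocol 17) header that follows it, and rejects dumps that fail the basic length checks the Invalid Packets slide asks about; EXERCISE_1 is the dump above, UDP_SAMPLE is a constructed packet, and TCP_FLAGS and SERVICES are helper tables assumed for this example.

```python
# Added example (not from the original slides): decode the hex-chunk dumps of
# this chapter into IP, TCP and UDP header fields, with basic validity checks.
import struct

# Bit order of the TCP flag field, least significant bit first (RFC 793 plus ECE/CWR/NS)
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
# Port-to-service table taken from this chapter's "Port numbers and Services" slide
SERVICES = {21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP"}

# The Exercise 1 dump from this chapter (the "/" separator is ignored by the parser)
EXERCISE_1 = """4500 003c 0a66 4000 4006 a320 cfac 6ec5
cf7e 7f45 04c5 0050 801e 78e3 0000 0000
a009 3fc4 fe70 0000 / 0204 05cc 0402 080a 0014 7e59 0000 0000 0103 0300"""

# Constructed UDP sample (not a real capture): 10.0.0.2 -> 10.0.0.3, port 49153 -> 53;
# both checksums are left as 0000 because this decoder does not verify checksums
UDP_SAMPLE = "4500 001c 0001 0000 4011 0000 0a00 0002 0a00 0003 c001 0035 0008 0000"

def parse_packet(hexdump):
    """Decode an IPv4 hex dump into a dict of header fields; raise ValueError if invalid."""
    raw = bytes.fromhex("".join(c for c in hexdump if c in "0123456789abcdefABCDEF"))
    if len(raw) < 20:
        raise ValueError("packet too short: less than a 20-byte IP header")
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4       # IHL is counted in 4-byte words
    total_len, proto = struct.unpack("!H", raw[2:4])[0], raw[9]
    if version != 4 or ihl < 20 or total_len < ihl or total_len > len(raw):
        raise ValueError("invalid IP header or total length")
    pkt = {"version": version, "ihl": ihl, "total_length": total_len, "protocol": proto,
           "src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20]))}
    body = raw[ihl:total_len]
    if proto == 6 and len(body) >= 20:           # TCP: 20-byte base header = 10 hex chunks
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", body[:16])
        pkt["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                      "header_len": (off_flags >> 12) * 4,  # data offset, in 4-byte words
                      "reserved": (off_flags >> 9) & 0x7,
                      "flags": [n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)],
                      "window": window}
    elif proto == 17 and len(body) >= 8:         # UDP: fixed 8-byte header = 4 hex chunks
        sport, dport, length, _ = struct.unpack("!HHHH", body[:8])
        pkt["udp"] = {"src_port": sport, "dst_port": dport, "length": length}
    else:
        raise ValueError("unsupported protocol or truncated transport header")
    pkt["service"] = SERVICES.get(dport)          # service guessed from the destination port
    return pkt

if __name__ == "__main__":
    for dump in (EXERCISE_1, UDP_SAMPLE):
        print(parse_packet(dump))
```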
Invalid Packets
How do you know if the packet is an invalid packet?
1) Packet too long (> 65,535 bytes) or too short ( 65,535.
11) etc ?