chapter 10 packet

7/30/2019 Chapter 10 Packet

1/28

PACKET ANALYSIS

Chapter

10


2/28

TCP/IP Layering

TCP/IP architecture consists of several layersperforming certain functions.

Each layer is responsible for different part of thecommunications and contains protocols.

There are four general layers of the TCP/IP stack :

1) Data-link layer

2) Network / Internet layer

3) Transport layer4) Application layer

Data link layer


3/28

Data-link Layer

This layer is the lowest layer in the TCP/IP stack andimplemented within the network interface card and its

device driver.

It handles all the physical interfaces of the transmission

medium.


4/28

Network Layer

This layer also known as Internet Layer. It handles thedelivery of packets around the network from source to

destination, such as routing.

The primary protocol involved in this layer is an Internet

Protocol (IP).


5/28

Transport Layer

This layer provides flow of data between two computers. It provides two types of services to the Application Layer

:

1) connection-oriented service - provided by the TCP

(Transmission Control Protocol) 2) connectionless service - provided by the UDP (User

Datagram Protocol)


6/28

Application Layer

This layer is the top layer in TCP/IP stack.

It handles the details of each user application program or

process.

Example of application layer protocols :

File Transfer Protocol (FTP)

Simple Mail Transfer Protocol (SMTP)

Hypertext Transfer Protocol (HTTP)


7/28

Encapsulation

Encapsulation is a process that occurs whenever the data flowsdown from one layer to another. It indicates that the data is sentdown the TCP/IP protocol stack through each of the four layers. Eachlayer will append the header and trailer (if any) to the data when thedata get through it.

Decapsulation is a process that occurs whenever the data flowsup from one layer to another. It indicates that the data is sent up theTCP/IP protocol stack through each of the four layers. Each layer willremove the header and trailer (if any) from the data when the dataget through it.

The unit of data that TCP sends to IP is called TCP segment.

The unit of data that UDP sends to IP is called UDP datagram.

The unit of data that IP sends to the network interface is calledpacket or IP datagram.

The data that flows across Ethernet is called Frame.


8/28


9/28

Packet Filtering

Packet filtering is a process of capturing and filteringthe traffic of TCP/IP packets that traverse in thenetwork, in a consistent way.

Most of the packet filtering softwares displayed theTCP/IP packet structure in hexadecimal format.

It displays the data in hexadecimal using two-bytechunks. For example, the first ten bytes would berepresented by five chunks like this :

xxxx xxxx xxxx xxxx xxxx

1 hex chunk = 2 bytes


10/28

TCP/IP

All TCP/IP packet structure, starts with the IP header,

followed by TCP header or UDP header. This means that the

structure for each of TCP and UDP packets must begin

with the IP header structure.

TCP Segment encapsulated in IP Datagram UDP Datagram encapsulated in IP Datagram


11/28

Internet Protocol (IP)

IP is an important protocol of the TCP/IP protocol suite. The function or purpose of this protocol is to move IP

datagrams through an interconnected network.

All TCP and UDP data is transmitted as an IP

datagrams.


12/28

Internet Protocol (IP) cont

The structure of IP datagram

4 bytes

Structure of IP Datagram from RFC 791


13/28


The normal size of the IP header without options is 20bytes. If options are present, then the normal size of the

IP header will be 60 bytes.

The maximum size of IP datagram (the total of IP

header + data) is 65535 bytes.


14/28


IP header will be followed by either TCP header or UDPheader to forms an IP datagram.

TCP header takes up the next 20 bytes after the

IP header, and

UDP header takes up the next 8 bytes after the IPheader.


15/28


One hexadecimal chunkgives the value of2 bytes. The normal size of an IP header without options is 20

bytes.

So, IP headeris the first 10 hexadecimal chunks.


16/28


..


17/28

Transmission Control Protocol (TCP)

TCP is a transport layer protocol and it provides a connection-

oriented and reliable service to the application layer.

Information passed by TCP to IP is called a TCP segment and it is

encapsulated within an IP datagram as shown in Figure.

TCP Segment encapsulated in IP Datagram


18/28

TCP..cont

TCP segment is located after the IP header. Therefore, IP header willhave a protocol number of 6 in order to indicate that the following data

is TCP segment. TCP segment can be broken down into two parts that

are TCP header and TCP data.The structure of TCP segment (RFC

793) is shown below :

TCP segment


19/28

IP datagram (TCP)

TCP segment located after the IP header

IP header

TCP header TCP

Segment

IP

datagram

= 6


20/28

TCP..cont

As mentioned before, the normal size of TCP header is 20 bytes. If this TCPheader is translated in the forms of a chunk of hexadecimal, then it can be seenthat, TCP header is the first 10 hexadecimal chunks, located after the IPheader, followed by the TCP data as in the figure :

TCP Header


21/28

User Datagram Protocol (UDP)

UDP is also a transport layer service but it is simpler thanTCP.

It provides a connectionless and unreliable service since it

does not issue acknowledgements to the sender upon

receipt of data nor does it inform the sender that datawas lost.


22/28

UDPcont.

As mentioned before, the information passed by UDP

to IP is called a UDP datagram and it is encapsulated

within an IP datagram as shown in Figure below :

UDP Datagram encapsulated in IP Datagram


23/28

UDPcont.

UDP datagram is located after the IP header. Therefore, IP header willhave a protocol number of 17, to indicate that the following data is UDP

datagram. UDP datagram can generally be broken down into two parts that

are UDP header and UDP data. The UDP header is short and simple.

The normal size of the UDP header is 8 bytes, which consists of sourceand destination port numbers, UDP length and checksum.

UDP Datagram


24/28

IP datagram (UDP)

UDP datagram located after the IP header = IP datagram

IP header

UDP

header UDPdatagram

IP

datagram


25/28

UDPcont.

The normal size of UDP header is 8 bytes. If this UDP header is

translated in the forms of a chunk of hexadecimal, UDP header is the first 4

hexadecimal chunks, located after the IP header, followed by the

UDP data, as shown in Figure, below :

Refer to Attachment 3

UDP Header


26/28

Port numbers and Services

SERVICES PORTNUMBER

File Transfer Protocol (FTP) 21

Telnet 23

Hypertext Transfer Protocol (HTTP) 80

Simple Mail Transfer Protocol (SMTP) 25

Domain Name System (DNS) 53


27/28

Exercise 1

4500 003c 0a66 4000 4006 a320 cfac 6ec5

cf7e 7f45 04c5 0050 801e 78e3 0000 0000

a009 3fc4 fe70 0000/ 0204 05cc 0402 080a0014 7e59 0000 0000 0103 0300

Consider option = none.

You need to identify :

1) Version of IP =2) Protocol field =3) Source / Sender IP address =

4) Destination / Receiver IP address =5) Source Port number =

6) Destination Port number =7) Sequence number =8) Acknowledgement number =9) Reserved and Flag bits =10) Services running =


28/28

Invalid PacketsHow do you know if the packet is an invalid packet?

1) Packet too long (> 65,535 bytes) or too short ( 65,535.

11) etc ?

chapter 10 packet

Documents