Packet Analysis with Wireshark ARP, IP, TCP, UDP, ICMP Kyu Hyun Choi

Post on 25-Dec-2015

Page 1: Packet Analysis with Wireshark ARP, IP, TCP, UDP, ICMP Kyu Hyun Choi

Packet Analysis with Wireshark

ARP, IP, TCP, UDP, ICMP

Kyu Hyun Choi

Page 2

Wireshark?

Free and open-source network packet analyzer for Unix, Linux, Windows, OSX, BSD, Solaris and so on

https://www.wireshark.org/

Page 3

What can we do with Wireshark

Network troubleshooting, analysis

Software and communications protocol development

Education

Hacking !

Page 4

Getting Started

Download and install wireshark

Page 5

Select Device

Page 6

Start live capture

Captured Network

Packet list

Analyzed information about the packet

Packet raw data

Page 7

ARP

Address Resolution Protocol: telecommunication protocol used for resolution of network layer addresses into link layer addresses

Convert IP address to a physical address (such as MAC address)

Page 8

ARP – Packet structure

The length of the address fields is determined by the corresponding address length fields

Page 9

ARP – Packet structure

Hardware type (HTYPE): Specifies the network protocol type, e.g. Ethernet = 1

Protocol type (PTYPE): Specifies the internet protocol for which the ARP request is intended. For IPv4, this has the value 0x0800

Hardware address length (HLEN): Length of a hardware address. Ethernet address size is 6.

Protocol address length (PLEN): Length of addresses used in the upper layer protocol (specified in PTYPE). IPv4 address size is 4.

Page 10

ARP – Packet structure

Operation code: Specifies the operation that the sender is performing. 1 for request, 2 for reply

Sender hardware address (SHA): ARP request → the address of the host sending the request; ARP reply → the address of the host that the request was looking for

Sender protocol address (SPA): Internetwork address of the sender

Target hardware address (THA): ARP request → ignored; ARP reply → the address of the host that originated the ARP request

Target protocol address (TPA): Internetwork address of the intended receiver
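As an added example (not from the slides), a small Python decoder for the structure described on pages 8 to 10: it reads HLEN and PLEN first and uses them to slice the four address fields, which is what page 8 means by the address lengths being determined by the length fields. The sample request bytes are constructed here and the addresses in it are made up.

```python
import struct

# Field values named on the slides: HTYPE 1 = Ethernet, PTYPE 0x0800 = IPv4,
# opcode 1 = request, 2 = reply
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OPCODES = {1: "request", 2: "reply"}

def parse_arp(pkt: bytes) -> dict:
    """Decode an ARP packet. The fixed part is 8 bytes; the size of the four
    address fields that follow comes from HLEN and PLEN, not from assumptions."""
    if len(pkt) < 8:
        raise ValueError("ARP packet shorter than its fixed 8-byte header")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[:8])
    need = 8 + 2 * (hlen + plen)
    if len(pkt) < need:
        raise ValueError(f"ARP packet truncated: need {need} bytes, have {len(pkt)}")
    body = pkt[8:need]
    sha, spa = body[:hlen], body[hlen:hlen + plen]
    tha, tpa = body[hlen + plen:2 * hlen + plen], body[2 * hlen + plen:]
    fmt_hw = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b) if len(b) == 4 else b.hex()
    return {
        "htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen,
        "oper": oper, "op_name": OPCODES.get(oper, "unknown"),
        "sha": fmt_hw(sha), "spa": fmt_ip(spa),
        "tha": fmt_hw(tha), "tpa": fmt_ip(tpa),
    }

# Constructed sample: a request from 192.0.2.10 asking for the MAC of 192.0.2.1
# (documentation addresses; THA is zero because a request leaves it unused).
SAMPLE_REQUEST = (
    struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, 1)
    + bytes.fromhex("020000000a0a") + bytes([192, 0, 2, 10])
    + bytes(6) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    for k, v in parse_arp(SAMPLE_REQUEST).items():
        print(f"{k:8} {v}")
```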

Page 11

IP

Internet Protocol: unique global address for a network interface. An IP address:

is a 32-bit long identifier (IPv4)

encodes a network number and a host number

Page 12

Network prefix and host number

The network prefix identifies a network; the host number identifies a specific host

How do we know how long the network prefix is? The network prefix is indicated by a netmask

e.g. 255.255.255.0 → network prefix is the first 3 bytes, and the last byte is the host number

Notation: 163.152.73.70/24 → network prefix is 24 bits long

[Figure: the address split into network prefix and host number]

Page 13

IP datagram format

Page 14

IP header fields

[Figure: IPv4 datagram layout, 32 bits wide, with the following annotations]

ver: IP protocol version number

head. len: header length (bytes)

type of service: "type" of data

length: total datagram length (bytes)

16-bit identifier, flags, fragment offset: for fragmentation / reassembly

time to live: max number of remaining hops (decremented at each router)

upper layer: upper layer protocol to deliver payload to

header checksum: protects the header of IP data packets against data corruption

32 bit source IP address

32 bit destination IP address

Options (if any): e.g. timestamp, record route taken, specify list of routers to visit

Data (typically a TCP or UDP segment)

Page 15

IP header Analysis with Wireshark

• IP is in the Network Layer

• So IP packets are padded by lower layer protocols

• First 12 Bytes are Ethernet header

• Source and destination MAC address

Page 16

IP header Analysis with Wireshark

IPv4 header fields: 20 bytes

0x45 = 0100 0101 → 0100 = 4 (Version: 4); 0101 = 5 (5 × 4B (1 word) = 20B header length)

0x00 = 0000 0000 → Type of service: nothing special

Page 17

IP header Analysis with Wireshark

0x05dc = 1500 → Total length

0xf146 = 61766 → Identification

0x40 = 010 0 0000 → 010: bit vector (Reserved bit)(Don't fragment)(More fragment); 0 0000: fragment offset

0x2e = 46 → Time To Live

Page 18

IP header Analysis with Wireshark

0x06 = 6 (TCP) Upper layer protocol is TCP

0xcdb9 Checksum

0x3a7860c5: 58.120.96.197 Source IP

0xa3984946: 163.152.73.70 Destination IP

Page 19

IP Checksum calculation

Divide the IP header into 2-byte segments

Assume that the checksum bytes are 0x0000

Add all the segments: the sum is 0x00 03 32 43 in this case

Add the carries to the lower 2 bytes of the sum: 0x0003 + 0x3243 = 0x3246

Take the 1's complement: 0x3246 = 0011 0010 0100 0110 → 1100 1101 1011 1001 = 0xcdb9

Profit!!!
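The steps above carried out in Python on the exact header from pages 16 to 18, as an added example that is not part of the deck. Besides recomputing 0xcdb9 it shows the receiver-side check, where the 16-bit words including the checksum must sum to 0xffff, and what a corrupted byte does to it. Keep in mind that this checksum only catches accidental corruption; anyone rewriting a header simply recomputes it, so it is not a protection against modification.

```python
import struct

# IPv4 header from the Wireshark walk-through on pages 16 to 18, 20 bytes,
# with the checksum 0xcdb9 the slides arrive at already in place.
HEADER = bytes.fromhex("4500 05dc f146 4000 2e06 cdb9 3a78 60c5 a398 4946")

def word_sum(data: bytes) -> int:
    """Steps 1 to 3 on page 19: split into 2-byte words and add them all up."""
    if len(data) % 2:
        data += b"\x00"          # pad an odd trailing byte (never needed for an IP header)
    return sum(struct.unpack(f"!{len(data) // 2}H", data))

def fold(total: int) -> int:
    """Step 4: add the carry above 16 bits back into the low 16 bits."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_checksum(header: bytes) -> int:
    """Compute the header checksum with the checksum field (bytes 10-11) taken as 0."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return fold(word_sum(zeroed)) ^ 0xFFFF      # step 5: one's complement

def verify_ip_header(packet: bytes) -> bool:
    """Receiver-side check. The header length comes from the IHL nibble; a
    header whose words (checksum included) fold to 0xFFFF is intact."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        return False
    return fold(word_sum(packet[:ihl])) == 0xFFFF

if __name__ == "__main__":
    zeroed = HEADER[:10] + b"\x00\x00" + HEADER[12:]
    print(f"raw sum   0x{word_sum(zeroed):05x}")      # 0x33243 as on the slide
    print(f"folded    0x{fold(word_sum(zeroed)):04x}") # 0x3246
    print(f"checksum  0x{ip_checksum(HEADER):04x}")    # 0xcdb9
    print("header ok:", verify_ip_header(HEADER))
    # flip one bit in the TTL byte and the receiver-side check fails
    damaged = HEADER[:8] + bytes([HEADER[8] ^ 0x01]) + HEADER[9:]
    print("damaged ok:", verify_ip_header(damaged))
```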

Page 20

Transport Layer Protocols

TCP – Transmission Control Protocol

Stream oriented

Reliable, connection-oriented

Complex

Only unicast

Used for most internet applications: Web (http), email (smtp), file transfer (ftp), terminal (telnet), etc.

UDP – User Datagram Protocol

Datagram oriented

Unreliable, connectionless

Simple

Unicast and multicast

Useful only for a few applications, e.g. multimedia applications

Used a lot for services: network management (SNMP), routing (RIP), naming (DNS), etc.

Page 21

TCP

Transmission Control Protocol: TCP is a connection-oriented protocol

It creates a virtual connection between two TCPs to send data

Uses flow and error control mechanism at the transport layer

Provides a reliable unicast end-to-end byte stream over an unreliable internetwork

Page 22

TCP header format

Page 23

TCP header fields

Port Number: A port number identifies the endpoint of a connection (process). A pair <IP address, port number> identifies one endpoint of a connection

[Figure: two hosts, each drawn as Applications over TCP over IP, with "Ports:" labels on the TCP layer; the extracted port labels read "23 10480" and "7 1680"]

Page 24

TCP header fields

Sequence Number (Seq): Sequence number is 32 bits long, so the range of sequence number is 0 ≤ seq ≤ 2^32 - 1

Each sequence number identifies a byte in the byte stream

Initial Sequence Number (ISN) of a connection is set during connection establishment

Page 25

TCP header fields

Acknowledgement Number (Ack): Acknowledgements are piggybacked, i.e. a segment from A → B can contain an acknowledgement for data sent in the B → A direction

A host uses the Ack field to send acknowledgements; if a host sends an Ack in a segment it sets the "ACK flag"

The Ack contains the next Seq that a host wants to receive

e.g. The acknowledgement for a segment with Seq 0-1500 is Ack=1501

Page 26

TCP header fields - Flags

Page 27

TCP header fields

Window Size: Each side of the connection advertises the window size. Window size is the maximum number of bytes that a receiver can accept; maximum window size is 2^16 - 1 = 65535 bytes

TCP checksum: covers both the TCP header and the TCP data

Urgent Pointer: Only valid if the URG flag is set

Page 28

TCP header analysis with Wireshark

Page 29

TCP header analysis with Wireshark

0x0050 = 80 Source port

0x1f53 = 8019 Destination port

Page 30

TCP header analysis with Wireshark

0xbe7c79b6 Sequence number

0xf4b7bd42 Ack number

0x5 = 5 Header length: 5 × 4 bytes (1 word) = 20 bytes

Page 31

TCP header analysis with Wireshark

0x010 Flags (bit vector): Acknowledgment

0x0036 Window size

0x26fb Checksum

0x0000 Urgent pointer
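An added example (not from the slides) that decodes the header walked through on pages 29 to 31 in Python, turns the flag bits into names, and applies the Ack rule from page 25. The header bytes are assembled from the field values on the slides; the flag bit positions are the standard TCP ones.

```python
import struct

# The 20-byte TCP header from the Wireshark walk-through on pages 29 to 31,
# assembled from the field values shown on those slides.
HEADER = bytes.fromhex("0050 1f53 be7c79b6 f4b7bd42 5010 0036 26fb 0000")

# Flag bits in the low byte of the data-offset/flags word
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
             ("ACK", 0x10), ("URG", 0x20)]

def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed TCP header. The data offset (in 32-bit words) says
    where options end and the payload begins, so it is validated before use."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"bad data offset: header length {header_len}")
    flags = [name for name, bit in FLAG_BITS if off_flags & bit]
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags, "window": window,
        "checksum": csum,
        "urgent": urg if "URG" in flags else None,   # page 27: only valid with URG
        "payload": segment[header_len:],
    }

def expected_ack(seq: int, payload_len: int) -> int:
    """Page 25: the Ack carries the next sequence number the receiver wants,
    so a segment holding bytes seq .. seq+len-1 is acknowledged with seq+len
    (modulo 2**32, because the sequence space wraps)."""
    return (seq + payload_len) % (1 << 32)

if __name__ == "__main__":
    for k, v in parse_tcp(HEADER).items():
        print(f"{k:11} {v:#x}" if isinstance(v, int) else f"{k:11} {v}")
    # the slide's example: a segment carrying bytes 0 through 1500 (1501 bytes)
    print("ack for Seq 0-1500:", expected_ack(0, 1501))
```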

Page 32

UDP

User Datagram Protocol: connectionless, unreliable transport protocol

UDP merely extends the host-to-host delivery service of IP datagrams to a process-to-process service

The only thing that UDP adds is multiplexing and demultiplexing

Page 33

UDP format

Page 34

UDP header fields

Port numbers identify sending and receiving processes

Total length is at least 8 bytes (i.e., the Data field can be empty) and at most 65,535

Checksum covers the UDP header and some of the IP header fields (Pseudoheader)

Page 35

Checksum Calculation

Page 36

Checksum Calculation

Page 37

UDP header analysis with Wireshark

Ethernet header and IPv4 header are placed before the UDP header

0xc93f Source port: 51519

0x079b Destination port: 1947

0x0030 Length: 48B (header + data)

0xdb48 Checksum

Page 38

ICMP

Internet Control Message Protocol

Used by hosts & routers to communicate network-level information

Error reporting: unreachable host, network, port, protocol

Echo request/reply (used by ping)

Network-layer above IP: ICMP msgs carried in IP datagrams

Type  Code  Description
0     0     echo reply (ping)
3     0     dest. network unreachable
3     1     dest host unreachable
3     2     dest protocol unreachable
3     3     dest port unreachable
3     6     dest network unknown
3     7     dest host unknown
4     0     source quench (congestion control - not used)
8     0     echo request (ping)
9     0     route advertisement
10    0     router discovery
11    0     TTL expired
12    0     bad IP header

Page 39

ICMP Format

4 byte header: Type (1 byte): type of ICMP message; Code (1 byte): subtype of ICMP message; Checksum (2 bytes): similar to the IP header checksum, calculated over the entire ICMP message

If there is no additional data, there are 4 bytes set to zero

Each ICMP message is at least 8 bytes long

[Figure: ICMP message layout, bit # 0-7 type, 8-15 code, 16-31 checksum, followed by 4 bytes of additional information or 0x00000000]

Page 40

ICMP in TCP/IP

Special purpose message mechanism added to the TCP/IP protocols

ICMP is a network layer protocol, but its messages are first encapsulated into an IP datagram

Page 41

ICMP header analysis with Wireshark

Page 42

ICMP header analysis with Wireshark

0x08 Type: 8

0x00 Code: 0

→ Echo (ping) request

0x4d53 Checksum

0x0001 0008 Additional information: the Identifier in this case. Wireshark shows it in two forms, big endian and little endian

The remaining bytes are data
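An added Python example (not from the deck) that parses the bytes shown on this slide. It assumes the standard echo layout, where the 4 bytes after the checksum are a 16-bit identifier followed by a 16-bit sequence number, and decodes both in the two byte orders Wireshark displays, since some ping implementations write these fields little-endian.

```python
import struct

# ICMP echo request header from the Wireshark walk-through on page 42:
# type 8, code 0, checksum 0x4d53, then the 4 bytes 0x0001 0008.
HEADER = bytes.fromhex("0800 4d53 0001 0008")

ECHO_TYPES = {8: "echo request", 0: "echo reply"}

def parse_icmp(msg: bytes) -> dict:
    """Decode the 4-byte ICMP header plus the 4 bytes that follow it (page 39:
    every ICMP message is at least 8 bytes). For echo request/reply those
    bytes are identifier and sequence number; for other types they are kept
    raw, because their meaning depends on the type and code."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, checksum = struct.unpack("!BBH", msg[:4])
    out = {"type": icmp_type, "code": code, "checksum": checksum, "data": msg[8:]}
    if icmp_type in ECHO_TYPES:
        id_be, seq_be = struct.unpack("!HH", msg[4:8])   # network byte order
        id_le, seq_le = struct.unpack("<HH", msg[4:8])   # as a little-endian sender meant it
        out.update({"kind": ECHO_TYPES[icmp_type],
                    "id_be": id_be, "id_le": id_le,
                    "seq_be": seq_be, "seq_le": seq_le})
    else:
        out["rest_of_header"] = msg[4:8]
    return out

if __name__ == "__main__":
    for k, v in parse_icmp(HEADER).items():
        print(f"{k:9} {v}")
```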