Packet Analysis with Wireshark
ARP, IP, TCP, UDP, ICMP
Kyu Hyun Choi
Wireshark?
Free and open-source network packet analyzer for Unix, Linux, Windows, OSX, BSD, Solaris and so on
https://www.wireshark.org/
What can we do with Wireshark
Network troubleshooting, analysis
Software and communications protocol development
Education
Hacking !
Getting Started
Download and install wireshark
Select Device
Start live capture
Captured Network
[Figure: the Wireshark main window. Top pane: packet list; middle pane: analyzed information about the selected packet; bottom pane: packet raw data]
ARP
Address Resolution Protocol: telecommunication protocol used for resolution of network layer addresses into link layer addresses
Converts an IP address to a physical address (such as a MAC address)
ARP – Packet structure
The length of the address fields is determined by the corresponding address length fields
Hardware type (HTYPE): specifies the link layer (hardware) type, e.g. Ethernet = 1
Protocol type (PTYPE): specifies the internetwork protocol for which the ARP request is intended. For IPv4 this has the value 0x0800
Hardware address length (HLEN): length of a hardware address. Ethernet addresses are 6 bytes
Protocol address length (PLEN): length of addresses used in the upper layer protocol (specified in PTYPE). IPv4 addresses are 4 bytes
Operation code (OPER): specifies the operation that the sender is performing: 1 for request, 2 for reply
Sender hardware address (SHA): ARP request → the address of the host sending the request; ARP reply → the address of the host that the request was looking for
Sender protocol address (SPA): internetwork address of the sender
Target hardware address (THA): ARP request → ignored; ARP reply → the address of the host that originated the ARP request
Target protocol address (TPA): internetwork address of the intended receiver
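The field layout above, as a builder and parser. This is an added example and not code from the slides: the parser takes the address field sizes from HLEN/PLEN exactly as the packet structure slide describes, so it is not limited to the Ethernet/IPv4 case, and it rejects a packet that is shorter than those lengths require. The request/reply pair at the bottom is constructed for the example; the MAC addresses are made up and the IP addresses reuse the 163.152.73.0/24 network shown later on the slides.

```python
import struct

ARP_FIXED = "!HHBBH"  # HTYPE, PTYPE, HLEN, PLEN, OPER (8 bytes); the four addresses follow


def build_arp_ipv4(oper, sha, spa, tha, tpa):
    """Build an Ethernet/IPv4 ARP packet (HTYPE 1, PTYPE 0x0800, HLEN 6, PLEN 4).
    oper: 1 = request, 2 = reply. MACs as "aa:bb:cc:dd:ee:ff", IPs as dotted quads."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack(ARP_FIXED, 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


def parse_arp(pkt):
    """Parse an ARP packet. Address sizes come from HLEN/PLEN, so any
    hardware/protocol pair parses; unknown address types are returned as hex."""
    if len(pkt) < 8:
        raise ValueError("ARP packet shorter than the 8-byte fixed part")
    htype, ptype, hlen, plen, oper = struct.unpack(ARP_FIXED, pkt[:8])
    need = 8 + 2 * (hlen + plen)
    if len(pkt) < need:
        raise ValueError(f"ARP packet truncated: need {need} bytes, got {len(pkt)}")
    off, fields = 8, []
    for size in (hlen, plen, hlen, plen):  # SHA, SPA, THA, TPA in that order
        fields.append(pkt[off:off + size])
        off += size
    sha, spa, tha, tpa = fields

    def fmt_hw(b):
        return ":".join(f"{x:02x}" for x in b) if hlen == 6 else b.hex()

    def fmt_proto(b):
        return ".".join(str(x) for x in b) if (ptype, plen) == (0x0800, 4) else b.hex()

    return {
        "htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen,
        "oper": oper, "op_name": {1: "request", 2: "reply"}.get(oper, "other"),
        "sha": fmt_hw(sha), "spa": fmt_proto(spa),
        "tha": fmt_hw(tha), "tpa": fmt_proto(tpa),
    }


# Constructed exchange (MACs made up): host .70 asks "who has .1?", and .1 answers
# with its own MAC in SHA and the requester's MAC copied into THA.
REQUEST = build_arp_ipv4(1, "02:00:00:00:00:70", "163.152.73.70",
                         "00:00:00:00:00:00", "163.152.73.1")
REPLY = build_arp_ipv4(2, "02:00:00:00:00:01", "163.152.73.1",
                       "02:00:00:00:00:70", "163.152.73.70")

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("reply", REPLY)):
        print(name, pkt.hex(), parse_arp(pkt))
```

Note that nothing in the packet authenticates the reply: any host on the segment can send a reply whose SHA is its own MAC and whose SPA is someone else's IP, which is why the parser output, not the sender, is what an analyst has to check against what the network should look like.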
IP
Internet Protocol: unique global address for a network interface. An IP address:
is a 32 bit long identifier (IPv4)
encodes a network number and a host number
Network prefix and host number
The network prefix identifies a network; the host number identifies a specific host
How do we know how long the network prefix is? The network prefix is indicated by a netmask
e.g. 255.255.255.0 → the network prefix is the first 3 bytes, and the last byte is the host number
Notation: 163.152.73.70/24 → the network prefix is 24 bits long
[Figure: 32-bit address split into network prefix | host number]
IP datagram format
IP header fields (32 bits per row):
ver: IP protocol version number
head. len: header length (in 32-bit words)
type of service: "type" of data
length: total datagram length (bytes)
16-bit identifier, flags, fragment offset: for fragmentation / reassembly
time to live: max number of remaining hops (decremented at each router)
upper layer: upper layer protocol to deliver the payload to
header checksum
32 bit source IP address
32 bit destination IP address
Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
Data (typically a TCP or UDP segment)
Checksum: protects the header of IP data packets against data corruption
IP header Analysis with Wireshark
• IP is in the Network Layer, so an IP packet arrives encapsulated in a lower-layer frame
• On Ethernet, the first 14 bytes of the captured frame are the Ethernet header: the 6-byte destination MAC address, the 6-byte source MAC address and a 2-byte EtherType (0x0800 for IPv4); the IP header starts at byte 14
IPv4 header fields (20 bytes)
0x45 = 0100 0101 → 0100 = 4 (Version: 4), 0101 = 5 (header length: 5 × 4 B (1 word) = 20 B)
0x00 = 0000 0000 → Type of service: nothing special
0x05dc = 1500 → Total length
0xf146 = 61766 → Identification
0x4000 = 010 0 0000 0000 0000 → flags = 010 (Reserved bit = 0, Don't Fragment = 1, More Fragments = 0), fragment offset = 0
0x2e = 46 → Time To Live
0x06 = 6 → Upper layer protocol is TCP
0xcdb9 → Header checksum
0x3a7860c5 → 58.120.96.197: Source IP
0xa3984946 → 163.152.73.70: Destination IP
IP Checksum calculation
Divide the IP header into 2-byte words. Assume that the checksum bytes are 0x0000. Add all the words.
The sum is 0x0003 3243 in this case. Add the carries (the upper 16 bits) to the lower 2 bytes of the sum:
0x0003 + 0x3243 = 0x3246. Take the 1's complement:
0x3246 = 0011 0010 0100 0110 → 1100 1101 1011 1001 = 0xcdb9, which matches the checksum field
Profit!!!
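The header walk-through and the checksum calculation above, carried out in code. This is an added example, not code from the slides: the 20 header bytes are reconstructed from the values decoded on the slides (45 00 05dc f146 4000 2e 06 cdb9 3a7860c5 a3984946), and the functions `inet_checksum`, `parse_ipv4` and `ipv4_checksum` are names chosen here. Besides recomputing 0xcdb9 the slide's way, the parser does what a receiving host does: it sums the header with the checksum field left in place, which comes out as zero only when the header is intact.

```python
import struct

# The 20 header bytes reconstructed from the values decoded on the slides.
IP_HEADER = bytes.fromhex("450005dcf14640002e06cdb93a7860c5a3984946")


def inet_checksum(data):
    """RFC 1071 Internet checksum: one's complement of the one's complement
    sum of all 16-bit big-endian words (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:  # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt):
    """Decode the fixed IPv4 header, verify its checksum, and split off options
    and payload. Raises ValueError on a header that is not IPv4 or is malformed."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4: version {version}")
    hlen = ihl * 4  # IHL counts 32-bit words, so 5 means 20 bytes
    if hlen < 20 or len(pkt) < hlen:
        raise ValueError(f"bad header length {hlen}")
    header = pkt[:hlen]
    return {
        "version": version, "header_len": hlen, "tos": tos, "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),           # flag bits 010 = Don't Fragment
        "mf": bool(flags_frag & 0x2000),           # flag bits 001 = More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # the 13-bit field is in 8-byte units
        "ttl": ttl, "protocol": proto, "checksum": csum,
        # A valid header, checksum field included, sums to 0xFFFF, so its
        # complement is 0; this is the check a router performs per hop.
        "checksum_ok": inet_checksum(header) == 0,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "options": header[20:], "payload": pkt[hlen:],
    }


def ipv4_checksum(header):
    """Recompute the checksum the way the slide does: treat the checksum
    field as 0x0000, sum the header words, fold the carries, complement."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return inet_checksum(zeroed)


if __name__ == "__main__":
    print(parse_ipv4(IP_HEADER))
    print(hex(ipv4_checksum(IP_HEADER)))  # 0xcdb9
```

The header checksum covers only the header: a payload corrupted in transit passes this check, which is why TCP, UDP and ICMP carry their own checksums.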
Transport Layer Protocols
TCP – Transmission Control Protocol
Stream oriented
Reliable, connection-oriented
Complex
Only unicast
Used for most internet applications: Web (http), email (smtp), file transfer (ftp), terminal (telnet), etc.
UDP – User Datagram Protocol
Datagram oriented
Unreliable, connectionless
Simple
Unicast and multicast
Useful for only a few applications, e.g. multimedia applications
Used a lot for services: network management (SNMP), routing (RIP), naming (DNS), etc.
TCP
Transmission Control Protocol: TCP is a connection-oriented protocol
It creates a virtual connection between two TCP endpoints to send data
Uses flow and error control mechanisms at the transport layer
Provides a reliable unicast end-to-end byte stream over an unreliable internetwork
TCP header format
TCP header fields
Port Number: a port number identifies the endpoint of a connection (process). A pair <IP address, port number> identifies one endpoint of a connection
[Figure: two hosts, each drawn as a stack Applications / TCP / IP; numbered ports (e.g. 23 and 80) sit between Applications and TCP and select which application a segment belongs to]
Sequence Number (Seq): the sequence number is 32 bits long, so its range is 0 ≤ seq ≤ 2^32 − 1. Each sequence number identifies a byte in the byte stream. The Initial Sequence Number (ISN) of a connection is set during connection establishment
Acknowledgement Number (Ack): acknowledgements are piggybacked, i.e. a segment from A → B can contain an acknowledgement for data sent in the B → A direction
A host uses the Ack field to send acknowledgements. If a host sends an Ack in a segment it sets the "ACK flag"
The Ack contains the next Seq that the host wants to receive
e.g. the acknowledgement for a segment carrying bytes with Seq 0-1500 is Ack=1501
TCP header fields - Flags
Window Size: each side of the connection advertises its window size. The window size is the maximum number of bytes that the receiver can accept. The maximum value of the 16-bit field is 2^16 − 1 = 65535 bytes (larger windows require the window scale option negotiated in the SYN segments)
TCP checksum: the TCP checksum covers both the TCP header and the TCP data (plus a pseudo-header taken from the IP header)
Urgent Pointer: only valid if the URG flag is set
TCP header analysis with Wireshark
0x0050 = 80 → Source port
0x1f53 = 8019 → Destination port
0xbe7c79b6 → Sequence number
0xf4b7bd42 → Ack number
0x5 = 5 → Header length: 5 × 4 byte (1 word) = 20 bytes
0x010 → Flags bit vector: only ACK set (Acknowledgment)
0x0036 = 54 → Window size
0x26fb → Checksum
0x0000 → Urgent pointer (not meaningful here, the URG flag is clear)
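The same header decoded in code, as an added example rather than code from the slides. The 20 bytes are reconstructed from the values on the slides (0050 1f53 be7c79b6 f4b7bd42 5010 0036 26fb 0000); `parse_tcp`, `next_ack` and the constructed `SYN_SEGMENT` (a made-up SYN with an MSS option, included to show a longer header and a different flag combination) are this example's own. `next_ack` carries out the Ack arithmetic from the slide above, including the 2^32 wrap and the fact that SYN and FIN each occupy one sequence number.

```python
import struct

# The 20 header bytes reconstructed from the values decoded on the slides.
TCP_HEADER = bytes.fromhex("00501f53be7c79b6f4b7bd425010003626fb0000")

# Flag bits of the 16-bit data-offset/flags word, low bit first (NS is bit 8).
FLAG_BITS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080), ("NS", 0x100)]


def parse_tcp(seg):
    """Decode a TCP segment: fixed header, flag names, options and payload.
    Raises ValueError when the data offset does not fit the bytes given."""
    if len(seg) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    hlen = (off_flags >> 12) * 4  # data offset is in 32-bit words
    flags = off_flags & 0x01FF
    if hlen < 20 or len(seg) < hlen:
        raise ValueError(f"bad data offset: header length {hlen}")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "ack_valid": bool(flags & 0x010),        # Ack field only counts when ACK is set
        "header_len": hlen, "flags": flags,
        "flag_names": [name for name, bit in FLAG_BITS if flags & bit],
        "window": window, "checksum": csum,
        "urgent_pointer": urg if flags & 0x020 else None,  # only valid with URG
        "options": seg[20:hlen], "payload": seg[hlen:],
    }


def next_ack(seq, payload_len, syn=False, fin=False):
    """Ack number the receiver sends back: the next byte it expects.
    SYN and FIN each consume one sequence number; arithmetic wraps at 2^32."""
    return (seq + payload_len + int(syn) + int(fin)) & 0xFFFFFFFF


# Constructed SYN from port 8019 to port 80 with a 4-byte MSS option (kind 2,
# length 4, value 0x05b4 = 1460); data offset 6 words = 24-byte header.
SYN_SEGMENT = (struct.pack("!HHIIHHHH", 8019, 80, 0xbe7c79b5, 0,
                           (6 << 12) | 0x002, 65535, 0, 0)
               + bytes.fromhex("020405b4"))

if __name__ == "__main__":
    print(parse_tcp(TCP_HEADER))
    print(parse_tcp(SYN_SEGMENT)["flag_names"], parse_tcp(SYN_SEGMENT)["options"].hex())
    print(hex(next_ack(0xbe7c79b5, 0, syn=True)))  # 0xbe7c79b6
```

The checksum is deliberately only reported, not verified: it covers the data and an IP pseudo-header, and the slides show the header alone. Verification of a transport checksum is shown with the UDP example further down.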
UDP
User Datagram Protocol: connectionless, unreliable transport protocol. UDP merely extends the host-to-host delivery service of IP datagrams to a process-to-process service. The only things that UDP adds are multiplexing and demultiplexing (and an optional checksum)
UDP format
UDP header fields
Port numbers identify the sending and receiving processes
Total length is at least 8 bytes (i.e., the Data field can be empty) and at most 65,535
Checksum covers the UDP header, the UDP data and a pseudo-header built from some IP header fields (source and destination IP address, protocol number and UDP length). In IPv4 the checksum is optional: a value of 0 means no checksum was computed
Checksum Calculation
UDP header analysis with Wireshark
The Ethernet header and the IPv4 header precede the UDP header in the captured frame
0xc93f → Source port: 51519
0x079b → Destination port: 1947
0x0030 → Length: 48 B (header + data)
0xdb48 → Checksum
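The pseudo-header checksum described in the UDP header fields, and stated for TCP earlier ("covers both the TCP header and TCP data"), as an added example that is not code from the slides. The slides' UDP capture does not show the 40 data bytes, so the datagram here is constructed: the slides' ports (51519 → 1947), the slides' host 163.152.73.70 talking to a made-up 163.152.73.1, and a deliberately odd-length payload so the zero-padding rule is exercised. `l4_checksum_ok` works for TCP with protocol 6 as well, since TCP uses the same pseudo-header; `check_udp` also handles the IPv4 case of a zero checksum, which means "not computed" rather than "wrong".

```python
import struct

UDP, TCP = 17, 6


def inet_checksum(data):
    """RFC 1071 Internet checksum over 16-bit words, odd byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, proto, length):
    """IPv4 pseudo-header: source IP, destination IP, zero byte, protocol,
    transport-layer length. It is summed into the checksum but never sent."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return ip(src_ip) + ip(dst_ip) + struct.pack("!BBH", 0, proto, length)


def l4_checksum_ok(src_ip, dst_ip, proto, segment):
    """Verify a UDP (17) or TCP (6) checksum: pseudo-header plus the whole
    segment (header with checksum in place, plus data) must sum to zero."""
    return inet_checksum(pseudo_header(src_ip, dst_ip, proto, len(segment)) + segment) == 0


def build_udp(src_ip, dst_ip, sport, dport, payload):
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)  # checksum field zero while computing
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, UDP, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF  # RFC 768: 0 on the wire means "no checksum", so send all-ones instead
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def check_udp(src_ip, dst_ip, datagram):
    """Validate length and checksum of a UDP datagram given the IPs it was carried between."""
    if len(datagram) < 8:
        return {"ok": False, "checked": False, "reason": "shorter than the 8-byte header"}
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    info = {"sport": sport, "dport": dport, "length": length}
    if length < 8 or length > len(datagram):
        return {**info, "ok": False, "checked": False, "reason": f"bad length field {length}"}
    if csum == 0:  # IPv4 permits sending no checksum at all
        return {**info, "ok": True, "checked": False, "reason": "no checksum present"}
    return {**info, "ok": l4_checksum_ok(src_ip, dst_ip, UDP, datagram[:length]), "checked": True}


# Constructed sample (not the slides' capture): slides' ports, odd-length payload.
SRC, DST = "163.152.73.70", "163.152.73.1"
PAYLOAD = b"constructed payload for checksum demo"  # 37 bytes, so padding is needed
DATAGRAM = build_udp(SRC, DST, 51519, 1947, PAYLOAD)

if __name__ == "__main__":
    print(DATAGRAM[:8].hex(), check_udp(SRC, DST, DATAGRAM))
```

Because the IP addresses are part of the sum, a datagram whose checksum was computed for one destination fails verification at another: the check catches misdelivery as well as corruption, which the IP header checksum alone cannot do.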
ICMP
Internet Control Message Protocol
Used by hosts & routers to communicate network-level information. Error reporting: unreachable host, network, port, protocol
Echo request/reply (used by ping)
Network layer, above IP: ICMP messages are carried in IP datagrams
Type  Code  Description
0     0     echo reply (ping)
3     0     dest. network unreachable
3     1     dest. host unreachable
3     2     dest. protocol unreachable
3     3     dest. port unreachable
3     6     dest. network unknown
3     7     dest. host unknown
4     0     source quench (congestion control - not used)
8     0     echo request (ping)
9     0     router advertisement
10    0     router solicitation (router discovery)
11    0     TTL expired
12    0     bad IP header
ICMP Format
4 byte header: Type (1 byte): type of ICMP message; Code (1 byte): subtype of ICMP message; Checksum (2 bytes): similar to the IP header checksum, but calculated over the entire ICMP message
Then 4 bytes of additional information, or 0x00000000 if there is no additional data
Each ICMP message is at least 8 bytes long
[Figure: bits 0-7 type | bits 8-15 code | bits 16-31 checksum; next 32 bits: additional information or 0x00000000]
ICMP in TCP/IP
Special purpose message mechanism added to the TCP/IP protocols
ICMP is a network layer protocol, but its messages are encapsulated in IP datagrams before transmission
ICMP header analysis with Wireshark
0x08 → Type: 8
0x00 → Code: 0, so this is an Echo (ping) request
0x4d53 → Checksum (covers the whole message, header and data)
0x0001 0008 → Additional information: for an echo request, a 2-byte Identifier (0x0001) and a 2-byte Sequence number (0x0008). Wireshark shows each in two interpretations, big endian (BE: identifier 1, sequence 8) and little endian (LE: identifier 256, sequence 2048), because some ping implementations write these fields in host byte order
The remaining bytes are data
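The echo-request decode above in code, as an added example that is not from the slides. The 8 header bytes are reconstructed from the values decoded on the slides (08 00 4d53 0001 0008); the ping data that followed them is not reproduced there, so the slide's checksum 0x4d53 cannot be verified here, and the parser reports exactly that. `parse_icmp`, `build_echo` and the constructed payload are this example's own. The big-endian/little-endian double reading of identifier and sequence number is the same one Wireshark displays.

```python
import struct

# Header bytes decoded on the slides; the echo data is not available.
ICMP_ECHO_HEADER = bytes.fromhex("08004d5300010008")


def inet_checksum(data):
    """RFC 1071 Internet checksum over 16-bit words, odd byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(msg):
    """Decode the 8-byte ICMP header and verify the checksum over the whole
    message. For echo request/reply the 'additional information' word is
    read both big- and little-endian, as Wireshark shows it."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte minimum")
    typ, code, csum = struct.unpack("!BBH", msg[:4])
    info = {
        "type": typ, "code": code, "checksum": csum,
        # Unlike the IP header checksum this covers the data too, so it can
        # only come out right when the bytes after the header are present.
        "checksum_ok": inet_checksum(msg) == 0,
        "data": msg[8:],
    }
    if typ in (0, 8):  # echo reply / echo request: identifier + sequence number
        info["identifier_be"], info["sequence_be"] = struct.unpack("!HH", msg[4:8])
        info["identifier_le"], info["sequence_le"] = struct.unpack("<HH", msg[4:8])
    else:
        info["rest_of_header"] = msg[4:8]  # e.g. 0x00000000 for unreachable
    return info


def build_echo(request, ident, seq, data):
    """Build an echo request (type 8) or echo reply (type 0) with a correct
    checksum computed over header and data."""
    typ = 8 if request else 0
    head = struct.pack("!BBHHH", typ, 0, 0, ident, seq)
    csum = inet_checksum(head + data)
    return struct.pack("!BBHHH", typ, 0, csum, ident, seq) + data


if __name__ == "__main__":
    print(parse_icmp(ICMP_ECHO_HEADER))                       # checksum_ok False: data missing
    req = build_echo(True, 1, 8, b"constructed ping data")     # constructed payload
    print(req.hex(), parse_icmp(req))                         # checksum_ok True
```

A receiver matches an echo reply to its request by identifier and sequence number, so both have to be compared in the same byte order the sending ping used; the two readings are there so the analyst can tell which convention a given implementation follows.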