Packet Analysis with Wireshark
ARP, IP, TCP, UDP, ICMP
Kyu Hyun Choi
Wireshark?
Free and open-source network packet analyzer for Unix, Linux, Windows, OSX, BSD, Solaris and so on
https://www.wireshark.org/
What can we do with Wireshark
Network troubleshooting, analysis
Software and communications protocol development
Education
Hacking!
Getting Started
Download and install wireshark
Select Device
Start live capture
(Screenshot of the Wireshark window with three panes: captured network packet list; analyzed information about the selected packet; packet raw data)
ARP
Address Resolution Protocol
Telecommunication protocol used for resolution of network layer addresses into link layer addresses
Converts an IP address to a physical address (such as a MAC address)
ARP – Packet structure
The length of the address fields is determined by the corresponding address length fields
ARP – Packet structure
Hardware type (HTYPE)
Specifies the network protocol type. e.g. Ethernet = 1
Protocol type (PTYPE)
Specifies the internet protocol for which the ARP request is intended.
For IPv4, this has the value 0x0800
Hardware address length (HLEN)
Length of a hardware address. Ethernet address size is 6 (bytes).
Protocol address length (PLEN)
Length of addresses used in the upper layer protocol (specified in PTYPE). IPv4 address size is 4 (bytes).
ARP – Packet structure
Operation code
Specifies the operation that the sender is performing.
1 for request, 2 for reply
Sender hardware address (SHA)
ARP request → Indicates the address of the host sending the request
ARP reply → Indicates the address of the host that the request was looking for
Sender protocol address (SPA)
Internetwork address of the sender
Target hardware address (THA)
ARP request → Ignored
ARP reply → Indicates the address of the host that originated the ARP request
Target protocol address (TPA)
Internetwork address of the intended receiver
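The field layout above, turned into a decoder as an added example (not code from the slides). The packet bytes are constructed here for the example: HTYPE 1, PTYPE 0x0800, HLEN 6, PLEN 4, opcode 1, with made-up addresses in the 192.0.2.0/24 documentation range. The address fields are sliced using HLEN and PLEN rather than fixed offsets, as the slides note, and describe() spells out what SHA/THA mean for a request versus a reply.

```python
import struct
from ipaddress import IPv4Address

OPCODES = {1: "request", 2: "reply"}

# Constructed ARP request (not a capture from the slides): HTYPE 1 (Ethernet),
# PTYPE 0x0800 (IPv4), HLEN 6, PLEN 4, OPER 1. Sender 02:00:00:00:00:01 /
# 192.0.2.1 asks for 192.0.2.2; THA is ignored in a request and sent as zeros.
ARP_REQUEST = bytes.fromhex(
    "0001" "0800" "06" "04" "0001"
    "020000000001" "c0000201"
    "000000000000" "c0000202"
)

def fmt_addr(raw: bytes, ptype_ipv4: bool) -> str:
    """Render a protocol address as a dotted quad when it is IPv4, else as hex."""
    if ptype_ipv4 and len(raw) == 4:
        return str(IPv4Address(raw))
    return raw.hex()

def parse_arp(pkt: bytes) -> dict:
    """Decode an ARP packet; the address fields are sized by HLEN and PLEN."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[:8])
    need = 8 + 2 * (hlen + plen)
    if len(pkt) < need:
        raise ValueError(f"ARP packet too short: {len(pkt)} < {need} bytes")
    off, raw = 8, {}
    for name, size in (("sha", hlen), ("spa", plen), ("tha", hlen), ("tpa", plen)):
        raw[name] = pkt[off:off + size]
        off += size
    ipv4 = ptype == 0x0800
    return {
        "htype": htype, "ptype": ptype, "oper": oper,
        "op": OPCODES.get(oper, f"unknown({oper})"),
        "sha": raw["sha"].hex(":"), "tha": raw["tha"].hex(":"),
        "spa": fmt_addr(raw["spa"], ipv4), "tpa": fmt_addr(raw["tpa"], ipv4),
    }

def describe(arp: dict) -> str:
    """State what the message claims, following the SHA/THA meanings above."""
    if arp["op"] == "request":
        return f"{arp['spa']} ({arp['sha']}) asks: who has {arp['tpa']}?"
    if arp["op"] == "reply":
        return f"{arp['spa']} is at {arp['sha']}, answering {arp['tpa']} ({arp['tha']})"
    return f"ARP opcode {arp['oper']} from {arp['spa']}"
```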
IP
Internet Protocol
Unique global address for a network interface
An IP address:
is a 32 bit long identifier (IPv4)
encodes a network number and a host number
Network prefix and host number
The network prefix identifies a network
The host number identifies a specific host
How do we know how long the network prefix is?
The network prefix is indicated by a netmask
e.g. 255.255.255.0
→ Network prefix is first 3 bytes, and last byte is host number
Notation: 163.152.73.70/24
Network prefix is 24 bits long
IP datagram format
IP header fields (32 bits per row):
ver: IP protocol version number
head. len: header length (bytes)
type of service: "type" of data
length: total datagram length (bytes)
16-bit identifier, flags, fragment offset: for fragmentation / reassembly
time to live: max number of remaining hops (decremented at each router)
upper layer: upper layer protocol to deliver payload to
header checksum: protects the header of IP data packets against data corruption
32 bit source IP address
32 bit destination IP address
Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
Data (typically a TCP or UDP segment)
IP header Analysis with Wireshark
• IP is in the Network Layer
• So IP packets are prefixed by lower-layer protocol headers
• The first 12 bytes are the Ethernet header's source and destination MAC addresses
IP header Analysis with Wireshark
IPv4 header fields
20 bytes
0x45 = 0100 0101
0100 = 4 (Version: 4)
0101 = 5
(5 × 4B (1 word) = 20B)
0x00 = 0000 0000
Type of service
Nothing special
IP header Analysis with Wireshark
0x05dc = 1500
Total length
0xf146 = 61766
Identification
0x40 = 010 00000
010: flag bit vector
(Reserved bit)(Don't fragment)(More fragments)
00000: fragment offset (high bits)
0x2e = 46
Time To Live
IP header Analysis with Wireshark
0x06 = 6 (TCP)
Upper layer protocol is TCP
0xcdb9
Checksum
0x3a7860c5: 58.120.96.197
Source IP
0xa3984946: 163.152.73.70
Destination IP
IP Checksum calculation
Divide the IP header into 2-byte segments
Assume that the checksum bytes are 0x0000
Add all 2-byte segments
The sum is 0x0003 3243 in this case
Add the carry to the lower 2 bytes of the sum
0x0003 + 0x3243 = 0x3246
Take the 1's complement
0x3246 = 0011 0010 0100 0110 → 1100 1101 1011 1001 = 0xcdb9
Profit!!!
Transport Layer Protocols
TCP – Transmission Control Protocol:
Stream oriented
Reliable, connection-oriented
Complex
Only unicast
Used for most internet applications: Web (http), email (smtp), file transfer (ftp), terminal (telnet), etc.
UDP – User Datagram Protocol:
Datagram oriented
Unreliable, connectionless
Simple
Unicast and multicast
Useful only for few applications, e.g. multimedia applications
Used a lot for services: network management (SNMP), routing (RIP), naming (DNS), etc.
TCP
Transmission Control Protocol
TCP is a connection-oriented protocol
It creates a virtual connection between two TCPs to send data
Uses flow and error control mechanism at the transport layer
Provides a reliable unicast end-to-end byte stream over an
unreliable internetwork
TCP header format
TCP header fields
Port Number:
A port number identifies the endpoint of a connection (process)
A pair <IP address, port number> identifies one endpoint of a
connection
(Figure: two hosts, each stacked as Applications over TCP over IP; port numbers such as 23, 80, 104 on one host and 7, 80, 16 on the other identify the application endpoints)
TCP header fields
Sequence Number (Seq)
Sequence number is 32 bits long
So the range of sequence numbers is 0 ≤ seq ≤ 2^32 - 1
Each sequence number identifies a byte in the byte stream
Initial Sequence Number (ISN) of a connection is set during
connection establishment
TCP header fields
Acknowledgement Number (Ack):
Acknowledgements are piggybacked, i.e.
a segment from A → B can contain an acknowledgement for data sent in the B → A direction
A host uses the Ack field to send acknowledgements
If a host sends an Ack in a segment it sets the "ACK flag"
The Ack contains the next Seq that a host wants to receive
e.g. The acknowledgement for a segment with Seq 0-1500 is Ack=1501
TCP header fields - Flags
TCP header fields
Window Size:
Each side of the connection advertises the window size
Window size is the maximum number of bytes that a receiver can
accept
Maximum window size is 2^16 – 1 = 65535 bytes
TCP checksum:
TCP checksum covers over both TCP header and TCP data
Urgent Pointer:
Only valid if URG flag is set
TCP header analysis with Wireshark
0x0050 = 80
Source port
0x1f53 = 8019
Destination port
TCP header analysis with Wireshark
0xbe7c79b6
Sequence number
0xf4b7bd42
Ack number
0x5 = 5
Header length
5 × 4 bytes (1 word) = 20 bytes
TCP header analysis with Wireshark
0x010
Flags
Bit vector
Acknowledgment
0x0036
Window size
0x26fb
Checksum
0x0000
Urgent pointer
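The header walked through above, decoded by an added example (not code from the slides). The 20 header bytes are reassembled from the hex values shown on the slides; flag names and their bit positions are standard TCP and are assumed here since the slides' flags figure is not reproduced. The decoder also applies two rules from the slides: the Ack field only counts when the ACK flag is set, and the urgent pointer only when URG is set.

```python
import struct

# The 20-byte TCP header from the slides: ports 0x0050/0x1f53, seq 0xbe7c79b6,
# ack 0xf4b7bd42, data offset 5 + flags 0x010, window 0x0036, checksum 0x26fb,
# urgent pointer 0x0000.
TCP_HEADER = bytes.fromhex("0050 1f53 be7c79b6 f4b7bd42 5010 0036 26fb 0000")

# Flag bits of the 16-bit "data offset / reserved / flags" word (assumed
# standard layout), lowest bit first.
FLAG_BITS = (("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080),
             ("NS", 0x100))

def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed TCP header and split off options and payload."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4          # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"bad data offset: header length {header_len}")
    flags = [name for name, bit in FLAG_BITS if off_flags & bit]
    return {
        "sport": sport, "dport": dport, "seq": seq, "window": window,
        "ack": ack if "ACK" in flags else None,      # Ack only valid with ACK flag
        "flags": flags, "header_len": header_len, "checksum": csum,
        "urgent_pointer": urg if "URG" in flags else None,  # only valid with URG
        "options": segment[20:header_len], "payload": segment[header_len:],
    }

def expected_ack(seq: int, payload_len: int) -> int:
    """Ack the receiver sends back: the next byte it wants, modulo 2^32."""
    return (seq + payload_len) % (1 << 32)
```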
UDP
User Datagram Protocol
Connectionless, unreliable transport protocol
UDP merely extends the host-to-host delivery service of IP datagrams to a process-to-process service
The only thing that UDP adds is multiplexing and demultiplexing
UDP format
UDP header fields
Port numbers identify sending and receiving processes
Total length is at least 8 bytes (i.e., the Data field can be empty) and at most 65,535
Checksum covers the UDP header and some of the IP header fields (the pseudoheader)
Checksum Calculation
UDP header analysis with Wireshark
Ethernet header and IPv4 header precede the UDP header
0xc93f
Source port: 51519
0x079b
Destination port: 1947
0x0030
Length: 48B (header + data)
0xdb48
Checksum
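An added example (not code from the slides) that carries out the IP checksum steps shown earlier and the UDP pseudoheader checksum from the UDP slides with one shared ones' complement routine. The IP header bytes are the ones decoded on the slides, so the result must come out as 0xcdb9; the UDP datagram is constructed here with the slides' ports (51519 → 1947), made-up 192.0.2.x addresses and a made-up payload. The pseudoheader layout (source IP, destination IP, zero byte, protocol 17, UDP length) is assumed from the standard UDP definition.

```python
import struct

# The 20-byte IPv4 header walked through on the slides: 0x45 0x00 0x05dc 0xf146
# 0x4000 0x2e 0x06 0xcdb9, 58.120.96.197 → 163.152.73.70.
IP_HEADER = bytes.fromhex("4500 05dc f146 4000 2e06 cdb9 3a7860c5 a3984946")

def ones_complement_sum(data: bytes) -> int:
    """Add the data as 2-byte big-endian segments, folding carries back in."""
    if len(data) % 2:
        data += b"\x00"                          # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                           # add the carries to the low 2 bytes
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_checksum(header: bytes) -> int:
    """Sender side: checksum bytes assumed 0x0000, sum, then 1's complement."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return ~ones_complement_sum(zeroed) & 0xFFFF

def ip_header_valid(header: bytes) -> bool:
    """Receiver side: summing the header including its checksum gives 0xffff."""
    return ones_complement_sum(header) == 0xFFFF

def udp_pseudoheader(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    """IP fields covered by the UDP checksum: addresses, protocol 17, UDP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 17, udp_len)

def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP datagram; its checksum covers pseudoheader + header + data."""
    length = 8 + len(payload)
    datagram = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = ~ones_complement_sum(udp_pseudoheader(src_ip, dst_ip, length) + datagram) & 0xFFFF
    return datagram[:6] + struct.pack("!H", csum or 0xFFFF) + datagram[8:]  # 0 means "none"

def udp_valid(src_ip: bytes, dst_ip: bytes, datagram: bytes) -> bool:
    """Receiver side check; a zero checksum field means the sender sent none."""
    length = struct.unpack("!H", datagram[4:6])[0]
    if length < 8 or length != len(datagram):
        return False
    if datagram[6:8] == b"\x00\x00":
        return True
    return ones_complement_sum(udp_pseudoheader(src_ip, dst_ip, length) + datagram) == 0xFFFF
```

Because the pseudoheader is summed in, a datagram that arrives at a different destination address than the one it was built for fails udp_valid even though its own bytes are untouched.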
ICMP
Internet Control Message Protocol
Used by hosts & routers to communicate network-level information
Error reporting: unreachable host, network, port, protocol
Echo request/reply (used by ping)
Network-layer above IP: ICMP msgs carried in IP datagrams
Type  Code  Description
0     0     echo reply (ping)
3     0     dest. network unreachable
3     1     dest host unreachable
3     2     dest protocol unreachable
3     3     dest port unreachable
3     6     dest network unknown
3     7     dest host unknown
4     0     source quench (congestion control - not used)
8     0     echo request (ping)
9     0     route advertisement
10    0     router discovery
11    0     TTL expired
12    0     bad IP header
ICMP Format
bits 0-7: type; bits 8-15: code; bits 16-31: checksum
followed by 4 bytes of additional information, or 0x00000000
4 byte header
Type (1 byte): type of ICMP message
Code (1 byte): subtype of ICMP message
Checksum (2 bytes): similar to the IP header checksum. Calculated over the entire ICMP message
If there is no additional data, there are 4 bytes set to zero
Each ICMP message is at least 8 bytes long
ICMP in TCP/IP
Special purpose message mechanism added to the TCP/IP
protocols
ICMP is a network layer protocol, but its messages are first encapsulated into IP datagrams
ICMP header analysis with Wireshark
0x08
Type: 8
0x00
Code: 0
Echo (ping) request
0x4d53
Checksum
0x0001 0008
Additional information
Identifier in this case
Wireshark shows it in two byte orders: big endian and little endian
The remaining bytes are data