Packet Analysis with Wireshark

ARP, IP, TCP, UDP, ICMP
Kyu Hyun Choi
Wireshark?
• Free and open-source network packet analyzer for Unix, Linux, Windows, OSX, BSD, Solaris and so on
• https://www.wireshark.org/
What can we do with Wireshark
• Network troubleshooting, analysis
• Software and communications protocol development
• Education
• Hacking !
Getting Started
• Download and install Wireshark
[Screenshots: select a device and start a live capture; the main window shows the captured network packet list, the analyzed information about the selected packet, and the packet's raw data]
ARP
• Address Resolution Protocol
• Telecommunication protocol used for resolution of network layer addresses into link layer addresses
• Converts an IP address to a physical address (such as a MAC address)
ARP – Packet structure
The length of the address fields is determined by the corresponding address length fields (HLEN and PLEN).
• Hardware type (HTYPE)
  - Specifies the network link protocol type, e.g. Ethernet = 1
• Protocol type (PTYPE)
  - Specifies the internet protocol for which the ARP request is intended. For IPv4, this has the value 0x0800
• Hardware address length (HLEN)
  - Length of a hardware address. Ethernet addresses are 6 bytes.
• Protocol address length (PLEN)
  - Length of the addresses used in the upper layer protocol (specified in PTYPE). IPv4 addresses are 4 bytes.
• Operation code
  - Specifies the operation that the sender is performing: 1 for request, 2 for reply
• Sender hardware address (SHA)
  - ARP request → the address of the host sending the request
  - ARP reply → the address of the host that the request was looking for
• Sender protocol address (SPA)
  - Internetwork address of the sender
• Target hardware address (THA)
  - ARP request → ignored
  - ARP reply → the address of the host that originated the ARP request
• Target protocol address (TPA)
  - Internetwork address of the intended receiver
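As an added example (not code from the original slides), this Python parser reads the ARP fields in the order listed above and sizes SHA/SPA/THA/TPA from HLEN and PLEN instead of assuming Ethernet and IPv4; the request bytes it decodes are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

ARP_OPERATIONS = {1: "request", 2: "reply"}

def parse_arp(packet: bytes) -> dict:
    """Decode an ARP packet; the SHA/SPA/THA/TPA sizes come from HLEN and PLEN."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", packet[:8])
    needed = 8 + 2 * (hlen + plen)
    if len(packet) < needed:
        raise ValueError(f"ARP packet truncated: need {needed} bytes, got {len(packet)}")

    def hw(addr: bytes) -> str:             # hardware addresses printed MAC-style
        return ":".join(f"{b:02x}" for b in addr)

    def proto(addr: bytes) -> str:          # dotted quad only when PTYPE says IPv4
        return str(IPv4Address(addr)) if ptype == 0x0800 and plen == 4 else addr.hex()

    pos, values = 8, []
    for size in (hlen, plen, hlen, plen):   # SHA, SPA, THA, TPA in wire order
        values.append(packet[pos:pos + size])
        pos += size
    sha, spa, tha, tpa = values
    return {"htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen,
            "operation": ARP_OPERATIONS.get(oper, f"unknown({oper})"),
            "sha": hw(sha), "spa": proto(spa), "tha": hw(tha), "tpa": proto(tpa)}

# Constructed Ethernet/IPv4 ARP request (not from the slides):
# "who has 163.152.73.1? tell 163.152.73.70"; THA is all zeros because a request ignores it.
SAMPLE_ARP_REQUEST = bytes.fromhex(
    "0001 0800 06 04 0001"        # HTYPE=1 (Ethernet), PTYPE=0x0800 (IPv4), HLEN=6, PLEN=4, OPER=1
    "001122334455 a3984946"       # SHA, SPA
    "000000000000 a3984901"       # THA (ignored), TPA
)
```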
IP
• Internet Protocol
• Unique global address for a network interface
• An IP address:
  - is a 32-bit identifier (IPv4)
  - encodes a network number and a host number
Network prefix and host number
• The network prefix identifies a network
• The host number identifies a specific host
[Figure: an IP address split into network prefix | host number]
• How do we know how long the network prefix is?
  - The network prefix is indicated by a netmask, e.g. 255.255.255.0 → the network prefix is the first 3 bytes, and the last byte is the host number
  - Notation: 163.152.73.70/24 → the network prefix is 24 bits long
IP datagram format
IP header fields (each row of the header is 32 bits wide):
• ver: IP protocol version number
• head. len: header length (bytes)
• type of service: "type" of data
• length: total datagram length (bytes)
• 16-bit identifier, flags, fragment offset: for fragmentation / reassembly
• time to live: max number of remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• header checksum: protects the header of IP data packets against data corruption
• 32 bit source IP address
• 32 bit destination IP address
• Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
• Data (typically a TCP or UDP segment)
IP header Analysis with Wireshark
• IP is in the Network Layer, so an IP packet arrives wrapped in lower layer protocol headers
• The first 12 bytes belong to the Ethernet header: the source and destination MAC addresses
• IPv4 header fields: 20 bytes
• 0x45 = 0100 0101
  - 0100 = 4 (Version: 4)
  - 0101 = 5 (header length: 5 × 4 B (1 word) = 20 B)
• 0x00 = 0000 0000
  - Type of service: nothing special
• 0x05dc = 1500
  - Total length
• 0xf146 = 61766
  - Identification
• 0x40 = 010 00000
  - 010: flags bit vector (Reserved bit)(Don't fragment)(More fragments)
  - 00000: fragment offset
• 0x2e = 46
  - Time To Live
• 0x06 = 6 (TCP)
  - Upper layer protocol is TCP
• 0xcdb9
  - Checksum
• 0x3a7860c5: 58.120.96.197
  - Source IP
• 0xa3984946: 163.152.73.70
  - Destination IP
IP Checksum calculation
• Divide the IP header into 2-byte segments
• Assume that the checksum bytes are 0x0000
• Add all the segments
  - The sum is 0x0003 3243 in this case
• Add the carries to the lower 2 bytes of the sum
  - 0x0003 + 0x3243 = 0x3246
• Take the 1's complement
  - 0x3246 = 0011 0010 0100 0110 → 1100 1101 1011 1001 = 0xcdb9
Profit!!!
Transport Layer Protocols

TCP – Transmission Control Protocol          | UDP – User Datagram Protocol
Stream oriented                              | Datagram oriented
Reliable, connection-oriented                | Unreliable, connectionless
Complex                                      | Simple
Only unicast                                 | Unicast and multicast
Used for most internet applications: Web     | Useful only for a few applications,
(http), email (smtp), file transfer (ftp),   | e.g. multimedia applications
terminal (telnet), etc.                      | Used a lot for services: network
                                             | management (SNMP), routing (RIP),
                                             | naming (DNS), etc.
TCP
• Transmission Control Protocol
• TCP is a connection-oriented protocol
  - It creates a virtual connection between two TCPs to send data
  - Uses flow and error control mechanisms at the transport layer
• Provides a reliable unicast end-to-end byte stream over an unreliable internetwork
TCP header format
TCP header fields
• Port Number:
  - A port number identifies the endpoint of a connection (process)
  - A pair <IP address, port number> identifies one endpoint of a connection
[Figure: two hosts, each with Applications on top of TCP on top of IP; the ports (e.g. 23, 80, 104 on one host and 7, 80, 16 on the other) identify the application processes]
TCP header fields
• Sequence Number (Seq)
  - The sequence number is 32 bits long, so its range is 0 ≤ seq ≤ 2^32 - 1
  - Each sequence number identifies a byte in the byte stream
  - The Initial Sequence Number (ISN) of a connection is set during connection establishment
• Acknowledgement Number (Ack):
  - Acknowledgements are piggybacked, i.e. a segment from A → B can contain an acknowledgement for data sent in the B → A direction
  - A host uses the Ack field to send acknowledgements
  - If a host sends an Ack in a segment it sets the "ACK flag"
  - The Ack contains the next Seq that a host wants to receive
  - e.g. the acknowledgement for a segment with Seq 0-1500 is Ack=1501
TCP header fields - Flags
TCP header fields
• Window Size:
  - Each side of the connection advertises its window size
  - The window size is the maximum number of bytes that a receiver can accept
  - The maximum window size is 2^16 - 1 = 65535 bytes
• TCP checksum:
  - The TCP checksum covers both the TCP header and the TCP data
• Urgent Pointer:
  - Only valid if the URG flag is set
TCP header analysis with Wireshark
• 0x0050 = 80
  - Source port
• 0x1f53 = 8019
  - Destination port
• 0xbe7c79b6
  - Sequence number
• 0xf4b7bd42
  - Ack number
• 0x5 = 5
  - Header length: 5 × 4 bytes (1 word) = 20 bytes
• 0x010
  - Flags (bit vector): Acknowledgment
• 0x0036
  - Window size
• 0x26fb
  - Checksum
• 0x0000
  - Urgent pointer
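As an added example (not the slides' own code), this Python function decodes the TCP header the way the slides read it off Wireshark, splitting the 16-bit word 0x5010 into the 4-bit header length and the flag bit vector; the header bytes are transcribed from the values on the slides above.

```python
import struct

# Flag names from bit 0 (least significant) upward; the slides' 0x010 sets bit 4 = ACK
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]

def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and split off options and payload."""
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4            # data offset, counted in 32-bit words
    flag_bits = off_flags & 0x1FF                 # the low 9 bits are the flag vector
    flags = [name for bit, name in enumerate(TCP_FLAGS) if flag_bits & (1 << bit)]
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"bad TCP data offset: header length {header_len}")
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags, "window": window,
            "checksum": csum, "urgent_ptr": urg if "URG" in flags else None,
            "options": segment[20:header_len], "payload": segment[header_len:]}

# Header bytes as read off the slides' capture: ports 80 -> 8019, header length 5 words, ACK only.
SLIDE_TCP_HEADER = bytes.fromhex("0050 1f53 be7c79b6 f4b7bd42 5010 0036 26fb 0000")
```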
UDP
• User Datagram Protocol
• Connectionless, unreliable transport protocol
• UDP merely extends the host-to-host delivery service of IP datagrams to a process-to-process service
• The only thing that UDP adds is multiplexing and demultiplexing
UDP format
UDP header fields
• Port numbers identify the sending and receiving processes
• Total length is at least 8 bytes (i.e., the Data field can be empty) and at most 65,535
• The checksum covers the UDP header and some of the IP header fields (the pseudoheader)
Checksum Calculation
UDP header analysis with Wireshark
• The Ethernet header and the IPv4 header precede the UDP header
• 0xc93f
  - Source port: 51519
• 0x079b
  - Destination port: 1947
• 0x0030
  - Length: 48 B (header + data)
• 0xdb48
  - Checksum
ICMP
• Internet Control Message Protocol
• Used by hosts & routers to communicate network-level information
  - Error reporting: unreachable host, network, port, protocol
  - Echo request/reply (used by ping)
• Network-layer above IP:
  - ICMP msgs are carried in IP datagrams
Type  Code  Description
 0     0    echo reply (ping)
 3     0    dest. network unreachable
 3     1    dest host unreachable
 3     2    dest protocol unreachable
 3     3    dest port unreachable
 3     6    dest network unknown
 3     7    dest host unknown
 4     0    source quench (congestion control - not used)
 8     0    echo request (ping)
 9     0    route advertisement
10     0    router discovery
11     0    TTL expired
12     0    bad IP header
ICMP Format
bit #   0-7: type | 8-15: code | 16-31: checksum
        32-63: additional information, or 0x00000000
• 4 byte header
  - Type (1 byte): type of ICMP message
  - Code (1 byte): subtype of ICMP message
  - Checksum (2 bytes): similar to the IP header checksum. Calculated over the entire ICMP message
• If there is no additional data, there are 4 bytes set to zero
• Each ICMP message is at least 8 bytes long
ICMP in TCP/IP
• Special purpose message mechanism added to the TCP/IP protocols
• ICMP is a network layer protocol, but its messages are first encapsulated in IP datagrams
ICMP header analysis with Wireshark
• 0x08
  - Type: 8
• 0x00
  - Code: 0
  - Echo (ping) request
• 0x4d53
  - Checksum
• 0x0001 0008
  - Additional information: the identifier in this case
  - Wireshark shows it in two forms: big endian and little endian
• The remaining bytes are data
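As an added example (not the slides' own code), the following Python carries out the Internet checksum procedure from the IP Checksum calculation slide on the exact header bytes shown there, reuses it for the UDP checksum with the IPv4 pseudoheader described under UDP header fields (on a constructed datagram, since the slides do not show the UDP payload), and decodes the ICMP echo-request header with the big-endian and little-endian readings that Wireshark displays. The UDP payload and the use of the slides' IP addresses in its pseudoheader are assumptions.

```python
import struct
from ipaddress import IPv4Address

def internet_checksum(data: bytes) -> int:
    """RFC 1071: add the 16-bit words, fold the carries back in, take the 1's complement."""
    if len(data) % 2:
        data += b"\x00"                             # odd length: pad with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(header: bytes) -> dict:
    """Decode the 20-byte IPv4 header as the slides walk through it and verify its checksum."""
    ver_ihl, tos, tot_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", header[:20])
    zeroed = header[:10] + b"\x00\x00" + header[12:20]   # checksum field assumed 0x0000
    return {"version": ver_ihl >> 4, "header_len": (ver_ihl & 0xF) * 4, "tos": tos,
            "total_length": tot_len, "id": ident, "flags": flags_frag >> 13,
            "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "checksum": csum, "checksum_ok": internet_checksum(zeroed) == csum}

def udp_checksum(src_ip: str, dst_ip: str, udp: bytes) -> int:
    """UDP checksum over the pseudoheader (src, dst, zero, protocol 17, UDP length) + datagram."""
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 17, len(udp)))
    csum = internet_checksum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])
    return csum or 0xFFFF                           # a computed 0 is transmitted as 0xFFFF

def parse_icmp_echo(msg: bytes) -> dict:
    """Type, code, checksum, then identifier and sequence number in both byte orders."""
    typ, code, csum = struct.unpack("!BBH", msg[:4])
    id_be, seq_be = struct.unpack("!HH", msg[4:8])      # what Wireshark labels (BE)
    id_le, seq_le = struct.unpack("<HH", msg[4:8])      # what Wireshark labels (LE)
    return {"type": typ, "code": code, "checksum": csum, "id_be": id_be, "id_le": id_le,
            "seq_be": seq_be, "seq_le": seq_le, "data": msg[8:]}

# Bytes transcribed from the slides' captures: the IPv4 header and the ICMP echo-request header
# (the ICMP payload, which the slides' checksum 0x4d53 also covers, is not shown there).
SLIDE_IP_HEADER = bytes.fromhex("4500 05dc f146 4000 2e06 cdb9 3a78 60c5 a398 4946")
SLIDE_ICMP_HEADER = bytes.fromhex("0800 4d53 0001 0008")
# Constructed UDP datagram (not from the slides): ports 51519 -> 1947, length 12, checksum zeroed.
SAMPLE_UDP = struct.pack("!HHHH", 51519, 1947, 12, 0) + b"ping"
```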