Module 4: Packet analysis


A packet analyzer is a software application (sometimes a dedicated appliance) used to capture, decode and log the network traffic that passes over a digital network. It decodes each captured frame protocol by protocol and can summarize the traffic in reports that help organizations manage their networks. The same capability serves attackers: a sniffer placed on a network can read credentials and other data from any traffic that is not encrypted. A packet analyzer is also known as a sniffer, network analyzer or protocol analyzer.

A network manager must watch network traffic both for threats and for performance problems, and should troubleshoot the network regularly to keep traffic flowing efficiently. A packet analyzer gives a detailed picture of network activity, including which hosts and applications are consuming bandwidth and other resources. If one process is using too much bandwidth, the network manager can identify it from the capture and then throttle or stop it. Newly deployed applications and network nodes often have configuration or interoperability problems, and a capture of their traffic is usually the fastest way to pinpoint the cause. A packet analyzer can decode traffic live as it is captured, or analyze a capture file (for example a pcap) that was saved earlier.

The key functions and uses of packet analyzers include:
- Analyzing network issues and problems
- Monitoring network security by detecting unauthorized attempts to access the network
- Isolating elements causing harm
- Monitoring overall WAN bandwidth (and individual user consumption)
- Generating reports of network statistics as tables, charts or raw data
- Monitoring data in transit
- Monitoring overall WAN/LAN and user/endpoint security issues and statuses
- Spotting unwanted content and detecting unauthorized access (an analyzer observes; it does not block)
- Debugging client/server communication errors
- Verifying proxy server configuration, firewall status and configuration, spam protection and other security controls by inspecting the traffic they actually pass
- Serving as the primary data source for day-to-day network monitoring and management
- Reverse engineering proprietary protocols seen on the network

Why include packet analysis? Network packet analysis is included in this module to help you understand networks, network communication, and specifically the Open Systems Interconnection (OSI) model better. When you understand the construction of network packets on a bit level, everything you have learned about networks will make much more sense.

Network analysis can also be done in a practical manner using software specifically written for this purpose, such as Wireshark. This module, however, only aims to help you understand the construction of network packets on a theoretical level so that you gain a better understanding of the four selected protocols that we will focus on here, namely TCP, UDP, IP and ICMP. In short, you will examine examples of packets from each of the above-mentioned protocols on a bit level.

Where to listen for packets? Network packets can be captured wherever the traffic is visible: on the capturing computer's own network interface (in promiscuous mode, to see every frame on a shared segment rather than only those addressed to it), on a switch port configured as a mirror/SPAN port, on an inline network tap, or on a wireless adapter in monitor mode. What are some of the tools available for packet analysis? Tools available for packet analysis include:
- Wireshark Network Packet Analyzer
- CAPSA (Javvin Technologies, Inc.)
- NetScout Network Packet Analysis
- Fluke Networks Analyzers

What is a packet? A packet is a unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network. The individual packets carrying a given file may travel different routes through the Internet and arrive out of order. At the receiving end, the TCP layer uses sequence numbers to put the segments back in order and deliver the original byte stream to the application, which reconstructs the file.

What is a frame? TCP/IP does not define any specific protocol for the data link layer; it runs over all of the standard and proprietary link-layer protocols. At this level, the communication is between two directly connected hops or nodes. The unit of communication is called a frame. A frame encapsulates the packet received from the network layer by adding a header and sometimes a trailer.

In networking, a frame is the unit of data at the data link layer. Framing lets a receiver recognise where each packet starts and ends in the stream of bits arriving from the medium. In addition to other control information, the header includes the source and destination addresses of the frame. The destination address is needed to identify the right recipient, because many nodes may be connected to the same link. The source address is needed for the response or acknowledgement that some protocols require.

A more appropriate generic term is protocol data unit, or PDU. The specific name for a PDU depends on which layer of the OSI model the data unit is in. At layer 5, 6 or 7 of the OSI model, the actual construction of the PDU depends on the specific application; at these layers, you can simply refer to the PDU as data.

At layer 4, the transport layer of the OSI model, if the transport protocol is TCP, the PDU is called a segment. It is called a segment because at the transport layer the application's byte stream is segmented into chunks, and a TCP header is added to each. If the transport protocol is UDP, the PDU is called a (user) datagram. At layer 3, the network layer of the OSI model, in the TCP/IP stack the PDU is called a packet (an IP datagram). The network layer encapsulates each TCP segment or UDP datagram into an IP packet by adding a header that includes the source and destination IP addresses.

At layer 2, the data link layer, the PDU is called a frame. The data link layer encapsulates a packet into a frame by adding a header with the physical (MAC) addresses of the source and destination and a type field identifying the network-layer protocol, and usually a trailer carrying a frame check sequence (FCS) for error detection. Some link-layer protocols, though not Ethernet, also add a frame sequence number. At layer 1, the physical layer, the PDU is called a bit. The physical layer includes the electronic network circuitry and connection media like fibre optic cables. It is the layer where data is physically moved across the network.

Unit 1: User Datagram Protocol (UDP) Introduction UDP sits between the application layer and the IP layer, acting as the intermediary between application programs and the network. UDP (User Datagram Protocol) is an alternative transport protocol to Transmission Control Protocol (TCP), used primarily where low latency matters more than reliability and the application can tolerate loss, for example DNS, VoIP and media streaming. UDP is connectionless: it adds no handshake, acknowledgements, retransmission or ordering on top of IP. Both UDP and TCP run on top of the Internet Protocol (IP) and are sometimes referred to as UDP/IP or TCP/IP. UDP sends individual messages called user datagrams; TCP sends segments that together form an ordered byte stream.

Position of UDP in the TCP/IP protocol suite

User datagram format: a UDP user datagram has a fixed 8-byte header made up of four 16-bit fields (source port, destination port, length and checksum), followed by the application data.

Source Port: This field contains the port number used by the process running on the source host. It is 16 bits long, which means that the port number can range from 0 to 65,535. If the source host is the client (i.e. a client sending a request), the port number is, in most cases, an ephemeral port number requested by the process and chosen by the UDP software running on the source host. If the source host is the server (i.e. a server sending a response), the port number is, in most cases, a well-known port number.

Destination Port: This field contains the port number used by the process running on the destination host. It is also 16 bits long. If the destination host is the server (i.e. a client sending a request), the port number is, in most cases, a well-known port number. If the destination host is the client (i.e. a server sending a response), the port number is, in most cases, an ephemeral port number. In the latter case, the server copies the ephemeral port number it received as the source port of the request packet.

Length: This is a 16-bit field that defines the total length of the user datagram (header plus data), so its minimum value is 8 (a datagram with no data). The 16 bits can encode a length of 0 to 65,535 bytes, but the real maximum is smaller, because the UDP datagram must fit inside an IP datagram whose own total length is limited to 65,535 bytes: with the minimum 20-byte IPv4 header, a UDP datagram can be at most 65,515 bytes (65,507 bytes of data). Strictly, the Length field is redundant in IPv4. The user datagram is encapsulated in an IP datagram, and the IP header carries both the total length of the IP datagram and the length of the IP header; subtracting the second from the first yields the length of the encapsulated UDP datagram. A packet analyzer can use this to cross-check the UDP Length field, and a mismatch indicates corruption or deliberately crafted traffic.

Checksum: This 16-bit field is used to detect errors over the entire user datagram (header plus data), computed together with a pseudo-header taken from the IP layer (source and destination IP addresses, the protocol number 17 and the UDP length), so a datagram delivered to the wrong host is also caught. In IPv4 the checksum is optional: a sender that does not compute it sets the field to zero, and a computed value of zero is transmitted as all ones (0xFFFF) so that it cannot be mistaken for "no checksum". In IPv6 the checksum is mandatory.

Well-known ports used with UDP
Below is a list of well-known ports that are used with UDP.

Port  Protocol  Description
7     Echo      Echoes a received datagram back to the sender
9     Discard   Discards any datagram that is received
11    Users     Active users
13    Daytime   Returns the date and the time
17    Quote     Returns a quote of the day
19    Chargen   Returns a string of characters
53    Domain    Domain Name Service (DNS)
67    Bootps    Server port to download bootstrap information
68    Bootpc    Client port to download bootstrap information
69    TFTP      Trivial File Transfer Protocol
111   RPC       Remote Procedure Call
123   NTP       Network Time Protocol
161   SNMP      Simple Network Management Protocol
162   SNMP      Simple Network Management Protocol (trap)
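The encapsulation chain described above (frame, IP packet, UDP datagram, data) and the UDP header fields can be seen byte by byte with a small amount of code. The following Python is an added example written for this page; it is not part of the original slides and uses no capture library. It constructs an Ethernet II frame carrying an IPv4/UDP datagram (the MAC addresses, IP addresses, ports and the 4-byte payload are made up for illustration), then parses it layer by layer, recomputes the IPv4 header checksum and the UDP checksum over the pseudo-header, and cross-checks the UDP Length field against the IP total length minus the IP header length.

```python
import struct

# --- Checksum arithmetic shared by IPv4 and UDP (RFC 1071) ---------------------

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data, carries folded back in."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    """One's complement of the one's-complement sum (the value put on the wire)."""
    return (~ones_complement_sum(data)) & 0xFFFF

def udp_checksum(src_ip: bytes, dst_ip: bytes, udp: bytes) -> int:
    """UDP checksum: pseudo-header (addresses, zero byte, protocol 17, UDP length)
    plus the UDP header and data, with the checksum field itself taken as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp))
    csum = checksum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])
    return csum or 0xFFFF                     # RFC 768: computed zero is sent as all ones

# --- Encapsulation: data -> UDP datagram -> IP packet -> Ethernet frame --------

def build_udp_datagram(src_port, dst_port, payload, src_ip, dst_ip) -> bytes:
    length = 8 + len(payload)                 # Length field covers header plus data
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload

def build_ipv4_packet(src_ip, dst_ip, udp: bytes) -> bytes:
    total_len = 20 + len(udp)
    # version 4 / IHL 5 (20 bytes), TOS 0, total length, ID, flags+fragment 0,
    # TTL 64, protocol 17 (UDP), header checksum 0 for now, addresses
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 17, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + udp

def build_ethernet_frame(src_mac, dst_mac, ip: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip   # EtherType 0x0800 = IPv4

# --- Decapsulation: what a packet analyzer does with each captured frame -------

def parse_frame(frame: bytes) -> dict:
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto, src_ip, dst_ip = ip[9], ip[12:16], ip[16:20]
    if checksum(ip[:ihl]) != 0:               # a valid header checksums to zero
        raise ValueError("bad IPv4 header checksum")
    if proto != 17:
        raise ValueError("not UDP")
    # Trust the IP total length, not the frame length: real Ethernet frames are
    # padded to a 60-byte minimum and that padding is not part of the datagram.
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len, udp_csum = struct.unpack("!HHHH", udp[:8])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "src_port": src_port, "dst_port": dst_port, "udp_length": udp_len,
        "udp_length_matches_ip": udp_len == total_len - ihl,
        # zero means the IPv4 sender chose not to checksum; otherwise recompute
        "udp_checksum_ok": udp_csum == 0 or udp_checksum(src_ip, dst_ip, udp) == udp_csum,
        "payload": udp[8:udp_len],
    }

# --- Constructed sample (not a real capture): ephemeral port 49152 -> DNS port 53
SRC_MAC = bytes.fromhex("02000000aa01")       # locally administered, made up
DST_MAC = bytes.fromhex("02000000aa02")
SRC_IP = bytes([192, 168, 1, 10])
DST_IP = bytes([192, 168, 1, 1])
PAYLOAD = b"\xab\xcd\x01\x00"                 # stand-in bytes, not a real DNS query
SAMPLE_FRAME = build_ethernet_frame(
    SRC_MAC, DST_MAC,
    build_ipv4_packet(SRC_IP, DST_IP, build_udp_datagram(49152, 53, PAYLOAD, SRC_IP, DST_IP)))

if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{key:>22}: {value}")
```

The parser deliberately takes the UDP datagram's extent from the IP total length rather than from the end of the frame, and reports the UDP Length cross-check and checksum result separately instead of raising, so that a malformed or crafted datagram is still decoded and can be flagged rather than silently dropped.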