Packet Analysis with Wireshark

Packet Analysis with Wireshark ARP, IP, TCP, UDP, ICMP Kyu Hyun Choi

Wireshark? Free and open-source network packet analyzer for Unix, Linux, Windows, OS X, BSD, Solaris and so on. https://www.wireshark.org/

What can we do with Wireshark
- Network troubleshooting, analysis
- Software and communications protocol development
- Education
- Hacking!

Getting Started Download and install wireshark

Select Device

Start live capture [screenshot annotations: captured network packet list; analyzed information about the packet; packet raw data]

ARP Address Resolution Protocol
Telecommunication protocol used for resolution of network layer addresses into link layer addresses, i.e. converting an IP address to a physical address (such as a MAC address)

ARP – Packet structure The length of the address fields is determined by the corresponding address length fields

ARP – Packet structure
- Hardware type (HTYPE): specifies the network link protocol type, e.g. Ethernet = 1
- Protocol type (PTYPE): specifies the internet protocol for which the ARP request is intended. For IPv4, this has the value 0x0800
- Hardware address length (HLEN): length of a hardware address. Ethernet address size is 6.
- Protocol address length (PLEN): length of addresses used in the upper layer protocol (specified in PTYPE). IPv4 address size is 4.

ARP – Packet structure
- Operation code: specifies the operation that the sender is performing. 1 for request, 2 for reply
- Sender hardware address (SHA): ARP request → the address of the host sending the request; ARP reply → the address of the host that the request was looking for
- Sender protocol address (SPA): internetwork address of the sender
- Target hardware address (THA): ARP request → ignored; ARP reply → the address of the host that originated the ARP request
- Target protocol address (TPA): internetwork address of the intended receiver
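The packet structure described on the two slides above, as an added example that is not part of the original slides: a parser that takes the address field widths from HLEN and PLEN (as the "Packet structure" slide notes, the lengths are determined by those fields rather than assumed), refuses truncated packets, and a builder for Ethernet/IPv4 ARP used to produce the sample request. The MAC and IP addresses in the usage are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

ARP_OPS = {1: "request", 2: "reply"}          # operation codes from the slide


def parse_arp(pkt: bytes) -> dict:
    """Parse an ARP packet; SHA/SPA/THA/TPA widths come from HLEN and PLEN."""
    if len(pkt) < 8:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[:8])
    need = 8 + 2 * (hlen + plen)              # four address fields follow the header
    if len(pkt) < need:
        raise ValueError(f"ARP packet needs {need} bytes, got {len(pkt)}")
    body = pkt[8:need]
    cuts = [0, hlen, hlen + plen, 2 * hlen + plen, 2 * (hlen + plen)]
    sha, spa, tha, tpa = (body[cuts[i]:cuts[i + 1]] for i in range(4))

    def fmt_hw(b: bytes) -> str:
        return ":".join(f"{x:02x}" for x in b)

    def fmt_proto(b: bytes) -> str:
        # Dotted quad only when PTYPE says IPv4 and PLEN agrees; otherwise raw hex.
        return str(IPv4Address(b)) if (ptype == 0x0800 and plen == 4) else fmt_hw(b)

    return {
        "htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen,
        "operation": ARP_OPS.get(oper, f"unknown({oper})"),
        "sha": fmt_hw(sha), "spa": fmt_proto(spa),
        "tha": fmt_hw(tha), "tpa": fmt_proto(tpa),
    }


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet/IPv4 ARP packet: HTYPE 1, PTYPE 0x0800, HLEN 6, PLEN 4."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + IPv4Address(spa).packed
            + mac(tha) + IPv4Address(tpa).packed)


if __name__ == "__main__":
    # Constructed sample: who has 192.168.0.2? tell 192.168.0.1 (THA is ignored in a request).
    req = build_arp(1, "02:00:00:00:00:01", "192.168.0.1", "00:00:00:00:00:00", "192.168.0.2")
    print(parse_arp(req))
```

Because the parser trusts HLEN and PLEN only after checking that the packet is long enough to hold all four address fields, a short or malformed packet raises instead of silently yielding misaligned addresses.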

IP Internet Protocol
Unique global address for a network interface. An IP address:
- is a 32 bit long identifier (IPv4)
- encodes a network number and a host number

Network prefix and host number
- The network prefix identifies a network
- The host number identifies a specific host
How do we know how long the network prefix is? The network prefix is indicated by a netmask, e.g. 255.255.255.0 → the network prefix is the first 3 bytes, and the last byte is the host number
Notation: 163.152.73.70/24 → the network prefix is 24 bits long
[figure: network prefix | host number]

IP datagram format

IP header fields
- ver: IP protocol version number
- head. len: header length (bytes)
- type of service: "type" of data
- length: total datagram length (bytes)
- 16-bit identifier, flags, fragment offset: for fragmentation / reassembly
- time to live: max number of remaining hops (decremented at each router)
- upper layer: upper layer protocol to deliver payload to
- header checksum: protects the header of IP data packets against data corruption
- 32 bit source IP address
- 32 bit destination IP address
- Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
- Data (typically a TCP or UDP segment)

IP header Analysis with Wireshark
IP is in the Network Layer, so IP packets are preceded by lower layer protocol headers. The first 12 bytes shown are the Ethernet header's source and destination MAC addresses.

IP header Analysis with Wireshark
IPv4 header fields: 20 bytes
- 0x45 = 0100 0101 → 0100 = 4 (Version: 4); 0101 = 5 (header length: 5 × 4 B (1 word) = 20 B)
- 0x00 = 0000 0000 → Type of service: nothing special

IP header Analysis with Wireshark
- 0x05dc = 1500 → Total length
- 0xf146 = 61766 → Identification
- 0x40 = 010 00000 → 010: flag bit vector (Reserved bit)(Don't fragment)(More fragments); 00000: fragment offset
- 0x2e = 46 → Time To Live

IP header Analysis with Wireshark
- 0x06 = 6 (TCP) → upper layer protocol is TCP
- 0xcdb9 → Checksum
- 0x3a7860c5 = 58.120.96.197 → Source IP
- 0xa3984946 = 163.152.73.70 → Destination IP

IP Checksum calculation
- Divide the IP header into 2-byte segments
- Assume that the checksum bytes are 0x0000
- Add all 2-byte segments; the sum is 0x00033243 in this case
- Add the carries to the lower 2 bytes of the sum: 0x0003 + 0x3243 = 0x3246
- Take the 1's complement: 0x3246 = 0011 0010 0100 0110 → 1100 1101 1011 1001 = 0xcdb9
Profit!!!
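The header walk-through on the slides above, from the 0x45 byte through the checksum arithmetic, as an added worked example that is not part of the original slides. The 20 header bytes are assembled here from the values the slides decode; only the first flags/fragment byte (0x40) is shown on the slides, so the second is assumed to be 0x00 (fragment offset 0), which is the value under which the sum comes out to the slides' 0xcdb9. The checksum routine follows the slides' procedure (zero the field, add 16-bit words, fold the carries, complement), and the parser then does what a receiver does: it recomputes and compares, and it also runs the sum over the header with the checksum field left in, which must give zero.

```python
import struct
from ipaddress import IPv4Address

# Header bytes assembled from the slides' decoded values (constructed here, not a capture file).
# Second flags/fragment byte assumed 0x00 (offset 0); the slides show only the 0x40 byte.
IP_HEADER = bytes.fromhex("4500 05dc f146 4000 2e06 cdb9 3a78 60c5 a398 4946")


def internet_checksum(data: bytes) -> int:
    """The slides' procedure: add 16-bit words, fold carries into the low 16 bits, complement."""
    if len(data) % 2:
        data += b"\x00"                      # an odd trailing byte is padded for the sum
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(buf: bytes) -> dict:
    """Decode the IPv4 header fields the slides walk through and verify the header checksum."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes (IHL is in 32-bit words)
    if version != 4 or ihl < 20 or ihl > len(buf):
        raise ValueError("not a well-formed IPv4 header")
    header = buf[:ihl]
    # Sender-side computation: checksum field treated as 0x0000.
    computed = internet_checksum(header[:10] + b"\x00\x00" + header[12:])
    # Receiver-side check: summing the header with the field included must give zero.
    received_ok = internet_checksum(header) == 0
    return {
        "version": version,
        "header_len": ihl,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is stored in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "checksum": hdr_csum,
        "computed_checksum": computed,
        "checksum_ok": computed == hdr_csum and received_ok,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }


if __name__ == "__main__":
    for name, value in parse_ipv4_header(IP_HEADER).items():
        print(f"{name:>18}: {value}")
```

The same routine verifies any captured header: flip one byte of the address fields and `checksum_ok` becomes False, while a header whose checksum field is already correct sums to zero, which is exactly the test a router or host applies before forwarding.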

Transport Layer Protocols
TCP – Transmission Control Protocol
- Stream oriented
- Reliable, connection-oriented
- Complex
- Only unicast
- Used for most internet applications: Web (http), email (smtp), file transfer (ftp), terminal (telnet), etc.
UDP – User Datagram Protocol
- Datagram oriented
- Unreliable, connectionless
- Simple
- Unicast and multicast
- Useful only for a few applications, e.g. multimedia applications
- Used a lot for services: network management (SNMP), routing (RIP), naming (DNS), etc.

TCP Transmission Control Protocol
- TCP is a connection-oriented protocol: it creates a virtual connection between two TCPs to send data
- Uses flow and error control mechanisms at the transport layer
- Provides a reliable unicast end-to-end byte stream over an unreliable internetwork

TCP header format

TCP header fields
Port Number: a port number identifies the endpoint of a connection (process). A pair <IP address, port number> identifies one endpoint of a connection.

TCP header fields
Sequence Number (Seq):
- The sequence number is 32 bits long, so the range of sequence numbers is 0 ≤ seq ≤ 2^32 − 1
- Each sequence number identifies a byte in the byte stream
- The Initial Sequence Number (ISN) of a connection is set during connection establishment

TCP header fields
Acknowledgement Number (Ack):
- Acknowledgements are piggybacked, i.e. a segment from A → B can contain an acknowledgement for data sent in the B → A direction
- A host uses the Ack field to send acknowledgements
- If a host sends an Ack in a segment it sets the ACK flag
- The Ack contains the next Seq that a host wants to receive, e.g. the acknowledgement for a segment with Seq 0-1500 is Ack=1501

TCP header fields - Flags

TCP header fields
- Window Size: each side of the connection advertises its window size. The window size is the maximum number of bytes that a receiver can accept. Maximum window size is 2^16 − 1 = 65535 bytes
- TCP checksum: covers both the TCP header and the TCP data
- Urgent Pointer: only valid if the URG flag is set

TCP header analysis with Wireshark

TCP header analysis with Wireshark
- 0x0050 = 80 → Source port
- 0x1f53 = 8019 → Destination port

TCP header analysis with Wireshark
- 0xbe7c79b6 → Sequence number
- 0xf4b7bd42 → Ack number
- 0x5 = 5 → Header length: 5 × 4 bytes (1 word) = 20 bytes

TCP header analysis with Wireshark
- 0x010 → Flags bit vector: Acknowledgment (ACK) set
- 0x0036 → Window size
- 0x26fb → Checksum
- 0x0000 → Urgent pointer
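The three TCP analysis slides above, as an added example that is not part of the original slides: the 20 header bytes are assembled here from the values the slides decode (ports 0x0050 and 0x1f53, the sequence and acknowledgement numbers, 0x5010, 0x0036, 0x26fb, 0x0000), the parser turns the data offset into a byte count and the flags word into names, and `expected_ack` applies the rule from the acknowledgement slide (the Ack carries the next Seq the host wants) while also handling two details the slides do not cover: the 32-bit wraparound and the one sequence number that SYN and FIN each consume.

```python
import struct

# Header bytes assembled from the slides' decoded values (constructed, not a capture file).
TCP_HEADER = bytes.fromhex("0050 1f53 be7c 79b6 f4b7 bd42 5010 0036 26fb 0000")

# Flag bits in the low 9 bits of the data-offset/flags word.
TCP_FLAGS = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
             (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"),
             (0x100, "NS")]


def parse_tcp_header(buf: bytes) -> dict:
    """Decode the fixed TCP header; the data offset says where options end and payload starts."""
    if len(buf) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags,
     window, csum, urg) = struct.unpack("!HHIIHHHH", buf[:20])
    header_len = (off_flags >> 12) * 4           # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(buf):
        raise ValueError("bad data offset")
    flag_bits = off_flags & 0x01FF
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": [name for bit, name in TCP_FLAGS if flag_bits & bit],
        "window": window, "checksum": csum, "urgent_ptr": urg,
        "options": buf[20:header_len],
        "payload": buf[header_len:],
    }


def expected_ack(seq: int, payload_len: int, flags) -> int:
    """Next sequence number the receiver should acknowledge for a segment it got.

    SYN and FIN each occupy one sequence number although they carry no data,
    and sequence numbers wrap modulo 2**32.
    """
    consumed = payload_len + ("SYN" in flags) + ("FIN" in flags)
    return (seq + consumed) & 0xFFFFFFFF


if __name__ == "__main__":
    seg = parse_tcp_header(TCP_HEADER)
    print(seg)
    print("peer should answer with Ack =", hex(expected_ack(seg["seq"], len(seg["payload"]), seg["flags"])))
```

The flag list is what Wireshark's "Flags: 0x010 (ACK)" line shows; a segment with several bits set (for example SYN and ACK during the handshake) yields both names.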

UDP User Datagram Protocol
- Connectionless, unreliable transport protocol
- UDP merely extends the host-to-host delivery service of IP datagrams to a process-to-process service
- The only thing that UDP adds is multiplexing and demultiplexing

UDP format

UDP header fields
- Port numbers identify sending and receiving processes
- Total length is at least 8 bytes (i.e. the Data field can be empty) and at most 65,535
- Checksum covers the UDP header together with some of the IP header fields (the pseudoheader)

Checksum Calculation

Checksum Calculation

UDP header analysis with Wireshark
The Ethernet header and IPv4 header precede the UDP header
- 0xc93f → Source port: 51519
- 0x079b → Destination port: 1947
- 0x0030 → Length: 48 B (header + data)
- 0xdb48 → Checksum

ICMP Internet Control Message Protocol
Used by hosts & routers to communicate network-level information
- Error reporting: unreachable host, network, port, protocol
- Echo request/reply (used by ping)
Network layer, above IP: ICMP messages are carried in IP datagrams

Type  Code  Description
0     0     echo reply (ping)
3     0     dest. network unreachable
3     1     dest. host unreachable
3     2     dest. protocol unreachable
3     3     dest. port unreachable
3     6     dest. network unknown
3     7     dest. host unknown
4     0     source quench (congestion control - not used)
8     0     echo request (ping)
9     0     route advertisement
10    0     router discovery
11    0     TTL expired
12    0     bad IP header

ICMP Format
- 4 byte header
  - Type (1 byte): type of ICMP message
  - Code (1 byte): subtype of ICMP message
  - Checksum (2 bytes): similar to the IP header checksum, but calculated over the entire ICMP message
- If there is no additional data, there are 4 bytes set to zero
- Each ICMP message is at least 8 bytes long

ICMP in TCP/IP
Special-purpose message mechanism added to the TCP/IP protocols. ICMP is a network layer protocol, but its messages are first encapsulated into IP datagrams.

ICMP header analysis with Wireshark

ICMP header analysis with Wireshark
- 0x08 → Type: 8
- 0x00 → Code: 0 → Echo (ping) request
- 0x4d53 → Checksum
- 0x0001 0008 → Additional information, the identifier in this case; Wireshark shows it in two forms, big endian and little endian
- The remaining bytes are data
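The two checksum scopes described on the UDP slides (header plus pseudoheader) and the ICMP slides (the entire message), as one added example that is not part of the original slides. The UDP part builds and verifies a datagram using the ports from the UDP analysis slide with constructed addresses 10.0.0.1/10.0.0.2 and a constructed payload; the slide's own checksum 0xdb48 cannot be reproduced because its payload is not shown. The ICMP part builds an echo request with identifier 1 and sequence 8 (the 0x0001 0008 bytes of the analysis slide, laid out as identifier then sequence number per the RFC 792 echo format) and shows the identifier both big- and little-endian, as Wireshark does. The type/code descriptions are the slide's table; the checksum helper is the same ones'-complement sum as for the IP header.

```python
import struct
from ipaddress import IPv4Address


def internet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, complemented (same arithmetic as the IP header)."""
    if len(data) % 2:
        data += b"\x00"                      # odd-length messages are padded for the sum only
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudoheader(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    # IPv4 pseudoheader: source, destination, zero byte, protocol 17 (UDP), UDP length.
    return struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                       IPv4Address(dst_ip).packed, 0, 17, udp_len)


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP datagram; the checksum covers pseudoheader + UDP header + payload."""
    length = 8 + len(payload)
    datagram = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = internet_checksum(_pseudoheader(src_ip, dst_ip, length) + datagram)
    csum = csum or 0xFFFF                    # RFC 768: a computed zero is transmitted as all ones
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """True if the datagram is well formed and its checksum matches the addresses it arrived with."""
    if len(datagram) < 8:
        return False
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):              # the length field must match what was received
        return False
    if csum == 0:
        return True                          # an IPv4 sender may omit the UDP checksum
    return internet_checksum(_pseudoheader(src_ip, dst_ip, length) + datagram) == 0


# Type/code descriptions from the slide's ICMP table.
ICMP_TYPES = {
    (0, 0): "echo reply (ping)", (3, 0): "dest. network unreachable",
    (3, 1): "dest. host unreachable", (3, 2): "dest. protocol unreachable",
    (3, 3): "dest. port unreachable", (3, 6): "dest. network unknown",
    (3, 7): "dest. host unknown", (4, 0): "source quench",
    (8, 0): "echo request (ping)", (9, 0): "route advertisement",
    (10, 0): "router discovery", (11, 0): "TTL expired", (12, 0): "bad IP header",
}


def build_icmp_echo(ident: int, seq: int, payload: bytes, icmp_type: int = 8) -> bytes:
    """Echo request (type 8) or reply (type 0); the checksum covers the entire message."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte ICMP header and show identifier/sequence both ways, as Wireshark does."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {
        "type": icmp_type, "code": code,
        "description": ICMP_TYPES.get((icmp_type, code), "unknown"),
        "checksum": csum,
        "checksum_ok": internet_checksum(msg) == 0,   # whole message, checksum field included
        "id_be": ident, "id_le": int.from_bytes(msg[4:6], "little"),
        "seq_be": seq, "seq_le": int.from_bytes(msg[6:8], "little"),
        "data": msg[8:],
    }


if __name__ == "__main__":
    d = build_udp("10.0.0.1", "10.0.0.2", 51519, 1947, b"ping")   # constructed sample
    print("udp checksum 0x%04x, valid: %s" % (int.from_bytes(d[6:8], "big"),
                                               verify_udp("10.0.0.1", "10.0.0.2", d)))
    print(parse_icmp(build_icmp_echo(1, 8, b"abcdefgh")))         # constructed sample
```

Because the UDP sum includes the pseudoheader, the same datagram fails verification if it is checked against a different source or destination address, which is what ties a UDP checksum to the IP addresses it was sent with; the ICMP sum has no such binding and simply covers every byte of the message.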