
Saturday, June 2, 2012

Studying and analyzing sniffed packets:


It is important for a system administrator to analyze sniffed packets in order to protect the network from intruders and from the various port scanning techniques, although many tools are available to do this work.
From the attacker's view it is important to analyze these packets for information gathering, predicting sequence numbers, and building malformed packets to get past ACLs and firewalls and for DoS attacks.

Here we go

This tutorial is for educational purposes only.

The sniffed packet looks like this (54 bytes):

44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 28 00 00 40 00 29 06 43 CA C2 01 81
E7 CB 5E FE BE 00 50 04 69 68 04 AE 96 00 14 2A E3 50 11 19 20 42 62 00 00

The entire chunk of data, which totals up to 54 bytes, can be broken down into the following smaller parts:

The MAC address part: this consists of bytes 1 to 14.
The IP address part: this consists of bytes 15 to 34.
The TCP header part: this consists of bytes 35 to 54.

If the captured packet is carrying an ICMP message, then instead of a TCP header part it will contain fields relating to the ICMP protocol.

The MAC address part: the MAC address part consists of bytes 1 to 14 and stores the source and destination MAC addresses of the data transfer as well as the protocol used for the transmission of the data packet.
The MAC address part of the above example is the part that reads as follows:
      44 45 53 54 00 00 20 53 52 43 00 00 08 00

•   The first 6 bytes comprise the source MAC address. In this example, the source MAC address is 44 45 53 54 00 00.
•   The second six bytes comprise the destination MAC address. In this example, the destination MAC address is 20 53 52 43 00 00.
•   The final two bytes stand for the protocol used to transmit that particular packet. In this case the value is 08 00, which indicates that the protocol used to transmit the packet is DOD (IP).

The IP header part:

45 00 00 28 00 00 40 00 29 06 43 CA C2 01 81 E7 CB 5E FE BE

The IP header part consists of bytes 15 to 34 and contains various kinds of information, including the following:
•   IP version: the IP version is revealed in the first byte of the IP header part. The first hex digit (high nibble) is 4, so it is IPv4, and the second hex digit (low nibble) reveals the header length, in this case 5.

•   Type of service: the type of service is indicated by the second byte of the IP header part. In this case the value is 00 in hexadecimal, which is 0 in decimal.

•   IP datagram length: the third and fourth bytes represent the IP datagram length; in this case the values are 00 28.

•   ID number: the fifth and sixth bytes contain the packet's ID number.

•   Fragment offset value: the seventh and eighth bytes represent the fragment offset value. This value is used to keep track of each fragment.

•   Time to live value: the ninth byte represents the packet's TTL value.

•   Type of protocol: the tenth byte contains information about the protocol being used by this particular packet.

•   Checksum value: the eleventh and twelfth bytes hold the checksum value of the packet, which is needed for data integrity. In this example it is 43 CA.

•   Source and destination IP addresses: the final eight bytes represent the source and destination IP addresses, respectively. In this example the source IP address is C2 01 81 E7 and the destination IP address is CB 5E FE BE.

The TCP header part:

00 50 04 69 68 04 AE 96 00 14 2A E3 50 11 19 20 42 62 00 00

•   Source port: the source port is revealed in the first and second bytes of the TCP header part. In this example, the source port is 00 50.
•   Destination port: the destination port is revealed in the third and fourth bytes of the TCP header part.
•   Sequence number: bytes 5 to 8 of the TCP header part reveal the sequence number.
•   ACK number: bytes 9 to 12 of the TCP header part reveal the ACK number.
•   Window size: the window size is revealed in bytes 15 and 16 of the TCP header part.
•   Checksum value: the checksum is revealed in bytes 17 and 18 of the TCP header part.
•   Urgent pointer: the urgent pointer is revealed in bytes 19 and 20 of the TCP header part.
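As an added example (not the post's own code), here is a Python decoder for the 54-byte frame above that splits it into the Ethernet, IP and TCP fields discussed and also recomputes the IP header checksum, which is one quick check for the malformed packets the introduction mentions. It follows the Ethernet II layout, in which the destination MAC precedes the source MAC, and decodes the two TCP bytes (data offset and flags) that the list above does not cover.

```python
import struct

# The 54-byte capture from the post, copied byte for byte (14 Ethernet + 20 IPv4 + 20 TCP).
FRAME_HEX = (
    "44 45 53 54 00 00 20 53 52 43 00 00 08 00"
    " 45 00 00 28 00 00 40 00 29 06 43 CA C2 01 81 E7 CB 5E FE BE"
    " 00 50 04 69 68 04 AE 96 00 14 2A E3 50 11 19 20 42 62 00 00"
)
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; pass the IP header with its checksum field zeroed."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(hex_dump: str) -> dict:
    """Split one Ethernet II / IPv4 / TCP frame into its header fields."""
    raw = bytes.fromhex(hex_dump)
    # Ethernet II: destination MAC, source MAC, EtherType (on the wire the destination comes first).
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4: EtherType 0x%04X" % ethertype)
    # IPv4: version/IHL, TOS, total length, ID, flags+fragment offset, TTL, protocol,
    # header checksum, source address, destination address.
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src_ip, dst_ip = \
        struct.unpack("!BBHHHBBH4s4s", raw[14:34])
    ihl = (ver_ihl & 0x0F) * 4              # IHL is in 32-bit words (5 -> 20 bytes here)
    ip_hdr = raw[14:14 + ihl]
    csum_ok = ip_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == csum
    if proto != 6:
        raise ValueError("not TCP: IP protocol %d" % proto)
    # TCP: ports, sequence, acknowledgement, data offset/reserved, flags, window, checksum,
    # urgent pointer (bytes 13 and 14, which the post does not list, hold the offset and flags).
    sport, dport, seq, ack, off_res, flags, window, tcp_csum, urg = \
        struct.unpack("!HHIIBBHHH", raw[14 + ihl:14 + ihl + 20])
    return {
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "ip_version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_len": total_len,
        "ident": ident, "dont_fragment": bool(flags_frag & 0x4000),
        "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "proto": proto, "ip_checksum_ok": csum_ok,
        "src_ip": ".".join(str(b) for b in src_ip), "dst_ip": ".".join(str(b) for b in dst_ip),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": (off_res >> 4) * 4,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "window": window, "tcp_checksum": tcp_csum, "urgent_ptr": urg,
    }
```

Run `decode_frame(FRAME_HEX)` to get the decoded fields; for this capture the IP checksum 43 CA verifies, the flags decode to FIN+ACK, and the window is 6432.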
