Penetration Testing and Security Analysis
Module 03: TCP/IP Packet Analysis
Copyright © 2004 EC-Council. All rights reserved worldwide. Reproduction is strictly prohibited.
Module Objective
• TCP/IP Model
• Comparing OSI and TCP/IP
• Addressing
• Subnetting
• IPv4 and IPv6
• Windowing
• TCP/IP Protocols
• TCP and UDP Port Numbers
• TCP Operation
• Sequencing Numbers
• UDP Operation
• ICMP and ICMP Control Messages
As a Security Analyst, you must have complete mastery of the TCP/IP protocol suite.
TCP/IP Model
The TCP/IP model has four layers:
• Application layer
• Transport layer
• Internet layer
• Network access layer
Application Layer
The application layer is where the user-facing protocols run. Examples: FTP, rlogin, NFS.
Transport Layer
The transport layer provides transport services from the source host to the destination host.
It constitutes a logical connection between the endpoints of the network: the sending host and the receiving host.
End-to-end control (reliability and flow control) is the primary duty of the transport layer when TCP is used.
Internet Layer
The purpose of the Internet layer is to select the best path through the network for packets to travel (logical addressing and routing).
Network Access Layer
The network access layer combines the functions of the OSI data link and physical layers: framing and delivery of packets on the local medium.
Comparing OSI and TCP/IP
OSI model                 TCP/IP model
Application layer    \
Presentation layer    }   Application layer
Session layer        /
Transport layer           Transport layer
Network layer             Internet layer
Data link layer      \
Physical layer       /    Network access layer
Comparing OSI and TCP/IP (cont'd)
• Both have application layers, though they include very different services.
• TCP/IP combines the OSI presentation and session layers into its application layer.
• TCP/IP combines the OSI data link and physical layers into the network access layer.
• Packet-switched, not circuit-switched, technology is assumed.
• The TCP/IP transport layer, when using UDP, does not guarantee reliable delivery of packets as the transport layer in the OSI model does.
TCP
TCP Header
The TCP header carries the source and destination ports, the sequence and acknowledgment numbers, the header length, the control flags (including SYN and ACK), the window size, the checksum and the urgent pointer, followed by options such as the maximum segment size (MSS).
IP Header: Protocol Field
IP packets carry segments from either a connection-oriented transport protocol (TCP) or a connectionless one (UDP).
The IP header has an 8-bit Protocol field that specifies which transport protocol the payload belongs to: 6 for TCP and 17 for UDP. Other values identify other protocols, for example 1 for ICMP.
UDP
User Datagram Protocol (UDP) is the connectionless transport protocol. Application protocols that run over UDP include:
• TFTP (Trivial File Transfer Protocol).
• SNMP (Simple Network Management Protocol).
• DHCP (Dynamic Host Configuration Protocol).
• DNS (Domain Name System).
TCP and UDP Port Numbers
Port Numbers
Conversations that do not involve an application with a well-known port number are instead assigned port numbers that are selected (on most systems randomly) from within a specific ephemeral range.
These port numbers are used as source and destination addresses in the TCP segment or UDP datagram.
Some ports are reserved in both TCP and UDP, although applications might not be written to support them.
Port Numbers
In the TCP header the 16-bit source port occupies bits 0-15 and the 16-bit destination port bits 16-31 of the first 32-bit word.
IANA
The well-known ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.
The registered ports are listed by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users.
The well-known port range managed by the IANA is 0-1023. Registered ports occupy 1024-49151, and 49152-65535 are the dynamic (private) ports from which ephemeral source ports are drawn.
Source and Destination Port Numbers
Client to server: source port = 1028 (ephemeral), destination port = 23 (telnet).
Server to client: source port = 23 (telnet), destination port = 1028 (the source port of the client).
What Makes Each Connection Unique?
A connection is identified by the combination of:
• Protocol (TCP or UDP)
• Source IP address and source port
• Destination IP address and destination port
together with its connection state, as listed by the netstat command. Two connections from the same host to www.google.com and www.cisco.com differ in destination IP address and in source port.
Note: In actuality, when you open up a single web page, there are usually several TCP sessions created, not just one.
TCP Operation
The transport layer (TCP) is responsible for reliability and flow control from source to destination.
Three-Way Handshake
A TCP segment (application header + data) is carried in an IP packet whose Protocol field is 6; a UDP datagram is carried with Protocol field 17.
The handshake takes three segments: the client sends SYN with its initial sequence number; the server answers SYN+ACK, acknowledging the client's ISN + 1 and supplying its own ISN; the client completes the connection with an ACK of the server's ISN + 1 (see the captured trace under Sequencing Numbers).
Flow Control
TCP provides the mechanism for flow control by allowing the sending and receiving hosts to communicate how much data may be outstanding at a time.
Windowing
Windowing is a flow-control mechanism.
Windowing requires that the source device receive an acknowledgment from the destination after transmitting a certain amount of data.
Windowing and Window Sizes
The window size refers to the number of bytes that can be transmitted before an acknowledgment must be received.
Simple Windowing
TCP window size: TCP uses a window size, in bytes, that the receiver is willing to accept; it is usually controlled by the receiving process.
TCP uses expectational acknowledgments, which means that the acknowledgment number refers to the next byte that the sender of the acknowledgment expects to receive.
Note: The sequence number being sent identifies the first byte of data in that segment.
Simple Windowing (cont’d)
TCP provides full-duplex service, which means data can be flowing in each
direction, independent of the other direction.
Acknowledgement
Sliding Windows
Sliding window algorithms are a method of flow control for network data transfers using the receiver's window size.
The window is divided into octets already sent but not yet ACKed and the usable window, which can be sent ASAP. The sender computes its usable window, that is, up to how much data it can immediately send.
The receiver sends acknowledgments as its TCP receive buffer empties.
Sliding Windows (cont’d)
The terms used to describe the movement of the left and right edges of this
sliding window are:
The left edge closes (moves to the right) when data is sent and
acknowledged.
The right edge opens (moves to the right) allowing more data to
be sent. This happens when the receiver acknowledges a certain
number of bytes received.
The middle edge opens (moves to the right) as data is sent, but not
yet acknowledged.
Sliding window example: Host A (sender), Host B (receiver), window size = 6 octets
Host A begins by sending octets to Host B: octets 1, 2, and 3, and slides its window over, showing it has sent those 3 octets.
Host A will not increase its usable window until it receives an acknowledgment from Host B that it has received some or all of the octets.
Host B, not waiting for all 6 octets to arrive, sends an expectational acknowledgment of "4" to Host A after receiving the third octet.
Note: The left edge closes (moves to the right) when data is sent and acknowledged.
Host A does not have to wait for an acknowledgment from Host B to keep sending data until it has 6 unacknowledged octets outstanding, so it sends octets 4 and 5.
Host A receives ACK 4 and can now slide its window over so that it again spans 6 octets: the octets sent but not yet ACKed (4 and 5) plus the octets that can be sent ASAP (6 through 9).
Note: The right edge opens (moves to the right) allowing more data to be sent. This happens when the receiver acknowledges a certain number of bytes received.
The exchange continues in the same way: Host B replies with ACK 6, Host A sends octets 6 and 7, then 8 and 9, and so on, with the window sliding right each time an acknowledgment arrives.
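To make the edge movements concrete, the following Python replays the figure's exchange with a window of 6 octets and extends it with an out-of-order arrival and a zero-window advertisement. It is an added example, not material from the module; the class and function names are this example's own, and the octet numbers are the constructed ones from the figure.

```python
class SlidingWindowSender:
    """Sender side of a TCP-style sliding window, numbering octets from 1 as the figure does."""

    def __init__(self, window_size: int, first_octet: int = 1):
        self.window = window_size      # receiver-advertised window (octets)
        self.left = first_octet        # left edge: oldest octet sent but not yet ACKed
        self.next = first_octet        # "middle edge": next octet to send

    @property
    def right(self) -> int:            # right edge: first octet beyond the window
        return self.left + self.window

    @property
    def unacked(self) -> int:          # octets sent, not ACKed
        return self.next - self.left

    @property
    def usable(self) -> int:           # octets that can be sent ASAP
        return self.right - self.next

    def send(self, count: int) -> list:
        """Send up to `count` octets without waiting for an ACK; returns the octet numbers sent."""
        count = min(count, self.usable)
        sent = list(range(self.next, self.next + count))
        self.next += count             # middle edge opens
        return sent

    def ack(self, ack_num: int, window_size: int = None) -> None:
        """Process an expectational ACK: ack_num is the next octet the receiver expects."""
        if ack_num > self.next:
            raise ValueError("ACK %d acknowledges data that was never sent" % ack_num)
        if ack_num > self.left:
            self.left = ack_num        # left edge closes
        if window_size is not None:
            self.window = window_size  # right edge opens (or shrinks) with the advertised window


class Receiver:
    """Receiver that buffers out-of-order octets and always ACKs the next octet it still expects."""

    def __init__(self, first_octet: int = 1):
        self.expected = first_octet
        self.buffer = set()

    def receive(self, octets) -> int:
        for octet in octets:
            if octet >= self.expected:
                self.buffer.add(octet)
        while self.expected in self.buffer:     # deliver in-order data, advance the expected octet
            self.buffer.remove(self.expected)
            self.expected += 1
        return self.expected                    # cumulative (expectational) ACK number


def replay_figure() -> list:
    """Replay the figure's exchange (window size 6), then a delayed octet and a zero window.
    Returns (label, left edge, next octet to send, usable window) after each step."""
    a, b = SlidingWindowSender(6), Receiver()
    steps = []
    snap = lambda label: steps.append((label, a.left, a.next, a.usable))
    snap("start")
    a.send(3); snap("A sent octets 1-3")
    ack = b.receive([1, 2, 3])              # B ACKs 4 without waiting for all 6 octets
    a.send(2); snap("A sent 4-5 before ACK 4 arrived")
    a.ack(ack); snap("ACK 4 processed: left edge closes, right edge opens")
    ack = b.receive([4, 5])                 # ACK 6
    a.send(2); a.ack(ack); snap("A sent 6-7, ACK 6 processed")
    a.send(2); snap("A sent 8-9")
    ack = b.receive([7, 6, 9])              # octet 8 delayed: B still ACKs 8 (expectational)
    a.ack(ack); snap("ACK 8: octet 8 not yet at B")
    ack = b.receive([8])                    # gap filled: cumulative ACK jumps to 10
    a.ack(ack, window_size=0); snap("ACK 10 with zero window: sender must stop")
    return steps


if __name__ == "__main__":
    for step in replay_figure():
        print("%-52s left=%2d next=%2d usable=%d" % step)
```

The receiver's cumulative ACK is what makes a single lost octet hold back acknowledgment of everything after it, and the zero-window step is why a sender must honour the advertised window rather than its own buffer size.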
Sequencing Numbers
The receiver can reassemble the data segments in order by following the sequence numbers assigned by the sender.
The sequence number helps the receiver to check whether the data transfer was successful (no bytes missing or duplicated).
The sequence number helps the sender to retransmit exactly the data that was lost or damaged in the transfer.
Sequencing Numbers (cont'd)
Captured three-way handshake (only portions of the TCP headers are displayed):

Packet 1: source: 130.57.20.10  dest.: 130.57.20.1
TCP: ----- TCP header -----
TCP: Source port = 1026
TCP: Destination port = 524
TCP: Initial sequence number = 12952
TCP: Next expected Seq number = 12953
TCP: .... ..1. = SYN
TCP: Window = 8192
TCP: Checksum = 1303 (correct)
TCP: Maximum segment size = 1460 (TCP Option)

Packet 2: source: 130.57.20.1  dest.: 130.57.20.10
TCP: ----- TCP header -----
TCP: Source port = 524
TCP: Destination port = 1026
TCP: Initial sequence number = 2744080
TCP: Next expected Seq number = 2744081
TCP: Acknowledgment number = 12953
TCP: .... ..1. = SYN
TCP: Window = 32768
TCP: Checksum = D3B7 (correct)
TCP: Maximum segment size = 1460 (TCP Option)

Packet 3: source: 130.57.20.10  dest.: 130.57.20.1
TCP: ----- TCP header -----
TCP: Source port = 1026
TCP: Destination port = 524
TCP: Sequence number = 12953
TCP: Next expected Seq number = 12953
TCP: Acknowledgment number = 2744081
TCP: ...1 .... = Acknowledgment
TCP: Window = 8760
TCP: Checksum = 493D (correct)
TCP: No TCP options
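The trace above is the handshake expressed in sequence-number terms. The following Python, added here as an example and not part of the EC-Council module, rebuilds the same three segments from the trace's values (ports 1026/524, ISNs 12952 and 2744080, windows 8192/32768/8760, MSS 1460), wraps them in IPv4 packets whose Protocol field is 6, parses them back, verifies the IP and TCP checksums, extracts the five-tuple discussed under "What Makes Each Connection Unique?", and checks the ISN/acknowledgment arithmetic. The IP identification value, TTL and the helper names are this example's own assumptions.

```python
import struct
from dataclasses import dataclass

FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
IPPROTO_TCP = 6          # value of the IP header Protocol field for TCP (17 would be UDP)

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; a correctly checksummed header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))

def build_tcp_ip(src, dst, sport, dport, seq, ack, flags, window, options=b"", payload=b"", ttl=64):
    """Build an IPv4 packet (Protocol = 6) carrying a TCP segment, with both checksums filled in."""
    options += b"\x00" * (-len(options) % 4)          # options are padded to a 32-bit boundary
    data_offset = 5 + len(options) // 4                 # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0) + options
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000,
                     ttl, IPPROTO_TCP, 0, ip_bytes(src), ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload

@dataclass
class Segment:
    proto: int
    src: str
    dst: str
    ttl: int
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    ip_csum_ok: bool
    tcp_csum_ok: bool
    payload: bytes

    @property
    def five_tuple(self):
        """What makes the connection unique: protocol, source IP and port, destination IP and port."""
        return (self.proto, self.src, self.sport, self.dst, self.dport)

def parse_tcp_ip(pkt: bytes) -> Segment:
    """Decode the IPv4 header, check the Protocol field, then decode and verify the TCP segment."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IPPROTO_TCP:
        raise ValueError("IP Protocol field %d is not TCP (6)" % proto)
    seg = pkt[ihl:total_len]
    sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", seg[:16])
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))   # TCP checksum covers a pseudo-header
    dotted = lambda b: ".".join(str(x) for x in b)
    return Segment(proto, dotted(src), dotted(dst), ttl, sport, dport, seq, ack, flags, window,
                   checksum(pkt[:ihl]) == 0, checksum(pseudo + seg) == 0, seg[(off >> 4) * 4:])

def check_handshake(p1: Segment, p2: Segment, p3: Segment) -> list:
    """Return the problems found in a SYN / SYN-ACK / ACK exchange (an empty list means it is valid)."""
    problems = []
    reverse = (p1.proto, p1.dst, p1.dport, p1.src, p1.sport)
    if not (p1.flags & FLAG_SYN) or (p1.flags & FLAG_ACK):
        problems.append("packet 1 must be SYN only")
    if (p2.flags & (FLAG_SYN | FLAG_ACK)) != (FLAG_SYN | FLAG_ACK) or p2.five_tuple != reverse:
        problems.append("packet 2 must be SYN+ACK on the reversed tuple")
    if p2.ack != (p1.seq + 1) & 0xFFFFFFFF:
        problems.append("packet 2 ACK must equal client ISN + 1")
    if not (p3.flags & FLAG_ACK) or (p3.flags & FLAG_SYN) or p3.five_tuple != p1.five_tuple:
        problems.append("packet 3 must be ACK only on the original tuple")
    if p3.seq != (p1.seq + 1) & 0xFFFFFFFF or p3.ack != (p2.seq + 1) & 0xFFFFFFFF:
        problems.append("packet 3 must carry seq = client ISN + 1 and ACK = server ISN + 1")
    return problems

# Constructed packets reproducing the values in the trace above (not captured bytes).
MSS_1460 = struct.pack("!BBH", 2, 4, 1460)          # TCP option kind 2 (MSS), length 4
SYN = build_tcp_ip("130.57.20.10", "130.57.20.1", 1026, 524, 12952, 0, FLAG_SYN, 8192, MSS_1460)
SYN_ACK = build_tcp_ip("130.57.20.1", "130.57.20.10", 524, 1026, 2744080, 12953,
                       FLAG_SYN | FLAG_ACK, 32768, MSS_1460)
ACK = build_tcp_ip("130.57.20.10", "130.57.20.1", 1026, 524, 12953, 2744081, FLAG_ACK, 8760)

if __name__ == "__main__":
    for pkt in (SYN, SYN_ACK, ACK):
        s = parse_tcp_ip(pkt)
        print(s.five_tuple, "flags=0x%02x seq=%d ack=%d win=%d" % (s.flags, s.seq, s.ack, s.window))
    print("handshake problems:", check_handshake(*map(parse_tcp_ip, (SYN, SYN_ACK, ACK))))
```

The checksum values differ from the sniffer's because this example's IP identification and TTL are constructed, but the sequence and acknowledgment relationships are exactly those in the trace. Feeding a segment whose acknowledgment number is off by even one byte makes `check_handshake` report it, which is the same check a stateful filter or IDS applies before accepting a connection as established.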
Synchronization
For a connection to be established, the two end stations must synchronize with each other's initial TCP sequence numbers (ISNs).
Sequence numbers are used to track the order of packets and to ensure that no packets are lost in transmission.
The initial sequence number is the starting number used when a TCP connection is established.
The exchange of initial sequence numbers during the connection sequence ensures that lost data can be recovered.
Because a third party that can guess a connection's ISN can forge acceptable segments for it, ISNs must be hard to predict.
Positive Acknowledgment and
Retransmission (PAR)
PAR: The source sends a packet, starts a timer, and waits for an
acknowledgment before sending the next packet.
What is Internet Protocol v6 (IPv6)?
IPv6 provides a base for enhanced Internet functionalities.
Why IPv6?
The following factors set the stage for the growth described above:
IPv6 Header
Features of IPv6
• Extension headers
• Security
• Auto-configuration
IPv4/IPv6 Transition Mechanisms
There are three transition mechanisms available to deploy IPv6 on IPv4 networks. The transitions can be used in any combination:
Dual stacks: the host runs both protocols and, based on the address type DNS returns for a name (an IPv4 A record or an IPv6 AAAA record), it uses IPv4 or IPv6.
IPv6 Security Issues
Header manipulation issues: IPsec, together with strict handling of extension headers, can deter some header manipulation-based attacks; extension headers are themselves a common vector for such manipulation.
Security Flaws in IPv6
IPv6 Infrastructure Security
IPsec
IPsec provides:
• Data confidentiality.
• Data integrity.
• Data origin authentication.
• Anti-replay.
Firewalls and Packet Filtering
Firewalls and Packet Filtering (cont'd)
IPv6 firewall usage 1, "Internet-router-firewall-net architecture":
Internet -> Router -> Firewall -> Protected Network
This order is compatible if the firewall is capable of distinguishing IPv6.
IPv6 firewall usage 2, "Internet-firewall-router-net architecture":
Internet -> Firewall -> Router -> Protected Network
This order cannot handle routing protocols properly.
IPv6 firewall usage 3, "Internet-firewall/router (edge device)-net architecture":
Internet -> Firewall + Router -> Protected Network
This order can be powerful for routing and security policy.
Denial-of-Service (DoS) Attacks
DoS SYN Flooding Attack
A DoS SYN flooding attack takes advantage of a flaw in how most hosts implement the TCP three-way handshake.
Normal connection establishment: Host A sends SYN, Host B answers SYN&ACK, and Host A completes the connection with ACK.
When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" for at least 75 seconds.
SYN flooding: a malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host but never replying to the SYN&ACK.
This ability to remove a host from the network for at least 75 seconds can be used as a DoS attack.
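The following Python, an added example and not part of the module, models the listen queue described above rather than sending any traffic: a fixed backlog, half-open entries that expire after the 75-second figure the slide quotes, an attacker whose spoofed SYNs are never completed, and legitimate clients arriving later and retrying after the entries expire. A second function shows the detection side: counting, per time window, the SYNs in a packet log that never saw the client's completing ACK. The backlog size, addresses, ports and log lines are constructed values.

```python
HALF_OPEN_TIMEOUT = 75.0   # seconds a half-open connection stays queued (figure quoted on the slide)


class ListenQueue:
    """Model of a server's listen queue: half-open connections waiting for the handshake's final ACK."""

    def __init__(self, backlog: int):
        self.backlog = backlog
        self.half_open = {}          # (src_ip, src_port) -> time the SYN arrived
        self.dropped = 0
        self.established = 0

    def _expire(self, now: float) -> None:
        for key, arrived in list(self.half_open.items()):
            if now - arrived >= HALF_OPEN_TIMEOUT:
                del self.half_open[key]

    def on_syn(self, src, now: float) -> str:
        self._expire(now)
        if src in self.half_open:
            return "retransmit"
        if len(self.half_open) >= self.backlog:
            self.dropped += 1        # queue full: new SYNs are dropped, legitimate or not
            return "dropped"
        self.half_open[src] = now    # SYN&ACK sent; the entry waits up to HALF_OPEN_TIMEOUT
        return "syn-ack sent"

    def on_ack(self, src, now: float) -> str:
        self._expire(now)
        if src in self.half_open:
            del self.half_open[src]
            self.established += 1
            return "established"
        return "no matching half-open connection"


def simulate(backlog: int, attacker_syns: int, legit_clients: int):
    """Attacker fires SYNs from spoofed sources at t=0 and never completes the handshake;
    legitimate clients connect at t=1..N and retry once the queue entries have expired."""
    q = ListenQueue(backlog)
    for i in range(attacker_syns):
        q.on_syn(("10.0.0.%d" % (i % 250 + 1), 40000 + i), now=0.0)   # constructed spoofed sources
    first_try = []
    for i in range(legit_clients):
        src, t = ("192.0.2.10", 50000 + i), 1.0 + i
        result = q.on_syn(src, now=t)
        if result == "syn-ack sent":
            result = q.on_ack(src, now=t + 0.1)
        first_try.append(result)
    retry_at = HALF_OPEN_TIMEOUT + 5.0       # by now the attacker's entries have timed out
    retry = [q.on_syn(("192.0.2.10", 60000 + i), now=retry_at + i) for i in range(legit_clients)]
    return q, first_try, retry


def half_open_per_window(packets, window: float = 10.0) -> dict:
    """Detection input: a log of (time, src, flags) with flags "S" for SYN and "A" for the client's ACK.
    Returns, per time bucket, how many SYNs were never followed by that client's ACK. A spike of
    half-open attempts from many sources inside one bucket is the SYN-flood signature."""
    pending, counts = {}, {}
    for t, src, flags in sorted(packets):
        if flags == "S":
            pending[src] = t
        elif flags == "A" and src in pending:
            del pending[src]
    for t in pending.values():
        bucket = int(t // window) * window
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    q, first_try, retry = simulate(backlog=128, attacker_syns=128, legit_clients=3)
    print("during flood:", first_try, "| after expiry:", retry, "| dropped:", q.dropped)
```

With a backlog of 128 and 128 never-completed SYNs, every legitimate SYN is dropped until the entries age out, which is the whole attack: the attacker spends one packet per queue slot every 75 seconds. The detector deliberately keys on the absence of the completing ACK rather than on SYN volume alone, since a busy server sees many SYNs that do complete.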
UDP Operation
UDP does not use windowing or acknowledgments, so application-layer protocols must provide their own error detection and recovery (the UDP checksum only detects corruption; nothing is retransmitted).
The Source Port field is optional: it is used only if information needs to be returned to the sending host, and is set to zero otherwise.
IP Header Protocol Field
IP Header (bits 0-15 | bits 16-31)
4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (in bytes)
16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
32-bit Source IP Address
32-bit Destination IP Address
Options (if any, padded to a 32-bit boundary)
Data
Internet Control Message Protocol (ICMP)
Error Reporting and Error Correction
When datagram delivery errors occur, ICMP reports them back to the source of the datagram.
ICMP follows the same technique used by IP to deliver data, so it is subject to the same delivery failures as any IP packet.
This creates a scenario where error reports could generate more error reports.
To prevent that, errors affecting ICMP error messages do not generate their own ICMP messages.
Thus, it is possible to have a datagram delivery error that is never reported back to the sender of the data.
Format of an ICMP Message
Type Field
Type    Name
----    -------------------------
0       Echo Reply
1       Unassigned
2       Unassigned
3       Destination Unreachable
4       Source Quench
5       Redirect
6       Alternate Host Address
7       Unassigned
8       Echo
9       Router Advertisement
10      Router Solicitation
11      Time Exceeded
12      Parameter Problem
13      Timestamp
14      Timestamp Reply
15      Information Request
16      Information Reply
17      Address Mask Request
18      Address Mask Reply
19      Reserved (for Security)
20-29   Reserved (for Robustness Experiment)
30      Traceroute
31      Datagram Conversion Error
32      Mobile Host Redirect
33      IPv6 Where-Are-You
34      IPv6 I-Am-Here
35      Mobile Registration Request
36      Mobile Registration Reply
37      Domain Name Request
38      Domain Name Reply
39      SKIP
40      Photuris
41-255  Reserved
Format of an ICMP Message (cont'd)
Code Field (codes defined for Type 3, Destination Unreachable)
Code    Meaning
----    -------------------------
0       Net Unreachable
1       Host Unreachable
2       Protocol Unreachable
3       Port Unreachable
4       Fragmentation Needed and Don't Fragment was Set
5       Source Route Failed
6       Destination Network Unknown
7       Destination Host Unknown
8       Source Host Isolated
9       Communication with Destination Network is Administratively Prohibited
10      Communication with Destination Host is Administratively Prohibited
11      Destination Network Unreachable for Type of Service
12      Destination Host Unreachable for Type of Service
13      Communication Administratively Prohibited
14      Host Precedence Violation
15      Precedence cutoff in effect
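The following Python, an added example and not part of the module, builds and parses ICMP messages using the type and code tables above: an Echo request, a Destination Unreachable (Port Unreachable) and a Time Exceeded error that quote the offending datagram's IP header and first eight payload bytes, and a Timestamp Reply of the kind used for the transit-time estimate discussed later in this module. The checksum is the standard one's-complement sum over the whole message; the addresses, identifiers, port numbers and timestamp values are constructed, and the helper names are this example's own.

```python
import struct

# Type and code names taken from the tables above (the subset this example decodes).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
              8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
              13: "Timestamp", 14: "Timestamp Reply", 17: "Address Mask Request", 18: "Address Mask Reply"}
UNREACHABLE_CODES = {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
                     3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
                     9: "Communication with Destination Network is Administratively Prohibited",
                     10: "Communication with Destination Host is Administratively Prohibited",
                     13: "Communication Administratively Prohibited"}


def checksum(data: bytes) -> int:
    """One's-complement sum over the whole ICMP message; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Type (8 bits), code (8 bits), checksum (16 bits), 4 type-specific bytes, then the payload."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def echo_request(ident: int, seq: int, data: bytes = b"abcdefgh") -> bytes:
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), data)


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (constructed; header checksum left zero) to quote inside ICMP errors."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, ttl, proto, 0, to_bytes(src), to_bytes(dst))


def parse_icmp(msg: bytes) -> dict:
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    info = {"type": icmp_type, "name": ICMP_TYPES.get(icmp_type, "Unassigned/Reserved"),
            "code": code, "checksum_ok": checksum(msg) == 0}
    if icmp_type in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
        info["data"] = msg[8:]
    elif icmp_type in (3, 4, 5, 11, 12):
        # Error messages quote the offending datagram: its IP header plus the first 8 bytes of its
        # payload, which is enough to recover the transport protocol and ports of the original packet.
        inner = msg[8:]
        ihl = (inner[0] & 0x0F) * 4
        dotted = lambda b: ".".join(str(x) for x in b)
        orig = {"proto": inner[9], "ttl": inner[8], "src": dotted(inner[12:16]), "dst": dotted(inner[16:20])}
        if orig["proto"] in (6, 17) and len(inner) >= ihl + 4:   # TCP or UDP: ports are the first 4 bytes
            orig["sport"], orig["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
        info["original"] = orig
        if icmp_type == 3:
            info["code_name"] = UNREACHABLE_CODES.get(code, "other")
    elif icmp_type in (13, 14):
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
        info["originate"], info["receive"], info["transmit"] = struct.unpack("!III", msg[8:20])
    return info


def transit_estimate_ms(reply: dict) -> int:
    """One-way transit estimate from a Timestamp Reply: receive minus originate (assumes synchronized clocks)."""
    return (reply["receive"] - reply["originate"]) % (1 << 32)


# Constructed sample messages, not captured traffic.
PING = echo_request(0x1234, 1)
PORT_UNREACH = build_icmp(3, 3, payload=ipv4_header("130.57.20.10", "130.57.20.1", 17)
                          + struct.pack("!HHHH", 33434, 33435, 8, 0))        # quoted UDP header
TTL_EXCEEDED = build_icmp(11, 0, payload=ipv4_header("130.57.20.10", "198.51.100.7", 6, ttl=0)
                          + struct.pack("!HHI", 1026, 524, 12952))          # quoted TCP ports + seq
TS_REPLY = build_icmp(14, 0, struct.pack("!HH", 7, 1), struct.pack("!III", 1000, 1030, 1031))

if __name__ == "__main__":
    for name, msg in (("ping", PING), ("unreach", PORT_UNREACH), ("ttl", TTL_EXCEEDED), ("ts", TS_REPLY)):
        print(name, parse_icmp(msg))
```

The quoted inner header is what lets a host match an incoming Destination Unreachable or Time Exceeded to the socket that sent the original datagram; it is also why a forged ICMP error must guess those ports and sequence numbers to be accepted, and why a receiver should check them rather than act on any error message addressed to it.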
Unreachable Networks
• Sending and receiving devices must have the TCP/IP protocol stack properly configured:
  • Proper configuration of IP address and subnet mask.
  • A default gateway must also be configured if datagrams are to travel outside of the local network.
• A router also must have the TCP/IP protocol properly configured on its interfaces, and it must use an appropriate routing protocol.
• If these conditions are not met, then network communication cannot take place.
Unreachable Networks (cont'd)
Examples of problems:
• Sending device may address the datagram to a non-existent IP address.
• Destination device is disconnected from its network.
• Router's connecting interface is down.
• Router does not have the information necessary to find the destination network.
Destination Unreachable Message
If a datagram cannot be forwarded to its destination, ICMP delivers back to the sender a destination unreachable message (Type 3) indicating that the datagram could not be properly forwarded.
ICMP Echo (Request) and Echo Reply
Echo = Type 8
Echo Reply = Type 0
IP Protocol Field = 1
The echo request message is typically initiated using the ping command.
Time Exceeded Message
(The relevant IP header field is the 8-bit Time to Live, TTL.)
As each router processes the datagram, it decreases the TTL value by one.
When the TTL value of the datagram reaches zero, the packet is discarded.
ICMP uses a time exceeded message (Type 11) to notify the source device that the TTL of the datagram has been exceeded. This is the behaviour traceroute relies on to discover each hop on a path.
IP Parameter Problem
Type = 12
Devices that process datagrams may not be able to forward a datagram due to some type of error in the header.
This error does not relate to the state of the destination host or network, but it still prevents the datagram from being processed and delivered.
ICMP Control Messages
Unlike error messages, control messages are not the result of lost packets or error conditions that occur during packet transmission; they carry information about the network itself, for example a notification of network congestion (Source Quench, Type 4).
ICMP Redirects
ICMP Redirect: Type = 5, Code = 0 to 3
A router sends a redirect only when all of the following conditions hold:
• The interface on which the packet comes into the router is the same interface on which the packet gets routed out.
• The subnet/network of the source IP address is the same subnet/network as the next-hop IP address of the routed packet.
• The datagram is not source-routed.
• The route for the redirect is not another ICMP redirect or a default route.
• The router is configured to send redirects.
Because a redirect lets any device on the link change a host's routing table, hosts that accept redirects can have their traffic steered through an attacker; many hardened hosts are configured to ignore them.
Clock Synchronization and Transit Time Estimation
ICMP Timestamp Request/Reply: Type = 13 or 14
The TCP/IP protocol suite allows systems to connect to one another over vast distances through multiple networks.
Each of these individual networks provides clock synchronization in its own way.
As a result, hosts on different networks that are trying to communicate using software that requires time synchronization can sometimes encounter problems.
The ICMP timestamp message type is designed to help alleviate this problem.
The ICMP timestamp request message allows a host to ask for the current time according to the remote host.
The remote host uses an ICMP timestamp reply message to respond to the request.
Clock Synchronization and Transit Time Estimation (cont'd)
A timestamp message carries three 32-bit timestamps: the originate timestamp (set by the requester when the request is sent), the receive timestamp (set by the remote host when the request arrives) and the transmit timestamp (set by the remote host when the reply is sent).
Using these three timestamps, the host can estimate transit time across the network by subtracting the originate time from the receive time.
It is only an estimate, however, as true transit time can vary widely based on traffic and congestion on the network, and the two hosts' clocks are not necessarily aligned.
The host that originated the timestamp request can also estimate the local time on the remote computer.
While ICMP timestamp messages provide a simple way to estimate time on a remote host and total network transit time, this is not the best way to obtain this information.
Instead, more robust protocols such as Network Time Protocol (NTP) at the upper layers of the TCP/IP protocol stack perform clock synchronization in a more reliable manner.
Information Requests and Reply Message Formats
ICMP Information Request/Reply: Type = 15 or 16
Address Masks
ICMP Address Mask Request/Reply
Type = 17 or 18
Router Solicitation and Advertisement
ICMP Router Solicitation: Type = 10
ICMP Router Advertisement: Type = 9
When a host on the network boots and has not been manually configured with a default gateway, it can learn of available routers through the process of router discovery.
Summary
In this module, we reviewed advanced techniques for TCP/IP packet analysis.
We have discussed TCP/IP protocols, TCP and UDP port numbers, TCP and UDP operation, sequencing numbers, and ICMP and ICMP control messages.