You are on page 1of 2

UDP Header DNS

Bit Number
1111111111222222222233
Bit Number
1 1 1 1 1 1
TCP/IP and
01234567890123456789012345678901 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 tcpdump
Source Port Destination Port LENGTH (TCP ONLY)
Length Checksum ID. POCKET REFERENCE GUIDE
QR Opcode AA TC RD RA Z RCODE SANS Institute
UDP Header Information QDCOUNT incidents@sans.org
Common UDP Well-Known Server Ports +1 317.580.9756
7 echo 138 netbios-dgm ANCOUNT http://www.sans.org
19 chargen 161 snmp http://www.incidents.org
NSCOUNT
37 time 162 snmp-trap
53 domain 500 isakmp ARCOUNT
67 bootps (DHCP) 514 syslog tcpdump Usage
68 bootpc (DHCP) 520 rip Question Section
69 tftp 33434 traceroute
Answer Section tcpdump [-aenStvx] [-F file]
137 netbios-ns
[-i int] [-r file] [-s snaplen]
Authority Section
Length [-w file] ['filter_expression']
(Number of bytes in entire datagram including header; Additional Information Section
minimum value = 8) -e Display data link header.
-F Filter expression in file.
Checksum DNS Parameters
-i Listen on int interface.
(Covers pseudo-header and entire UDP datagram)
Query/Response -n Don't resolve IP addresses.
0 Query -r Read packets from file.
ARP 1 Response
-s Get snaplen bytes from each packet.
Opcode -S Use absolute TCP sequence numbers.
Bit Number
0 Standard query (QUERY) -t Don't print timestamp.
1111111111222222222233 1 Inverse query (IQUERY)
2 Server status request (STATUS)
-v Verbose mode.
01234567890123456789012345678901 -w Write packets to file.
AA
Hardware Address Type Protocol Address Type -x Display in hex.
(1 = Authoritative Answer)
-X Display in hex and ASCII.
H/w Addr Len Prot. Addr Len Operation TC
(1 = TrunCation)
Source Hardware Address
RD Acronyms
Source Hardware Addr (cont.) Source Protocol Address (1 = Recursion Desired)
AH Authentication Header (RFC 2402) ISAKMP Internet Security Association & Key Management
RA
Source Protocol Addr (cont.) Target Hardware Address ARP Address Resolution Protocol (RFC 826) Protocol (RFC 2408)
(1 = Recursion Available)
BGP Border Gateway Protocol (RFC 1771) L2TP Layer 2 Tunneling Protocol (RFC 2661)
Target Hardware Address (cont.) Z CWR Congestion Window Reduced (RFC 2481) NNTP Network News Transfer Protocol (RFC 977)
Target Protocol Address (Reserved; set to 0) DF Don't Fragment bit (IP) OSPF Open Shortest Path First (RFC 1583)
Response code DHCP Dynamic Host Configuration Protocol (RFC 2131) POP3 Post Office Protocol v3 (RFC 1460)
ARP Parameters (for Ethernet and IPv4) 0 No error DNS Domain Name System (RFC 1035) RFC Request for Comments
1 Format error ECN Explicit Congestion Notification (RFC 3168) RIP Routing Information Protocol (RFC 2453)
Hardware Address Type 2 Server failure
1 Ethernet
EIGRP Extended IGRP (Cisco) LDAP Lightweight Directory Access Protocol (RFC 2251)
3 Non-existant domain (NXDOMAIN)
6 IEEE 802 LAN ESP Encapsulating Security Payload (RFC 2406) SKIP Simple Key-Management for Internet Protocols
4 Query type not implemented
FTP File Transfer Protocol (RFC 959) SMTP Simple Mail Transfer Protocol (RFC 821)
Protocol Address Type 5 Query refused
GRE Generic Routing Encapsulation (RFC 2784) SNMP Simple Network Management Protocol (RFC 1157)
2048 IPv4 (0x0800) QDCOUNT HTTP Hypertext Transfer Protocol (RFC 1945) SSH Secure Shell
Hardware Address Length (No. of entries in Question section) ICMP Internet Control Message Protocol (RFC 792) SSL Secure Sockets Layer (Netscape)
6 for Ethernet/IEEE 802 ANCOUNT
IGMP Internet Group Management Protocol (RFC 2236) TCP Transmission Control Protocol (RFC 793)
(No. of resource records in Answer section)
Protocol Address Length IGRP Interior Gateway Routing Protocol (Cisco) TFTP Trivial File Transfer Protocol (RFC 1350)
4 for IPv4 NSCOUNT IMAP Internet Message Access Protocol (RFC 2060) TOS Type of Service field (IP)
(No. of name server resource records in Authority section) IP Internet Protocol (RFC 791) UDP User Datagram Protocol (RFC 768)
Operation
1 Request ARCOUNT All RFCs can be found at http://www.rfc-editor.org
2 Reply (No. of resource records in Additional Information section.
©SANS Institute May 2006
ICMP IP Header TCP Header
Bit Number Bit Number Bit Number
1111111111222222222233 1111111111222222222233 1111111111222222222233
01234567890123456789012345678901 01234567890123456789012345678901 01234567890123456789012345678901
Type Code Checksum Version IHL Type of Service Total Length Source Port Destination Port
Other message-specific information... Identification Flags Fragment Offset Sequence Number
Time to Live Protocol Header Checksum Acknowledgment Number
Type Name/Codes (Code=0 unless otherwise specified)
Source Address Offset Reserved Flags Window
0 Echo Reply (Header Length)
3 Destination Unreachable Destination Address Checksum Urgent Pointer
0 Net Unreachable
1 Host Unreachable Options (optional) Options (optional)
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation Needed & DF Set
IP Header Contents TCP Header Contents
5 Source Route Failed Version Common TCP Well-Known Server Ports
6 Destination Network Unknown 4 IP version 4 7 echo 110 pop3
7 Destination Host Unknown Internet Header Length 19 chargen 111 sunrpc
8 Source Host Isolated Number of 32-bit words in IP header; minimum 20 ftp-data 119 nntp
9 Network Administratively Prohibited value = 5 (20 bytes) & maximum value = 15 (60 bytes) 21 ftp-control 139 netbios-ssn
10 Host Administratively Prohibited 22 ssh 143 imap
11 Network Unreachable for TOS Type of Service (PreDTRCx) --> Differentiated Services 23 telnet 179 bgp
12 Host Unreachable for TOS Precedence (000-111) 000 25 smtp 389 ldap
13 Communication Administratively Prohibited D (1 = minimize delay) 0 53 domain 443 https (ssl)
4 Source Quench T (1 = maximize throughout) 0 79 finger 445 microsoft-ds
5 Redirect R (1 = maximize reliability) 0 80 http 1080 socks
0 Redirect Datagram for the Network C (1 = minimize cost) 1 = ECN capable
1 Redirect Datagram for the Host x (reserved and set to 0) 1 = congestion experienced Offset
2 Redirect Datagram for the TOS & Network Total Length Number of 32-bit words in TCP header; minimum value = 5
3 Redirect Datagram for the TOS & Host Number of bytes in packet; maximum length = 65,535
Reserved
8 Echo Flags (xDM) 4 bits; set to 0
9 Router Advertisement x (reserved and set to 0)
10 Router Selection D (1 = Don't Fragment) Flags (CEUAPRSF)
11 Time Exceeded M (1 = More Fragments)
0 Time to Live exceeded in Transit ECN bits (used when ECN employed; else 00)
1 Fragment Reassembly Time Exceeded Fragment Offset CWR (1 = sender has cut congestion window in half)
12 Parameter Problem Position of this fragment in the original datagram, ECN-Echo (1 = receiver cuts congestion window in half)
0 Pointer indicates the error in units of 8 bytes
U (1 = Urgent pointer valid)
1 Missing a Required Option Protocol A (1 = Acknowledgement field value valid)
2 Bad Length 1 ICMP 17 UDP 57 SKIP P (1 = Push data)
13 Timestamp 2 IGMP 47 GRE 88 EIGRP R (1 = Reset connection)
14 Timestamp Reply 6 TCP 50 ESP 89 OSPF S (1 = Synchronize sequence numbers)
15 Information Request 9 IGRP 51 AH 115 L2TP F (1 = no more data; Finish connection)
16 Information Reply
Header Checksum
17 Address Mask Request Checksum
Covers IP header only
18 Address Mask Reply Covers pseudoheader and entire TCP segment
30 Traceroute Addressing
NET_ID RFC 1918 PRIVATE ADDRESSES Urgent Pointer
0-127 Class A 10.0.0.0-10.255.255.255 Points to the sequence number of the byte
128-191 Class B 172.16.0.0-172.31.255.255 following urgent data.
PING (Echo/Echo Reply) 192-223 Class C 192.168.0.0-192.168.255.255
Bit Number 224-239 Class D (multicast) Options
240-255 Class E (experimental) 0 End of Options list 3 Window scale
1111111111222222222233 HOST_ID 1 No operation (pad) 4 Selective ACK ok
01234567890123456789012345678901 0 Network value; broadcast (old) 2 Maximum segment size 8 Timestamp
255 Broadcast
Type (8 or 0) Code (0) Checksum
Options (0-40 bytes; padded to 4-byte boundary)
Identifier Sequence Number 0 End of Options list 68 Timestamp
1 No operation (pad) 131 Loose source route
Data... 7 Record route 137 Strict source route