ECSAv4 Module 03: TCP/IP Packet Analysis
All Rights Reserved. Reproduction is Strictly Prohibited.
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Internet Layer
The purpose of the Internet layer is to select the best path through the network for packets to travel.
Figure: Internet layer protocols: Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP).
layer in the OSI model does.
TCP
Transmission Control Protocol (TCP) is a connection-oriented Layer 4 protocol.
It is responsible for breaking messages into segments, reassembling them at the destination station, and resending anything that is not received.
The protocols that use TCP include:
• FTP (File Transfer Protocol).
• HTTP (Hypertext Transfer Protocol).
• SMTP (Simple Mail Transfer Protocol).
• Telnet.
• DNS (Domain Name System).
TCP and UDP Port Numbers
Both TCP and UDP use port (socket) numbers to pass information to the upper layers.
Port numbers are used to keep track of different conversations crossing the network at the same time.
Port numbers have the following assigned ranges:
• Numbers below 1024 are considered well-known port numbers.
• Numbers above 1024 are dynamically assigned port numbers.
• Registered port numbers are those registered for vendor-specific applications.
Port Numbers
Conversations that do not involve an application with a well-known port number are, instead, assigned port numbers that are randomly selected from within a specific range.
These port numbers are used as source and destination addresses in the TCP segment.
Some ports are reserved in both TCP and UDP, although applications might not be written to support them.
Port numbers have the following assigned ranges:
• Numbers below 255 are reserved for public applications.
• Numbers from 255-1023 are assigned to companies for marketable applications.
IANA
The well-known ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.
The registered ports are listed by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users.
The IANA registers uses of these ports as a convenience to the community.
The range for assigned ports managed by the IANA is 0-1023.
Figure: example TCP segment with Source Port = 23 (telnet).
What Makes Each Connection Unique?
A connection is defined by the pair of numbers:
• Source IP address, source port
• Destination IP address, destination port
Different connections can use the same destination port on the server host as long as the source ports or source IPs are different.
use of bandwidth.
Simple Windowing (cont’d)
TCP window size:
TCP uses a window size, a number of bytes, that the receiver is willing to accept; it is usually controlled by the receiving process.
TCP uses expectational acknowledgments, which means that the acknowledgment number refers to the next byte that the sender of the acknowledgement expects to receive.
A larger window size allows more data to be transmitted pending acknowledgment.
Note: The sequence number being sent identifies the first byte of data in that segment.
Simple Windowing (cont’d)
TCP full-duplex service: independent data flows
TCP provides full-duplex service, which means data can be flowing in each direction, independent of the other direction.
Window sizes, sequence numbers, and acknowledgment numbers are independent of each other’s data flow.
Receiver sends acceptable window size to sender during each segment transmission (flow control):
• If too much data is sent, the acceptable window size is reduced.
• If more data can be handled, the acceptable window size is increased.
This is known as a Stop-and-Wait windowing protocol.
The receiver sends acknowledgements as its TCP receiving buffer empties.
Sliding Windows (cont’d)
The terms used to describe the movement of the left and right edges of this sliding window are:
• The left edge closes (moves to the right) when data is sent and acknowledged.
• The right edge opens (moves to the right), allowing more data to be sent. This happens when the receiver acknowledges a certain number of bytes received.
• The middle edge opens (moves to the right) as data is sent but not yet acknowledged.
Host B gives Host A a window size of 6 (octets or bytes).
Host A begins by sending octets to Host B: octets 1, 2, and 3 and slides its window over showing it has sent those 3 octets.
Host A will not increase its usable window size by 3 until it receives an acknowledgment from Host B that it has received some or all of the octets.
Host B, not waiting for all of the 6 octets to arrive, after receiving the third octet sends an expectational acknowledgement of “4” to Host A.
Note: The left edge closes (moves to the right) when data is sent and acknowledged.
Figure: sliding window between Host A (sender) and Host B (receiver), octets 1-13, window size = 6. Host A sends octets 1, 2, 3 (octets sent, usable window shrinks); Host B replies ACK 4; Host A sends octets 4 and 5 (sent, not ACKed) while the remaining octets in the window can be sent ASAP; Host B replies ACK 6.
Host A does not have to wait for an acknowledgement from Host B to keep sending data until the amount of unacknowledged data reaches the window size of 6, so it sends octets 4 and 5.
Host A receives the acknowledgement ACK 4 and can now slide its window over to equal 6 octets again: 3 octets sent but not ACKed plus 3 octets that can be sent ASAP.
Note: The right edge opens (moves to the right) allowing more data to be sent. This happens when the receiver acknowledges a certain number of bytes received.
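The Host A / Host B walkthrough above, carried through as an added example that is not part of the ECSA module: a sender-side sliding window in Python with the same window size of 6 and expectational ACKs. The class and function names are my own, and the receiver is modelled only by the ACK numbers it returns.

```python
# Added example (not from the ECSA module): a minimal simulation of the
# sender-side sliding window from the Host A / Host B walkthrough.
# Octets are numbered from 1 and acknowledgements are "expectational":
# ACK n means "I have everything below n, send octet n next".

class SenderWindow:
    def __init__(self, window_size):
        self.window_size = window_size   # advertised by the receiver (Host B)
        self.left = 1        # lowest unacknowledged octet (left edge)
        self.next_seq = 1    # next octet to send (middle edge)

    @property
    def right(self):
        # right edge: left edge plus the advertised window
        return self.left + self.window_size

    def usable(self):
        # octets that can be sent right now without waiting for an ACK
        return self.right - self.next_seq

    def send(self, count):
        # send at most `count` octets, never beyond the right edge
        count = min(count, self.usable())
        sent = list(range(self.next_seq, self.next_seq + count))
        self.next_seq += count
        return sent

    def ack(self, ack_number, new_window=None):
        # expectational ACK: everything below ack_number is acknowledged, so the
        # left edge closes (moves right) and the usable window opens up again
        if ack_number > self.left:
            self.left = min(ack_number, self.next_seq)
        if new_window is not None:
            self.window_size = new_window   # receiver-driven flow control
        return self.usable()

def walkthrough():
    # the module's scenario: window 6, send 1-3, send 4-5, then ACK 4 arrives
    a = SenderWindow(window_size=6)
    first = a.send(3)             # octets 1, 2, 3 -> 3 usable octets left
    after_first = a.usable()
    second = a.send(2)            # octets 4, 5 sent without waiting for an ACK
    usable_after_ack4 = a.ack(4)  # left edge closes to 4; window slides right
    return first, after_first, second, usable_after_ack4
```

A sender that exhausts its usable window gets an empty list from send() until an ACK (or a larger advertised window) arrives, which is the flow-control point the slides make.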
Sequencing Numbers (cont’d)
The receiver can reconstruct the arrangement of data segments by following the sequence numbers.
The sequence number helps the receiver to cross-check whether the data transfer is successful.
The sequence number helps the sender to retransmit the data in case there is an error in the data transfer.
Firewalls and Packet Filtering
Packet filtering:
• Is a process of controlling network traffic by checking every transmitting packet against a predefined security policy.
• Uses rules based on source and destination addresses, but there is a restricted scope for some of the IPv6 addresses.
• Basic IP filtering is still in wide use at the border of networks.
• A firewall is an IP packet filter that enforces filtering and security policies on the flowing network traffic.
IPv6 firewalling:
• Using firewalls in IPv6 is still the best way of protection from low-level
Figure: Internet - Router - Protected Network.
Firewalls and Packet Filtering (cont’d)
• “Internet-firewall/router (edge device)-net architecture”: this order can be powerful for routing and security policy.
This ability to remove a host from the network for at least 75 seconds can be used as a DoS attack.
UDP Operation
UDP does not use windowing or acknowledgments, so application layer protocols must provide error detection.
The Source Port field is an optional field used only if information needs to return to the sending host.
When a destination router receives a routing update, the source router is not requesting anything so nothing needs to return to the source.
This applies only to RIP updates: BGP uses TCP, and IGRP is sent directly over IP. EIGRP and OSPF are also sent directly over IP, with their own way of handling reliability.
Internet Control Message Protocol (ICMP)
IP is an unreliable method for delivery of network data.
IP does not notify the sender of a failed data transmission.
Internet Control Message Protocol (ICMP) is the component of the TCP/IP protocol stack that addresses this basic limitation of IP.
ICMP does not overcome the unreliability issues in IP.
Reliability must be provided by upper layer protocols (TCP or the application) if it is required.
Type 15: Information Request; Type 16: Information Reply; Type 40: Photuris; Types 41-255: Reserved.
Format of an ICMP Message (cont’d)
Code Field
Type 3: Destination Unreachable
Codes:
0 Net Unreachable
1 Host Unreachable
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation Needed and Don't Fragment was Set
5 Source Route Failed
6 Destination Network Unknown
7 Destination Host Unknown
8 Source Host Isolated
9 Communication with Destination Network is Administratively Prohibited
10 Communication with Destination Host is Administratively Prohibited
11 Destination Network Unreachable for Type of Service
12 Destination Host Unreachable for Type of Service
13 Communication Administratively Prohibited
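The Type 3 code table above, turned into a small decoder as an added example (not code from the ECSA module): it unpacks the 8-byte ICMP header, verifies the RFC 792 ones'-complement checksum over the whole message, and names the Destination Unreachable code. The sample message is constructed inline; build_icmp and parse_icmp are my own helper names.

```python
import struct

# Added example (not from the ECSA module): decode an ICMP header, verify its
# checksum and map a Type 3 (Destination Unreachable) code to its name.
DEST_UNREACHABLE_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
    5: "Source Route Failed", 6: "Destination Network Unknown",
    7: "Destination Host Unknown", 8: "Source Host Isolated",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    11: "Destination Network Unreachable for Type of Service",
    12: "Destination Host Unreachable for Type of Service",
    13: "Communication Administratively Prohibited",
}

def icmp_checksum(data):
    # ones'-complement sum of 16-bit words (RFC 1071); odd length is zero-padded
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type, code, rest, payload=b""):
    # assemble type | code | checksum | 4-byte "rest of header" | payload
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload

def parse_icmp(msg):
    # returns (type, code, description, checksum_ok); a message whose checksum
    # field is correct sums to zero when the checksum is recomputed over it
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    checksum_ok = icmp_checksum(msg) == 0
    if icmp_type == 3:
        desc = DEST_UNREACHABLE_CODES.get(code, "Reserved/unknown code %d" % code)
    else:
        desc = "Type %d code %d" % (icmp_type, code)
    return icmp_type, code, desc, checksum_ok

# Constructed sample: Port Unreachable (Type 3, Code 3). The 4 "rest" bytes are
# unused for Type 3; the payload stands in for the returned IP header + 8 bytes.
SAMPLE = build_icmp(3, 3, b"\x00" * 4, bytes(range(28)))
```

A bad checksum is the first thing to check when an analyser shows an unexpected Destination Unreachable, since a corrupted or forged message fails this test before its code is even interpreted.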
Unreachable Networks (cont’d)
Examples of problems:
• Sending device may address the datagram to a non-existent IP address
• Destination device that is disconnected from its network
• Router’s connecting interface is down
• Router does not have the information necessary to find the
Destination Unreachable Message
If datagrams cannot always be forwarded to their destinations, ICMP delivers back to the sender a destination unreachable message, indicating to the sender that the datagram could not be properly forwarded.
A destination unreachable message may also be sent when packet fragmentation is required in order to forward a packet:
• Fragmentation is usually necessary when a datagram is forwarded from a token-ring network to an Ethernet network.
• If the datagram does not allow fragmentation, the packet cannot be forwarded, so a destination unreachable message will be sent.
Destination unreachable messages may also be generated if IP-related services such as FTP or web services are unavailable.
ICMP Redirects
Figure: ICMP Redirect, Type = 5, Code = 0 to 3.
Default gateways only send ICMP redirect/change request messages if the following conditions are met:
• The interface on which the packet comes into the router is the same interface on which the packet gets routed out.
• The subnet/network of the source IP address is the same subnet/network as the next-hop IP address of the routed packet.
• The datagram is not source-routed.
• The route for the redirect is not another ICMP redirect or a default route.
• The router is configured to send redirects.
Clock Synchronization and Transit Time Estimation
Figure: ICMP Timestamp Request/Reply, Type = 13 or 14.
The TCP/IP protocol suite allows systems to connect to one another over vast distances through multiple networks.
Each of these individual networks provides clock synchronization in its own way.
As a result, hosts on different networks that are trying to communicate using software that requires time synchronization can sometimes encounter problems.
The ICMP timestamp message type is designed to help alleviate this problem.
The ICMP timestamp request message allows a host to ask for the current time according to the remote host.
The remote host uses an ICMP timestamp reply message to respond to the request.
Clock Synchronization and Transit Time Estimation
All ICMP timestamp reply messages contain the originate, receive, and transmit timestamps.
Using these three timestamps, the host can estimate transit time across the network by subtracting the originate time from the transmit time.
It is only an estimate however, as true transit time can vary widely based on traffic and congestion on the network.
The host that originated the timestamp request can also estimate the local time on the remote computer.
While ICMP timestamp messages provide a simple way to estimate time on a remote host and total network transit time, this is not the best way to obtain this information.
Instead, more robust protocols such as Network Time Protocol (NTP) at the upper layers of the TCP/IP protocol stack perform clock synchronization in a more reliable manner.
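The three-timestamp arithmetic described above, worked through as an added example (not code from the ECSA module): parse a Type 14 Timestamp Reply, compute the module's simple one-way estimate (transmit minus originate), and alongside it the round-trip time and the remote clock offset, which is what makes the one-way figure "only an estimate". The sample reply is constructed inline, the checksum field is left zero and not verified here, and build_reply, parse_timestamp_reply and estimate are my own names.

```python
import struct

MS_PER_DAY = 86_400_000   # ICMP timestamps are milliseconds since midnight UTC

def build_reply(ident, seq, originate, receive, transmit):
    # Timestamp Reply: type 14, code 0; checksum left zero (not verified here)
    return struct.pack("!BBHHHIII", 14, 0, 0, ident, seq, originate, receive, transmit)

def parse_timestamp_reply(msg):
    # type(1) code(1) checksum(2) identifier(2) sequence(2) + three 32-bit timestamps
    if len(msg) < 20:
        raise ValueError("ICMP timestamp message is 20 bytes")
    icmp_type, code, _csum, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", msg[:20])
    if icmp_type != 14 or code != 0:
        raise ValueError("not an ICMP Timestamp Reply (type 14, code 0)")
    return {"id": ident, "seq": seq, "originate": orig, "receive": recv, "transmit": xmit}

def _delta(later, earlier):
    # signed difference in ms that survives a wrap past midnight UTC
    d = (later - earlier) % MS_PER_DAY
    return d - MS_PER_DAY if d > MS_PER_DAY // 2 else d

def estimate(reply, arrival_ms):
    ts = parse_timestamp_reply(reply)
    # the module's one-way figure: remote transmit minus our originate; it silently
    # includes any clock offset between the two hosts, which is why it is only an estimate
    one_way = _delta(ts["transmit"], ts["originate"])
    # round-trip time on our clock with the remote's processing time (transmit - receive) removed
    rtt = _delta(arrival_ms, ts["originate"]) - _delta(ts["transmit"], ts["receive"])
    # remote clock offset relative to ours, assuming a symmetric path (the idea NTP refines)
    offset = (_delta(ts["receive"], ts["originate"]) - _delta(arrival_ms, ts["transmit"])) // 2
    return {"one_way_ms": one_way, "rtt_ms": rtt, "remote_offset_ms": offset}

# Constructed sample: request sent at 10:00:00.000 UTC, remote stamps receive at +30 ms
# and transmit at +35 ms; our clock sees the reply 65 ms after the request left.
ORIG = 10 * 3_600_000
SAMPLE_REPLY = build_reply(0x1234, 1, ORIG, ORIG + 30, ORIG + 35)
ARRIVAL = ORIG + 65
```

With the remote clock 100 ms ahead, the one-way estimate jumps to 135 ms while the round trip stays at 60 ms, which is the limitation the slides point to before recommending NTP.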
Information Requests and Reply Message Formats
Figure: ICMP Information Request/Reply, Type = 15 or 16.
The ICMP information request and reply messages were originally intended to allow a host to determine its network number.
This particular ICMP message type is considered obsolete.
Other protocols, such as BOOTP and Dynamic Host Configuration Protocol (DHCP), are now used to allow
an address mask reply.
Router Solicitation and Advertisement
Figure: ICMP Router Solicitation (Type = 10) and ICMP Router Advertisement (Type = 9).
When a host on the network boots, and the host has not been manually configured with a default gateway, it can learn of available routers through the process of router discovery.
This process begins with the host sending a router solicitation message to all routers, using the multicast address 224.0.0.2 as the destination address (may also be broadcast).
When a router that supports the discovery process receives the router discovery message, a router