ECSAv4 Module 03 TCP IP Packet Analysis_NoRestriction
Feb 18, 2015
Mahmoud Eladawi

Transcript
Page 1: ECSAv4 Module 03 TCP IP Packet Analysis_NoRestriction

Advanced Penetration Testing and Security Analysis

Module 03: TCP/IP Packet Analysis

Copyright © 2004 EC-Council. All rights reserved worldwide. Reproduction is Strictly Prohibited.

Page 2

Module Objective

This module will familiarize you with:

• TCP/IP Model
• Comparing OSI and TCP/IP
• Addressing
• Subnetting
• IPv4 and IPv6
• Windowing
• TCP/IP Protocols
• TCP and UDP Port Numbers
• TCP Operation
• Sequencing Numbers
• UDP Operation
• ICMP and ICMP Control Messages

Page 3

As a Security Analyst, you must have complete mastery of the TCP/IP protocol suite. This module covers the technical aspects of TCP/IP.

Page 4

TCP/IP Model

The TCP/IP model has four layers:

• Application layer
• Transport layer
• Internet layer
• Network Access layer

Page 5

Application Layer

The application layer of the TCP/IP model handles high-level protocols and issues of representation, encoding, and dialog control.

Function             Protocols
File Transfer        TFTP, FTP, NFS
Email                SMTP
Remote Login         Telnet, rlogin
Network Management   SNMP
Name Management      DNS

Page 6

Transport Layer

The transport layer provides transport services from the source host to the destination host.

The transport layer constitutes a logical connection between the endpoints of the network: the sending host and the receiving host.

End-to-end control is the primary duty of the transport layer when using TCP.

Transport layer protocols: Transmission Control Protocol (TCP), User Datagram Protocol (UDP)

Page 7

Internet Layer

The purpose of the Internet layer is to select the best path through the network for packets to travel.

Internet layer protocols: Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP)

Page 8

Network Access Layer

The network access layer is also called the host-to-network layer.

It includes the LAN and WAN technology details.

Technologies: Ethernet, Fast Ethernet, SLIP & PPP, FDDI, ATM, Frame Relay & SMDS
Network address mapping: ARP, Proxy ARP, RARP

Page 9

Comparing OSI and TCP/IP

OSI MODEL             TCP/IP MODEL
APPLICATION LAYER     APPLICATION LAYER
PRESENTATION LAYER    APPLICATION LAYER
SESSION LAYER         APPLICATION LAYER
TRANSPORT LAYER       TRANSPORT LAYER
NETWORK LAYER         INTERNET LAYER
DATA LINK LAYER       NETWORK ACCESS LAYER
PHYSICAL LAYER        NETWORK ACCESS LAYER

Page 10

Comparing OSI and TCP/IP (cont'd)

Both have application layers, though they include very different services.

TCP/IP combines the presentation and session layers into its application layer.

TCP/IP combines the data link and physical layers into the network access layer.

Both have comparable transport and network layers.

TCP/IP appears simpler because it has fewer layers.

Packet-switched, not circuit-switched, technology is assumed.

The TCP/IP transport layer, when using UDP, does not guarantee reliable delivery of packets, as the transport layer in the OSI model does.

Page 11

TCP

Transmission Control Protocol (TCP) is a connection-oriented transport-layer (layer 4) protocol.

It is responsible for breaking messages into segments, reassembling them at the destination station, and resending anything that is not acknowledged.

Protocols that use TCP include:

• FTP (File Transfer Protocol)
• HTTP (Hypertext Transfer Protocol)
• SMTP (Simple Mail Transfer Protocol)
• Telnet

Page 12

TCP Header

(Figure: TCP header layout; the fields are listed on page 18.)

Page 13

IP Header

(Figure: IPv4 header layout, with the Protocol field called out.)

Page 14

IP Header: Protocol Field

The IP packet has a Protocol field that identifies the upper-layer protocol carried in the packet: 6 for TCP (connection-oriented) and 17 for UDP (connectionless); ICMP, covered later in this module, is 1.
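As an added example (not part of the EC-Council module), the following Python parses a raw IPv4 header, reads the Protocol field discussed above, and verifies the header checksum, which is the first thing a packet analyzer should do before trusting anything else in the header. The sample header is constructed inline; its addresses are borrowed from the trace shown later in this module.

```python
import struct
from ipaddress import IPv4Address

# IANA-assigned values of the IPv4 Protocol field (RFC 790 and successors).
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header (IHL=5, no options) with a correct checksum."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident,
                      0x4000, ttl, protocol, 0,            # DF set, checksum zeroed
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header and report which transport protocol follows."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl,
     proto, stored_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError(f"bad version/IHL: version={version} ihl={ihl}")
    # A header received intact sums to 0xFFFF, so the checksum over it is 0.
    checksum_ok = internet_checksum(packet[:ihl]) == 0
    return {
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": IP_PROTOCOLS.get(proto, f"unknown({proto})"),
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "header_len": ihl,
        "total_len": total_len,
        "payload": packet[ihl:total_len],
        "checksum_ok": checksum_ok,
    }


if __name__ == "__main__":
    # Constructed sample: IPv4 header for a TCP segment with a 20-byte (zeroed) payload.
    pkt = build_ipv4_header("130.57.20.10", "130.57.20.1", 6, 20) + b"\x00" * 20
    info = parse_ipv4(pkt)
    print(info["src"], "->", info["dst"], info["protocol_name"],
          "checksum_ok:", info["checksum_ok"])
```

The `payload` slice is cut at `total_len`, not at the end of the buffer, so trailing Ethernet padding is not mistaken for transport data.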

Page 15

UDP

User Datagram Protocol (UDP) is the connectionless transport protocol.

It is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery.

It uses no windowing or acknowledgments, so reliability, if needed, is provided by application layer protocols.

Protocols that use UDP include:

• TFTP (Trivial File Transfer Protocol)
• SNMP (Simple Network Management Protocol)
• DHCP (Dynamic Host Configuration Protocol)
• DNS (Domain Name System)

Page 16

TCP and UDP Port Numbers

Both TCP and UDP use port (socket) numbers to pass information to the upper layers.

Port numbers are used to keep track of different conversations crossing the network at the same time.

Port numbers have the following assigned ranges:

• Numbers below 1024 are well-known port numbers.
• Numbers from 1024 upward are assigned dynamically to the client side of a conversation; the IANA registry now sets aside 49152-65535 as the dynamic (private) range.
• Registered port numbers are those registered for vendor-specific applications; these fall in the 1024-49151 range.

Page 17

Port Numbers

Conversations that do not involve an application with a well-known port number are instead assigned port numbers that are randomly selected from within a specific range.

These port numbers are used as source and destination addresses in the TCP segment.

Some ports are reserved in both TCP and UDP, although applications might not be written to support them.

Port numbers have the following assigned ranges (this older breakdown predates the current IANA split at 1024 and 49152):

• Numbers below 255 are reserved for public applications.
• Numbers from 255-1023 are assigned to companies for marketable applications.
• Numbers above 1023 are unregulated.

Page 18

Port Numbers

TCP Header (bits 0-15 | bits 16-31):

16-bit Source Port Number          | 16-bit Destination Port Number
32-bit Sequence Number
32-bit Acknowledgement Number
4-bit Header Length | 6-bit (Reserved) | URG ACK PSH RST SYN FIN | 16-bit Window Size
16-bit TCP Checksum                | 16-bit Urgent Pointer
Options (if any)
Data (if any)

End systems use port numbers to select the proper application.

• Originating source port numbers, usually a value larger than 1023, are dynamically assigned by the source host.
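Added example, not from the original slides: a Python decoder for the header laid out above. It parses the fixed 20-byte header, the options (only MSS is interpreted), and the six flag bits, and names flag combinations that a normal TCP stack never emits (no flags at all, FIN+PSH+URG, SYN+FIN), which is what an analyst looks for when telling scans apart from real connections. The sample segment is constructed to match the SYN in this module's trace (ports 1026 and 524, ISN 12952, window 8192, MSS 1460); the checksum is left at zero because verifying it needs the IP pseudo-header, which is outside this block.

```python
import struct

# Flag bits in the low byte of the 16-bit data-offset/reserved/flags word.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_tcp_options(raw: bytes) -> dict:
    """Decode the option list; only MSS (kind 2) is interpreted, the rest are kept raw."""
    options, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # No-Operation (padding)
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            raise ValueError("malformed TCP option")
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            options["mss"] = struct.unpack("!H", body)[0]
        else:
            options[f"kind{kind}"] = body
        i += length
    return options


def parse_tcp(segment: bytes) -> dict:
    """Decode the TCP header from the slide: ports, seq/ack, offset, flags, window."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4     # header length in bytes, 20..60
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad data offset {data_offset}")
    flags = {name: bool(off_flags & bit) for name, bit in TCP_FLAGS.items()}
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": data_offset, "flags": flags, "window": window,
        "checksum": checksum, "urgent_pointer": urg_ptr,
        "options": parse_tcp_options(segment[20:data_offset]),
        "payload": segment[data_offset:],
    }


def build_tcp(sport, dport, seq, ack, flag_names, window, options=b"", payload=b""):
    """Build a segment; the checksum stays 0 (it needs the IP pseudo-header)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # options are padded to 32 bits
    data_offset = (20 + len(options)) // 4
    off_flags = (data_offset << 12) | sum(TCP_FLAGS[f] for f in flag_names)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0) + options + payload


def classify_flags(flags: dict) -> str:
    """Name the flag combination; the first three are never sent by a real stack."""
    fin, syn, rst, psh, ack, urg = (flags[k] for k in ("FIN", "SYN", "RST", "PSH", "ACK", "URG"))
    if not any(flags.values()):
        return "NULL scan"
    if fin and psh and urg and not (syn or ack or rst):
        return "XMAS scan"
    if syn and fin:
        return "SYN+FIN (invalid)"
    if syn and not ack:
        return "SYN (connection request)"
    if syn and ack:
        return "SYN-ACK"
    if rst:
        return "RST"
    return "normal"


if __name__ == "__main__":
    # Constructed sample: the SYN from the slide's trace, MSS option kind=2 len=4 value=1460.
    syn = build_tcp(1026, 524, 12952, 0, ["SYN"], 8192, options=b"\x02\x04\x05\xb4")
    hdr = parse_tcp(syn)
    print(hdr["sport"], "->", hdr["dport"], "seq", hdr["seq"], hdr["options"],
          classify_flags(hdr["flags"]))
```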

Page 19

IANA

The well-known ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.

The registered ports are listed by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users.

The IANA registers uses of these ports as a convenience to the community.

The range of well-known ports managed by the IANA is 0-1023; registered ports occupy 1024-49151.

Page 20

Source and Destination Port Numbers

Notice the difference in how source and destination port numbers are used with clients and servers:

Client:
  Destination Port = 23 (telnet)
  Source Port = 1028 (dynamically assigned)

Server:
  Destination Port = 1028 (source port of client)
  Source Port = 23 (telnet)

Page 21

What Makes Each Connection Unique?

A connection is defined by the pair of (address, port) endpoints:

• Source IP address, source port
• Destination IP address, destination port

Different connections can use the same destination port on the server host as long as the source ports or source IPs are different.

Page 22

netstat command

Columns shown by netstat: Source IP, TCP or UDP, Source Port, Destination IP, Destination Port, Connection State.

Example of multiple TCP connections for a single HTTP session (connections to www.google.com and www.cisco.com):

(Figure: netstat output listing several connections to each web server.)

Note: In actuality, when you open up a single web page, there are usually several TCP sessions created, not just one.
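Added example (not from the slides): parsing netstat -an style output to apply the uniqueness rule from the previous page. The listing is constructed for this example using documentation addresses; grouping it shows several distinct connections to the same server port, each told apart only by the client's source port, which is the situation the note above describes.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows "netstat -an" (the command the slide
# shows). Addresses come from the documentation ranges; nothing here is a real host.
NETSTAT_SAMPLE = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    192.168.1.10:1028      203.0.113.10:80        ESTABLISHED
TCP    192.168.1.10:1029      203.0.113.10:80        ESTABLISHED
TCP    192.168.1.10:1030      203.0.113.10:80        TIME_WAIT
TCP    192.168.1.10:1031      198.51.100.20:80       ESTABLISHED
TCP    192.168.1.10:1032      198.51.100.20:443      ESTABLISHED
UDP    0.0.0.0:161            *:*
"""

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> list:
    """Turn each netstat row into (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                     # column header or unrelated text
        proto, lip, lport, rip, rport, state = m.groups()
        rport = int(rport) if rport.isdigit() else None  # UDP sockets show "*:*"
        rows.append((proto, lip, int(lport), rip, rport, state or ""))
    return rows


def unique_connections(rows: list) -> set:
    """The slide's rule: a TCP connection is identified by the 4-tuple
    (source IP, source port, destination IP, destination port). Listening
    sockets have no peer (0.0.0.0:0) and are not connections."""
    return {(p, lip, lp, rip, rp) for p, lip, lp, rip, rp, _ in rows
            if p == "TCP" and rp not in (None, 0)}


def connections_per_server(rows: list) -> dict:
    """Count distinct connections to each (server IP, server port). They share the
    destination port and differ only in the client's source port."""
    clients = defaultdict(set)
    for _, lip, lp, rip, rp in unique_connections(rows):
        clients[(rip, rp)].add((lip, lp))
    return {server: len(peers) for server, peers in clients.items()}


def all_sources_ephemeral(rows: list) -> bool:
    """Sanity check from the slides: client-side source ports are above 1023."""
    return all(lp > 1023 for _, _, lp, _, _ in unique_connections(rows))


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    for (ip, port), n in sorted(connections_per_server(rows).items()):
        print(f"{ip}:{port}  {n} distinct connection(s) from this host")
```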

Page 23

(Figure: two segments, each carrying an application header plus data, delivered to different applications according to port number.)

Port numbers are used to know which application the receiving host should pass the "Data" to.

Page 24

TCP Operation

IP is a best-effort delivery service.

The transport layer (TCP) is responsible for reliability and flow control from source to destination.

This is accomplished using:

• Sliding windows (flow control)
• Sequencing numbers and acknowledgments (reliability)
• Synchronization (establish a virtual circuit)

Page 25

Three-Way Handshake

TCP requires connection establishment before data transfer begins.

For a connection to be established or initialized, the two hosts must synchronize.

The synchronization requires each side to send its own initial sequence number and to receive a confirmation of the exchange in an acknowledgment (ACK) from the other side.

This exchange is called a three-way handshake.

Page 26

(Figure: a UDP datagram, IP Protocol Field = 17, and a TCP segment, IP Protocol Field = 6, each carrying an application header plus data.)

Page 27

Flow Control

Flow control avoids the problem of a transmitting host overflowing the buffers in the receiving host.

TCP provides the mechanism for flow control by allowing the sending and receiving hosts to communicate.

The two hosts then establish a data-transfer rate that is agreeable to both.

Page 28

Windowing

Windowing is a flow-control mechanism.

Windowing requires that the source device receive an acknowledgment from the destination after transmitting a certain amount of data.

Page 29

Windowing and Window Sizes

This is an example of simple windowing.

The window size refers to the number of bytes that are transmitted before receiving an acknowledgment.

After a host transmits the window-size number of bytes, it must receive an acknowledgment before any more data can be sent.

The window size determines how much data the receiving station can accept at one time.

Page 30

Simple Windowing

TCP is responsible for breaking data into segments.

(Figure: the TCP header diagram from page 18, including the 16-bit Window Size field.)

With a window size of 1, each segment carries only one byte of data and must be acknowledged before another segment is transmitted.

The purpose of windowing is to improve flow control and reliability.

With a window size of 1, there is very inefficient use of bandwidth.

Page 31

Simple Windowing (cont'd)

TCP window size:

TCP uses a window size, a number of bytes that the receiver is willing to accept, which is usually controlled by the receiving process.

TCP uses expectational (cumulative) acknowledgments, which means that the acknowledgment number refers to the next byte that the sender of the acknowledgement expects to receive.

A larger window size allows more data to be transmitted pending acknowledgment.

Note: The sequence number being sent identifies the first byte of data in that segment.

Page 32

Simple Windowing (cont'd)

TCP full-duplex service: independent data flows

TCP provides full-duplex service, which means data can be flowing in each direction, independent of the other direction.

Window sizes, sequence numbers, and acknowledgment numbers are independent for each direction's data flow.

The receiver advertises its acceptable window size to the sender in every segment it transmits (flow control):

• If too much data is sent, the acceptable window size is reduced.
• If more data can be handled, the acceptable window size is increased.

The degenerate case, a window of one segment that must be acknowledged before the next is sent, is a stop-and-wait protocol; TCP's actual mechanism is the sliding window described on the following pages.

Page 33

Acknowledgement

Positive acknowledgment with retransmission is one technique that guarantees reliable delivery of data.

It requires a recipient to communicate with the source and send back an acknowledgment message when the data is received.

Segments that are not acknowledged within a given time period will result in a retransmission.

Page 34

Sliding Windows

(Figure: the sender's window divided into "Octets sent, Not ACKed" and "Usable Window, Can send ASAP"; the initial window size and the working window size are marked.)

Sliding window algorithms are a method of flow control for network data transfers using the receiver's window size.

The sender computes its usable window, or up to how much data it can immediately send.

Over time, this sliding window moves to the right, as the receiver acknowledges data.

The receiver sends acknowledgements as its TCP receiving buffer empties.

Page 35

Sliding Windows (cont'd)

The terms used to describe the movement of the left and right edges of this sliding window are:

• The left edge closes (moves to the right) when data is sent and acknowledged.
• The right edge opens (moves to the right) allowing more data to be sent. This happens when the receiver acknowledges a certain number of bytes received.
• The middle edge opens (moves to the right) as data is sent, but not yet acknowledged.

Page 36

(Figure: Host A, the sender, and Host B, the receiver, each with octets 1 to 13 laid out; Host A's window is marked "Octets sent, Not ACKed" and "Usable Window, Can send ASAP", Host B's as "Octets received"; window size = 6; Host B returns ACK 4 after octet 3.)

Host B gives Host A a window size of 6 (octets or bytes).

Host A begins by sending octets to Host B: octets 1, 2, and 3, and slides its window over showing it has sent those 3 octets.

Host A will not increase its usable window size by 3 until it receives an acknowledgment from Host B that it has received some or all of the octets.

Host B, not waiting for all of the 6 octets to arrive, after receiving the third octet sends an expectational acknowledgement of "4" to Host A.

Note: The left edge closes (moves to the right) when data is sent and acknowledged.

Page 37

(Figure: continuation of the same exchange; Host A sends octets 4 and 5 before ACK 4 arrives, then Host B returns ACK 6.)

Host A does not have to wait for an acknowledgement from Host B to keep sending data, until it has sent data equal to the window size of 6, so it sends octets 4 and 5.

Host A receives the acknowledgement ACK 4 and can now slide its window over to equal 6 octets: 3 octets sent but not ACKed, plus 3 octets which can be sent ASAP.

Note: The right edge opens (moves to the right) allowing more data to be sent. This happens when the receiver acknowledges a certain number of bytes received.

Page 38

(Figure only: the exchange continues; after ACK 6 Host A sends octets 6, 7, 8 and 9, the window sliding right each time an acknowledgment arrives.)
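Added example, not from the slides: a sender-side sliding window in Python that replays the Host A / Host B scenario of pages 36 to 38 (window 6, octets 1-3, octets 4-5, ACK 4, ACK 6) and then one step the slides do not draw, the receiver shrinking the advertised window so the usable window collapses to zero. Variable names follow RFC 793's SND.UNA / SND.NXT / SND.WND; octet numbering starts at 1 as on the slides.

```python
class SlidingWindowSender:
    """Sender side of TCP's sliding window, in RFC 793 terms:
    SND.UNA = oldest unacknowledged octet, SND.NXT = next octet to send,
    SND.WND = window the receiver last advertised."""

    def __init__(self, first_octet: int, window: int):
        self.snd_una = first_octet
        self.snd_nxt = first_octet
        self.snd_wnd = window

    @property
    def left_edge(self) -> int:
        return self.snd_una                      # closes as ACKs arrive

    @property
    def right_edge(self) -> int:
        return self.snd_una + self.snd_wnd       # first octet NOT allowed; opens with ACKs

    @property
    def usable_window(self) -> int:
        return max(0, self.right_edge - self.snd_nxt)   # "can send ASAP"

    @property
    def unacked(self) -> int:
        return self.snd_nxt - self.snd_una       # "octets sent, not ACKed"

    def send(self, n: int) -> list:
        """Send up to n octets, never past the right edge; returns the octet numbers sent."""
        n = min(n, self.usable_window)
        sent = list(range(self.snd_nxt, self.snd_nxt + n))
        self.snd_nxt += n                        # the middle edge moves right
        return sent

    def receive_ack(self, ack: int, window: int = None) -> None:
        """Cumulative ACK: 'ack' is the next octet the receiver expects."""
        if ack < self.snd_una or ack > self.snd_nxt:
            raise ValueError(f"ACK {ack} outside [{self.snd_una}, {self.snd_nxt}]")
        self.snd_una = ack                       # the left edge closes
        if window is not None:
            self.snd_wnd = window                # receiver grew or shrank the window

    def snapshot(self) -> dict:
        return {"left": self.left_edge, "nxt": self.snd_nxt, "right": self.right_edge,
                "unacked": self.unacked, "usable": self.usable_window}


def replay_slide_example() -> list:
    """Replay the slides' exchange; returns (event, octets_sent, window_state) steps."""
    s = SlidingWindowSender(first_octet=1, window=6)
    steps = []
    steps.append(("send 1-3", s.send(3), s.snapshot()))          # usable drops to 3
    steps.append(("send 4-5", s.send(2), s.snapshot()))          # 5 of 6 in flight
    s.receive_ack(4)                                             # octets 1-3 acknowledged
    steps.append(("ACK 4", [], s.snapshot()))
    s.receive_ack(6)                                             # octets 4-5 acknowledged
    steps.append(("ACK 6", [], s.snapshot()))
    steps.append(("send as much as allowed", s.send(10), s.snapshot()))   # capped at 6
    s.receive_ack(9, window=2)                                   # receiver shrinks the window
    steps.append(("ACK 9, window 2", [], s.snapshot()))
    return steps


if __name__ == "__main__":
    for event, sent, state in replay_slide_example():
        print(f"{event:24} sent={sent} {state}")
```

The last step is the "if too much data is sent, the acceptable window size is reduced" case: the right edge (9 + 2 = 11) ends up behind SND.NXT (12), so the usable window is clamped to zero and the sender must wait for further ACKs.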

Page 39

Sequencing Numbers

The transferred data segments must be reassembled at the receiver end after successful transfer of data.

There is no guarantee that the data will arrive in the order it was transmitted.

TCP applies sequence numbers to the data segments.

(Figure caption: "This is only if one octet was sent at a time.")

Page 40

Sequencing Numbers (cont'd)

The receiver can reconstruct the arrangement of the data segments by following the sequence numbers set by the sender.

The sequencing number helps the receiver to cross-check whether the data transfer is successful.

The sequencing number helps the sender to retransmit the data in case there is an error in the data transfer.

Page 41

Sequencing Numbers (cont'd)

Only portions of the TCP headers are displayed.

Packet 1: source: 130.57.20.10 dest: 130.57.20.1
TCP: ----- TCP header -----
TCP: Source port = 1026
TCP: Destination port = 524
TCP: Initial sequence number = 12952
TCP: Next expected Seq number = 12953
TCP: .... ..1. = SYN
TCP: Window = 8192
TCP: Checksum = 1303 (correct)
TCP: Maximum segment size = 1460 (TCP Option)

Packet 2: source: 130.57.20.1 dest: 130.57.20.10
TCP: ----- TCP header -----
TCP: Source port = 524
TCP: Destination port = 1026
TCP: Initial sequence number = 2744080
TCP: Next expected Seq number = 2744081
TCP: Acknowledgment number = 12953
TCP: .... ..1. = SYN
TCP: Window = 32768
TCP: Checksum = D3B7 (correct)
TCP: Maximum segment size = 1460 (TCP Option)

Packet 3: source: 130.57.20.10 dest: 130.57.20.1
TCP: ----- TCP header -----
TCP: Source port = 1026
TCP: Destination port = 524
TCP: Sequence number = 12953
TCP: Next expected Seq number = 12953
TCP: Acknowledgment number = 2744081
TCP: ...1 .... = Acknowledgment
TCP: Window = 8760
TCP: Checksum = 493D (correct)
TCP: No TCP options
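An added example rather than module content: the handshake from the trace above, generated and validated in Python. The values are the ones in the trace (client ISN 12952, server ISN 2744080, ports 1026 and 524); the validation rules are the ones the trace illustrates: a SYN consumes one sequence number, each side's acknowledgment number is the other side's next expected sequence number, and a bare ACK consumes nothing, which is why Packet 3's "next expected" stays at 12953.

```python
from dataclasses import dataclass

SEQ_MOD = 1 << 32   # sequence numbers are 32 bits and wrap around


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: frozenset
    data: bytes = b""

    def next_expected_seq(self) -> int:
        """What the peer will acknowledge: seq plus data length, plus one for SYN and
        one for FIN, which each occupy a sequence number; a bare ACK adds nothing."""
        return (self.seq + len(self.data)
                + ("SYN" in self.flags) + ("FIN" in self.flags)) % SEQ_MOD


def three_way_handshake(client: str, server: str, cport: int, sport: int,
                        client_isn: int, server_isn: int) -> list:
    """Produce the three segments: SYN, SYN+ACK, ACK."""
    syn = Segment(client, server, cport, sport, client_isn, 0, frozenset({"SYN"}))
    syn_ack = Segment(server, client, sport, cport, server_isn,
                      syn.next_expected_seq(), frozenset({"SYN", "ACK"}))
    ack = Segment(client, server, cport, sport, syn.next_expected_seq(),
                  syn_ack.next_expected_seq(), frozenset({"ACK"}))
    return [syn, syn_ack, ack]


def validate_handshake(segs: list) -> list:
    """Return the list of rule violations; an empty list means a valid handshake."""
    if len(segs) != 3:
        return ["expected exactly three segments"]
    syn, syn_ack, ack = segs
    problems = []
    if syn.flags != {"SYN"}:
        problems.append("first segment must carry SYN only")
    if syn_ack.flags != {"SYN", "ACK"}:
        problems.append("second segment must carry SYN and ACK")
    if "ACK" not in ack.flags or "SYN" in ack.flags:
        problems.append("third segment must carry ACK and not SYN")
    if (syn_ack.src, syn_ack.sport, syn_ack.dst, syn_ack.dport) != (syn.dst, syn.dport, syn.src, syn.sport):
        problems.append("SYN-ACK is not from the SYN's destination back to its source")
    if syn_ack.ack != syn.next_expected_seq():
        problems.append(f"SYN-ACK acknowledges {syn_ack.ack}, expected {syn.next_expected_seq()}")
    if ack.seq != syn.next_expected_seq():
        problems.append(f"final ACK uses seq {ack.seq}, expected client ISN + 1")
    if ack.ack != syn_ack.next_expected_seq():
        problems.append(f"final ACK acknowledges {ack.ack}, expected {syn_ack.next_expected_seq()}")
    return problems


if __name__ == "__main__":
    # Values from the slide's trace: 130.57.20.10:1026 -> 130.57.20.1:524.
    for s in three_way_handshake("130.57.20.10", "130.57.20.1", 1026, 524, 12952, 2744080):
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} {sorted(s.flags)} "
              f"seq={s.seq} ack={s.ack} next expected={s.next_expected_seq()}")
```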

Page 42

Synchronization

For a connection to be established, the two end stations must synchronize with each other's initial TCP sequence numbers (ISNs).

Sequence numbers are used to track the order of packets and to ensure that no packets are lost in transmission.

The initial sequence number is the starting number used when a TCP connection is established.

The initial exchange of sequence numbers during the connection sequence ensures recovery of lost data.

Page 43

Positive Acknowledgment and Retransmission (PAR)

PAR: The source sends a packet, starts a timer, and waits for an acknowledgment before sending the next packet.

If the timer expires before the source receives an acknowledgment, the source retransmits the packet and restarts the timer.

TCP uses expectational acknowledgments, in which the acknowledgment number refers to the next octet that is expected.

Page 44

What is Internet Protocol v6 (IPv6)?

IPv6 provides a base for enhanced Internet functionalities.

It is also called IPng, or the next generation protocol.

Purpose of IPv6:

• Expandable address space
• Overcomes the issues in IPv4
• Scalable to new users and new services

Page 45

Why IPv6?

IPv6 provides flexibility for further growth and expansion of IT development.

The following are the factors that provide a stage for the above growth:

• Address space (large and diverse)
• Auto configuration ability (plug-n-play)
• Mobility (improves mobility model)
• End-to-end security (high comfort factor)
• Extension headers (offer enormous potential)

Page 46

IPv6 Header

(Figure: IPv6 header layout.)

Page 47

Features of IPv6

• Expanded addressing and routing capabilities
• Simplified header format
• Extension headers
• Security: authentication and privacy
• Auto-configuration
• Support for source demand routing protocol
• Quality of Service (QoS)

Page 48

IPv4/IPv6 Transition Mechanisms

There are three transition mechanisms available to deploy IPv6 on IPv4 networks.

The transitions can be used in any combination:

• Dual stacks: the host runs both protocols and, based on the DNS answer (an A or an AAAA record), uses IPv4 or IPv6.
• Tunneling: encapsulates IPv6 packets in IPv4 packets.
• Translation: NAT-PT and SIIT are used to enable an IPv6 host to communicate with an IPv4 host.

Page 49

IPv4/IPv6 Transition Mechanisms (cont'd)

(Figure only.)

Page 50

IPv6 Security Issues

Dual-stack related issues:
• IPv6-IPv4 dual stacks increase the potential for security vulnerabilities.

Header manipulation issues:
• Using extension headers and IPsec can deter some header manipulation-based attacks.

Flooding issues:
• Scanning in IPv6 networks for valid host addresses is difficult.

Page 51: ECSAv4 Module 03 TCP IP Packet Analysis_NoRestriction

Security Flaws in IPv6

Trespassing:

• With the advanced network discovery of IPv6, it becomes easy for an attacker to get information from any remote network.

Bypassing filtering devices:

• There are chances of attackers hiding traffic due to the variation in DMZ protection for IPv6 traffic.

Denial-of-service (DoS):

• There are possibilities of DoS attacks while using the same links for sending and receiving IPv6 packets.

Security Flaws in IPv6 (cont’d)

Anycast (no longer safe):

• The routing header 0 (zero) feature of IPv6 can single out all instances of anycast services that work with the same IP on the Internet.

IPv6 puts IPv4 at risk:

• Enabling IPv6 may introduce vulnerabilities in:

• The IPv4 network and devices.

• Security devices.

• Operating systems.

• Applications.
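The routing header 0 problem above is something a packet filter can check for by walking the IPv6 extension-header chain. The following is an added example (not part of the EC-Council module): it decodes the Next Header chain of a constructed IPv6 packet and flags a Type 0 Routing Header that still has segments left; the sample addresses and the helper names are my own.

```python
import struct
import ipaddress

# IPv6 extension header numbers that can be chained between the fixed header
# and the upper-layer protocol (values from the IANA protocol number registry).
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
CHAINABLE = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}


def walk_extension_headers(packet: bytes):
    """Follow the Next Header chain of an IPv6 packet.

    Returns (upper_layer_protocol, [(header_number, info), ...]).  Only the
    fields needed to recognise a routing header are decoded.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, offset, chain = packet[6], 40, []
    while nh in CHAINABLE:
        if len(packet) < offset + 8:
            raise ValueError("truncated extension header")
        next_nh, ext_len = packet[offset], packet[offset + 1]
        # The fragment header is always 8 bytes; the others carry their length
        # in 8-octet units, not counting the first 8 octets.
        hdr_len = 8 if nh == FRAGMENT else (ext_len + 1) * 8
        info = {"length": hdr_len}
        if nh == ROUTING:
            info["routing_type"] = packet[offset + 2]
            info["segments_left"] = packet[offset + 3]
        chain.append((nh, info))
        nh, offset = next_nh, offset + hdr_len
    return nh, chain


def has_active_rh0(packet: bytes) -> bool:
    """True if the packet carries a Type 0 Routing Header that still has hops
    to visit; RFC 5095 deprecated RH0, so a filter should drop such packets."""
    _, chain = walk_extension_headers(packet)
    return any(h == ROUTING and i["routing_type"] == 0 and i["segments_left"] > 0
               for h, i in chain)


def rh0(next_header: int, hops) -> bytes:
    """Constructed Type 0 routing header listing the given intermediate hops."""
    addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    return struct.pack("!BBBBI", next_header, 2 * len(hops), 0, len(hops), 0) + addrs


def build_ipv6(src: str, dst: str, ext_headers, upper_nh: int,
               payload: bytes = b"") -> bytes:
    """Constructed IPv6 packet: ext_headers is a list of (number, raw_bytes),
    each raw header already carrying its own Next Header field."""
    body = b"".join(raw for _, raw in ext_headers) + payload
    first_nh = ext_headers[0][0] if ext_headers else upper_nh
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(body), first_nh, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + body


# Constructed sample: an ICMPv6 (58) packet steered through two hops via RH0.
RH0_SAMPLE = build_ipv6("2001:db8::1", "2001:db8::2",
                        [(ROUTING, rh0(58, ["2001:db8::3", "2001:db8::4"]))],
                        58, b"\x80\x00\x00\x00")
```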

IPv6 Infrastructure Security

DNS issues:

• Performance may be affected due to IPv6’s improper configuration and use.

• IPv6 has less impact on DNS security.

Mobile IP:

• Need for authenticated, dynamic registration.

• Firewalls need to control use of routing and home address headers.

IPsec

IP security, or IPsec, is a framework of open standards developed by the Internet Engineering Task Force (IETF).

IPsec provides secure transmission of sensitive data over an unprotected medium, like the Internet.

From the network layer, IPsec protects and authenticates IP packets.

Network security services that IPsec provides are:

• Data confidentiality.

• Data integrity.

• Data origin authentication.

• Anti-replay.
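Of the four services listed, anti-replay is the one that is easiest to show in a few lines. The following is an added example (not EC-Council's code) of the receiver-side sliding window described for ESP in RFC 4303: the window size of 64 and the sample arrival order are my own choices.

```python
class AntiReplayWindow:
    """Sliding-window replay check modelled on the ESP receiver in RFC 4303.

    `right_edge` is the highest sequence number accepted so far; bit k of
    `bitmap` records whether sequence number right_edge - k has already been
    accepted.  RFC 4303 requires a window of at least 32 packets and
    recommends 64.
    """

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("window must hold at least 32 packets")
        self.size = size
        self.mask = (1 << size) - 1
        self.right_edge = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is new and inside the window;
        return False (drop) for replays and for packets left of the window."""
        if seq == 0:
            return False  # the first packet on a fresh SA carries sequence number 1
        if seq > self.right_edge:
            # Slide the window right; history older than `size` falls off.
            shift = seq - self.right_edge
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.right_edge = seq
            return True
        offset = self.right_edge - seq
        if offset >= self.size:
            return False  # too old to be tracked: treated like a replay
        if self.bitmap & (1 << offset):
            return False  # already accepted once
        self.bitmap |= 1 << offset
        return True


def filter_replays(seqs, size: int = 64):
    """Run received ESP sequence numbers through one window and return the
    list of (seq, accepted) decisions."""
    window = AntiReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in seqs]


# Constructed receive order: reordering inside the window is accepted, a
# repeated number is a replay, and a number 64 or more behind the edge is dropped.
SAMPLE_ORDER = [1, 2, 4, 3, 3, 70, 6, 2, 200, 137, 136]
```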

Firewalls and Packet Filtering

Packet filtering:

• Is a process of controlling network traffic by checking every transmitted packet against a predefined security policy.

• Uses rules based on source and destination addresses, but there is a restricted scope for some of the IPv6 addresses.

• Basic IP filtering is still in wide use at the border of networks.

IPv6 firewalling:

• A firewall is an IP packet filter that enforces filtering and security policies on the flowing network traffic.

• Using firewalls in IPv6 is still the best way of protection from low-level attacks at the network and transport layers.

Firewalls and Packet Filtering (cont’d)

IPv6 firewall usage 1:

• “Internet-router-firewall-net architecture”: This order is compatible if the firewall is ready for distinguishing IPv6.

(Figure: Internet – Router – Firewall – Protected Network)

IPv6 firewall usage 2:

• “Internet-firewall-router-net architecture”: This order cannot handle routing protocols properly.

(Figure: Internet – Firewall – Router – Protected Network)

Firewalls and Packet Filtering (cont’d)

IPv6 firewall usage 3:

• “Internet-firewall/router (edge device)-net architecture”: This order can be powerful for routing and security policy.

(Figure: Internet – Firewall + Router – Protected Network)

Denial-of-Service (DoS) Attacks

A DoS attack is a common method used by attackers to disrupt system response.

SYN flooding is a type of DoS attack.

SYN flooding exploits the normal three-way handshake.

Malicious flooding by large volumes of TCP SYN packets to the victim’s system with spoofed source IP addresses can cause a DoS.

DoS SYN Flooding Attack

A DoS SYN flooding attack takes advantage of a flaw in how most hosts implement the TCP three-way handshake.

Normal connection establishment (figure: Host A and Host B):

When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" for at least 75 seconds.

SYN Flooding:

A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK.

The victim’s listen queue is quickly filled up.

This ability of removing a host from the network for at least 75 seconds can be used as a DoS attack.
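From the defender's side, the symptom described above is a listen queue full of half-open entries from sources that never send the final ACK. The following is an added detection example (not from the EC-Council module) that tracks half-open connections in a list of constructed flow summaries and raises an alert when a service's backlog of never-completing SYNs passes a threshold; the record format, the threshold and the sample addresses are my own assumptions.

```python
from collections import defaultdict

# Flow summaries as (time_s, src_ip, dst_ip, dst_port, tcp_flags).  Flags use
# tcpdump-style letters: "S" SYN, "SA" SYN+ACK, "A" ACK, "R" RST.  The 75 s
# window is the minimum listen-queue hold time quoted on the slide.


def half_open_connections(packets, now, window=75.0):
    """Return {(dst, dport): set(src)} of SYNs still waiting for the client's
    handshake ACK at time `now`, ignoring entries older than `window`."""
    pending = {}
    for t, src, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        key = (src, dst, dport)
        if flags == "S":
            pending[key] = t                 # server will answer SYN&ACK and wait
        elif key in pending and ("A" in flags or "R" in flags):
            del pending[key]                 # handshake completed or aborted
    result = defaultdict(set)
    for (src, dst, dport), t in pending.items():
        if now - t <= window:
            result[(dst, dport)].add(src)
    return dict(result)


def flag_syn_flood(packets, now, threshold=50, window=75.0):
    """List (dst, dport, half_open_count) for services whose half-open backlog
    meets the threshold; a spoofed flood shows many distinct sources that
    never complete the handshake."""
    report = half_open_connections(packets, now, window)
    return [(dst, dport, len(srcs))
            for (dst, dport), srcs in sorted(report.items())
            if len(srcs) >= threshold]


def constructed_sample():
    """Constructed traffic: three clients that complete the three-way handshake
    followed by 60 SYNs from spoofed sources that never answer the SYN&ACK."""
    pkts = []
    for i in range(3):
        client, cport = "198.51.100.%d" % (10 + i), 40000 + i
        pkts += [(i, client, "192.0.2.1", 80, "S"),
                 (i + 0.1, "192.0.2.1", client, cport, "SA"),
                 (i + 0.2, client, "192.0.2.1", 80, "A")]
    for i in range(60):
        pkts.append((5 + i * 0.05, "203.0.113.%d" % (i + 1), "192.0.2.1", 80, "S"))
    return pkts
```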

UDP Operation

UDP does not use windowing or acknowledgments, so application layer protocols must provide error detection.

The Source Port field is an optional field used only if information needs to return to the sending host.

When a destination router receives a routing update, the source router is not requesting anything, so nothing needs to return to the source.

This is regarding only RIP updates: BGP uses TCP, IGRP is sent directly over IP. EIGRP and OSPF are also sent directly over IP with their own way of handling reliability.

UDP Operation (cont’d)


IP Header Protocol Field

IP Header (bits 0-15 | bits 16-31):

4-bit Version | 4-bit Header Length | 8-bit Type Of Service (TOS) | 16-bit Total Length (in bytes)

16-bit Identification | 3-bit Flags | 13-bit Fragment Offset

8-bit Time To Live (TTL) | 8-bit Protocol | 16-bit Header Checksum

32-bit Source IP Address

32-bit Destination IP Address

Options (if any)

Data

Internet Control Message Protocol (ICMP)

IP is an unreliable method for delivery of network data.

IP does not notify the sender of failed data transmission.

Internet Control Message Protocol (ICMP) is the component of the TCP/IP protocol stack that addresses this basic limitation of IP.

ICMP does not overcome the unreliability issues in IP.

Reliability must be provided by upper layer protocols (TCP or the application) if it is required.

Error Reporting and Error Correction

When datagram delivery errors occur, ICMP reports the following errors back to the source of the datagram:

(Figure: Workstation 1 sends a datagram to Workstation 6. Fa0/0 on Router C goes down. Router C then utilizes ICMP to send a message back to Workstation 1 indicating that the datagram could not be delivered.)

ICMP does not correct the encountered network problem.

Router C knows only the source and destination IP addresses of the datagram.

ICMP reports on the status of the delivered packet only to the source device.

ICMP Message Delivery

ICMP messages are encapsulated into datagrams.

They follow the same technique used by IP to deliver data, and are subject to the same delivery failures as any IP packet.

This creates a scenario where error reports could generate more error reports.

This causes increased congestion on an already ailing network.

Errors created by ICMP messages do not generate their own ICMP messages.

Thus, it is possible to have a datagram delivery error that is never reported back to the sender of the data.

Format of an ICMP Message

Type Field

Type    Name
----    -------------------------
0       Echo Reply
1       Unassigned
2       Unassigned
3       Destination Unreachable
4       Source Quench
5       Redirect
6       Alternate Host Address
7       Unassigned
8       Echo
9       Router Advertisement
10      Router Solicitation
11      Time Exceeded
12      Parameter Problem
13      Timestamp
14      Timestamp Reply
15      Information Request
16      Information Reply
17      Address Mask Request
18      Address Mask Reply
19      Reserved (for Security)
20-29   Reserved (for Robustness Experiment)
30      Traceroute
31      Datagram Conversion Error
32      Mobile Host Redirect
33      IPv6 Where-Are-You
34      IPv6 I-Am-Here
35      Mobile Registration Request
36      Mobile Registration Reply
37      Domain Name Request
38      Domain Name Reply
39      SKIP
40      Photuris
41-255  Reserved

Format of an ICMP Message (cont’d)

Code Field

Type 3: Destination Unreachable

Codes
0   Net Unreachable
1   Host Unreachable
2   Protocol Unreachable
3   Port Unreachable
4   Fragmentation Needed and Don't Fragment was Set
5   Source Route Failed
6   Destination Network Unknown
7   Destination Host Unknown
8   Source Host Isolated
9   Communication with Destination Network is Administratively Prohibited
10  Communication with Destination Host is Administratively Prohibited
11  Destination Network Unreachable for Type of Service
12  Destination Host Unreachable for Type of Service
13  Communication Administratively Prohibited
14  Host Precedence Violation
15  Precedence cutoff in effect
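The IP header layout on the IP Header Protocol Field slide and the ICMP type and code tables above can be put together into a small decoder. This is an added example, not code from the EC-Council module: it parses the fixed IPv4 header, verifies the header checksum, checks that the Protocol field is 1, then decodes the ICMP type, code, checksum, identifier and sequence number and names them from the tables; the sample packet is constructed in the block and the type-name dictionaries hold only the subset of the table used here.

```python
import struct

# Subset of the Type Field table and the Type 3 code table from the slides.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
              13: "Timestamp", 14: "Timestamp Reply", 17: "Address Mask Request",
              18: "Address Mask Reply"}
UNREACHABLE_CODES = {0: "Net Unreachable", 1: "Host Unreachable",
                     2: "Protocol Unreachable", 3: "Port Unreachable",
                     4: "Fragmentation Needed and Don't Fragment was Set",
                     13: "Communication Administratively Prohibited"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by both the IP header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header laid out on the IP Header slide."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"ihl": ihl, "tos": tos, "total_length": total_len, "id": ident,
            "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            # an intact header (checksum field included) sums to zero
            "checksum_ok": inet_checksum(packet[:ihl]) == 0,
            "payload": packet[ihl:total_len]}


def parse_icmp(payload: bytes) -> dict:
    """Decode type, code, checksum and the echo identifier/sequence fields."""
    if len(payload) < 8:
        raise ValueError("truncated ICMP message")
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", payload[:8])
    return {"type": itype, "type_name": ICMP_TYPES.get(itype, "Unassigned/Reserved"),
            "code": code,
            "code_name": UNREACHABLE_CODES.get(code) if itype == 3 else None,
            "id": ident, "seq": seq, "data": payload[8:],
            "checksum_ok": inet_checksum(payload) == 0}


def describe(packet: bytes) -> dict:
    """Full decode of an IP packet that must carry ICMP (Protocol field = 1)."""
    ip = parse_ipv4(packet)
    if ip["protocol"] != 1:
        raise ValueError("IP protocol field is %d, not 1 (ICMP)" % ip["protocol"])
    return {"ip": ip, "icmp": parse_icmp(ip["payload"])}


def build_icmp(itype: int, code: int, ident: int, seq: int, data: bytes = b"") -> bytes:
    """Constructed ICMP message with a correct checksum."""
    msg = struct.pack("!BBHHH", itype, code, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def build_echo_request(src: str, dst: str, ident: int, seq: int, data: bytes,
                       ttl: int = 64) -> bytes:
    """Constructed ping packet (Echo, Type 8) with DF set; not a real capture."""
    icmp = build_icmp(8, 0, ident, seq, data)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000,
                      ttl, 1, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


SAMPLE = build_echo_request("192.0.2.10", "192.0.2.1", 0x0BEE, 1, b"abcdefgh")
```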

Unreachable Networks

Network communication depends upon certain basic conditions being met:

• Sending and receiving devices must have the TCP/IP protocol stack properly configured:

• Proper configuration of IP address and subnet mask.

• A default gateway must also be configured if datagrams are to travel outside of the local network.

• A router also must have the TCP/IP protocol properly configured on its interfaces, and it must use an appropriate routing protocol.

• If these conditions are not met, then network communication cannot take place.

Unreachable Networks (cont’d)

Examples of problems:

• Sending device may address the datagram to a non-existent IP address.

• Destination device that is disconnected from its network.

• Router’s connecting interface is down.

• Router does not have the information necessary to find the destination network.

Destination Unreachable Message

If datagrams cannot always be forwarded to their destinations, ICMP delivers back to the sender a destination unreachable message indicating to the sender that the datagram could not be properly forwarded.

A destination unreachable message may also be sent when packet fragmentation is required in order to forward a packet:

• Fragmentation is usually necessary when a datagram is forwarded from a token-ring network to an Ethernet network.

• If the datagram does not allow fragmentation, the packet cannot be forwarded, so a destination unreachable message will be sent.

Destination unreachable messages may also be generated if IP-related services such as FTP or web services are unavailable.

ICMP Echo (Request) and Echo Reply

Echo = Type 8

Echo Reply = Type 0

(Figure: frame layout of an ICMP echo packet)

Ethernet Header (Layer 2): Ethernet Destination Address (MAC) | Ethernet Source Address (MAC) | Frame Type

IP Header (Layer 3): Source IP Add. | Dest. IP Add. | Protocol field (IP Protocol Field = 1)

ICMP Message (Layer 3): Type (0 or 8) | Code (0) | Checksum | ID | Seq. Num. | Data

Ether. Tr.: FCS

The echo request message is typically initiated using the ping command.

Time Exceeded Message

(Figure: the IPv4 header layout from the IP Header Protocol Field slide, with the 8-bit Time To Live (TTL) field called out.)

ICMP Time Exceeded: Type = 11

A TTL value is defined in each datagram (IP packet).

As each router processes the datagram, it decreases the TTL value by one.

When the TTL value of the datagram reaches zero, the packet is discarded.

ICMP uses a time exceeded message to notify the source device that the TTL of the datagram has been exceeded.

IP Parameter Problem

ICMP Parameter Problem: Type = 12

Devices that process datagrams may not be able to forward a datagram due to some type of error in the header.

This error does not relate to the state of the destination host or network, but still prevents the datagram from being processed and delivered.

An ICMP type 12 parameter problem message is sent to the source of the datagram.

ICMP Control Messages

Unlike error messages, control messages are not the results of lost packets or error conditions which occur during packet transmission.

Instead, they are used to inform hosts of conditions such as:

Network congestion.

Existence of a better gateway to a remote network.

ICMP Redirects

ICMP Redirect: Type = 5, Code = 0 to 3

Default gateways only send ICMP redirect/change request messages if the following conditions are met:

• The interface on which the packet comes into the router is the same interface on which the packet gets routed out.

• The subnet/network of the source IP address is the same subnet/network of the next-hop IP address of the routed packet.

• The datagram is not source-routed.

• The route for the redirect is not another ICMP redirect or a default route.

• The router is configured to send redirects.
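The five conditions above can be checked mechanically against a router's interface and route tables. The following is an added example (not from the EC-Council module) that models a default gateway applying them in order to a forwarded packet and reports which condition blocked the redirect; the route table format, the `kind` labels and the `send_redirects` switch are my own assumptions, and directly connected networks are left out of the sample table for brevity.

```python
import ipaddress


class Router:
    """Minimal model of a default gateway deciding whether to send an ICMP
    Redirect (Type 5) for a packet it has just forwarded."""

    def __init__(self, interfaces, routes, send_redirects=True):
        # interfaces: {name: "address/prefix"}
        # routes: [(prefix, next_hop, out_interface, kind)] with kind one of
        #         "static", "redirect" (learned from an ICMP redirect), "default"
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh), iface, kind)
                       for p, nh, iface, kind in routes]
        self.send_redirects = send_redirects

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop, out_iface, kind) or None."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def redirect_decision(self, src, dst, in_iface, source_routed=False):
        """Apply the slide's conditions; return (send_redirect, reason)."""
        if not self.send_redirects:
            return False, "router is not configured to send redirects"
        route = self.lookup(dst)
        if route is None:
            return False, "no route: a Destination Unreachable is sent instead"
        network, next_hop, out_iface, kind = route
        if out_iface != in_iface:
            return False, "packet leaves on a different interface than it arrived"
        link = self.interfaces[out_iface].network
        if ipaddress.ip_address(src) not in link or next_hop not in link:
            return False, "source and next hop are not on the same subnet"
        if source_routed:
            return False, "datagram is source-routed"
        if kind == "redirect" or network.prefixlen == 0:
            return False, "route was learned via a redirect or is the default route"
        return True, "redirect host %s to gateway %s for %s" % (src, next_hop, network)


def example_router():
    """Constructed two-interface gateway (documentation address ranges)."""
    return Router({"eth0": "192.0.2.1/24", "eth1": "198.51.100.1/24"},
                  [("10.0.0.0/8", "192.0.2.254", "eth0", "static"),
                   ("172.16.0.0/12", "192.0.2.253", "eth0", "redirect"),
                   ("0.0.0.0/0", "198.51.100.254", "eth1", "default")])
```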

Clock Synchronization and Transit Time EstimationTransit Time Estimation

ICMP Timestamp Request: Type = 13 or 14

The TCP/IP protocol suite allows systems to connect to one another over vast distances through multiple networks.

Each of these individual networks provides clock synchronization in its own way.

As a result, hosts on different networks that are trying to communicate using software that requires time synchronization can sometimes encounter problems.

The ICMP timestamp message type is designed to help alleviate this problem.

The ICMP timestamp request message allows a host to ask for the current time according to the remote host.

The remote host uses an ICMP timestamp reply message to respond to the request.

Clock Synchronization and Transit Time Estimation (cont’d)

All ICMP timestamp reply messages contain the originate, receive, and transmit timestamps.

Using these three timestamps, the host can estimate transit time across the network by subtracting the originate time from the transmit time.

It is only an estimate, however, as true transit time can vary widely based on traffic and congestion on the network.

The host that originated the timestamp request can also estimate the local time on the remote computer.

While ICMP timestamp messages provide a simple way to estimate time on a remote host and total network transit time, this is not the best way to obtain this information.

Instead, more robust protocols such as Network Time Protocol (NTP) at the upper layers of the TCP/IP protocol stack perform clock synchronization in a more reliable manner.

Information Requests and Reply Message Formats

ICMP Information Request/Reply: Type = 15 or 16

The ICMP information request and reply messages were originally intended to allow a host to determine its network number.

This particular ICMP message type is considered obsolete.

Other protocols, such as BOOTP and Dynamic Host Configuration Protocol (DHCP), are now used to allow hosts to obtain their network numbers.

Address Masks

ICMP Address Mask Request/Reply: Type = 17 or 18

The subnet mask is crucial in identifying network, subnet, and host bits in an IP address.

If a host does not know the subnet mask, it may send an address mask request to the local router.

If the address of the router is known, this request may be sent directly to the router.

Otherwise, the request will be broadcast.

When the router receives the request, it will respond with an address mask reply.

Router Solicitation and Advertisement

ICMP Router Solicitation: Type = 10

ICMP Router Advertisement: Type = 9

When a host on the network boots, and the host has not been manually configured with a default gateway, it can learn of available routers through the process of router discovery.

This process begins with the host sending a router solicitation message to all routers, using the multicast address 224.0.0.2 as the destination address (it may also be broadcast).

When a router that supports the discovery process receives the router discovery message, a router advertisement is sent in return.

Summary

In this module, we reviewed advanced techniques for TCP/IP packet analysis.

We have studied the TCP/IP model of networking by:

• Comparing OSI and TCP/IP.

We have discussed the addressing, subnetting, and windowing of TCP/IP packets.

We have discussed TCP/IP protocols, TCP and UDP port numbers, TCP and UDP operation, sequencing numbers, and ICMP and ICMP control messages.