Understanding & Reading Packets
Reading packets can be invaluable to security professionals, especially when trying to understand how NIDS/NIPS or other packet-filtering devices work.
I've found this useful in analysing attack packet dumps from NIDS/NIPS.
Before we proceed, a little refresher on what makes up the TCP/IP protocol stack:
A concept of encapsulation allows a degree of modularity between "lower" level protocols (e.g. Ethernet) and "higher" level protocols (e.g. IP, TCP and even application-level protocols such as DNS).
Protocols are encapsulated as "data" when they move down the protocol stack and are de-encapsulated when moving up the protocol stack. An example is shown below.
As the DNS datagram gets passed down the stack, it is encapsulated into a UDP datagram, then an IP packet, then an Ethernet frame. When the receiving host gets the frame, the link layer de-encapsulates (strips) its header and passes the remaining datagram up to the higher-level protocol, and each layer repeats this in turn.
A closer representation of an IP packet would be as follows:
Image Source: Institute for Applied Computational Science, Harvard University
Sample Packet 1
The sample packet above is represented in hexadecimal.
At this point, having a cheat sheet such as the one from SANS would help us in deciphering the IP packet.
The first byte, at offset 0 in the packet, has the value 0x45. From the header layout above, we can see that the higher-order nibble (0x4) is the IP version, which is IPv4.
The lower-order nibble (0x5) is the length of the IP header, measured in 32-bit (4-byte) words. In other words, the total length of the IP header is 5*4 = 20 bytes. Skipping ahead to the protocol byte (offset 9), we can see that this packet has an ICMP packet encapsulated.
Using the TCP/IP Cheatsheet, you should be able to decipher the sample packet and determine that this is an IPv4 Packet, with ICMP as an encapsulated protocol. Specifically, this ICMP packet is an echo request, from IP address 127.0.0.1 (hint: 0x7f000001 is hex for 127.0.0.1). The TTL for this IP packet is 64 (0x40 at offset 8).
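The walkthrough above is exactly what a small decoder does mechanically. The following is an added example (not code from the original post or from the SANS cheat sheet): it takes a hex dump, pulls out the version nibble, IHL, TTL, protocol byte and addresses from the IPv4 header, verifies the header checksum, and, for protocol 1, decodes the ICMP header that follows. The hex string `SAMPLE_HEX` is a constructed IPv4/ICMP echo request from 127.0.0.1 to 127.0.0.1 with TTL 64, assembled for this example; it is not the page's Sample Packet 1, which is only shown as an image.

```python
import struct
from typing import Any, Dict

# Constructed sample (not the page's Sample Packet 1): IPv4 / ICMP echo request
# from 127.0.0.1 to 127.0.0.1 with TTL 64, hand-assembled for this example.
SAMPLE_HEX = (
    "4500 001c 1234 4000 4001 2aab 7f00 0001 7f00 0001 "  # 20-byte IPv4 header
    "0800 f7fd 0001 0001"                                 # 8-byte ICMP echo request
)

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # odd trailing byte is zero-padded
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> Dict[str, Any]:
    """Decode the IPv4 header fields that the hand walkthrough reads byte by byte."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    version = packet[0] >> 4                 # high-order nibble of byte 0
    ihl_words = packet[0] & 0x0F             # low-order nibble, in 32-bit words
    if version != 4:
        raise ValueError(f"not IPv4: version nibble is {version}")
    header_len = ihl_words * 4
    if header_len < 20 or len(packet) < header_len:
        raise ValueError(f"bad IHL {ihl_words}: header would be {header_len} bytes")
    total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack("!HHHBBH", packet[2:12])
    header = packet[:header_len]
    return {
        "version": version,
        "header_len": header_len,
        "options_len": header_len - 20,      # non-zero only when IHL > 5
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,                          # byte at offset 8
        "protocol": PROTOCOL_NAMES.get(proto, str(proto)),  # byte at offset 9
        "checksum_ok": internet_checksum(header) == 0,      # a valid header sums to 0
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "truncated": len(packet) < total_len,  # capture shorter than declared length
        "payload": packet[header_len:total_len],
    }


def parse_icmp(payload: bytes) -> Dict[str, Any]:
    """Decode the 8-byte ICMP header that follows the IP header when protocol == 1."""
    if len(payload) < 8:
        raise ValueError("truncated: an ICMP header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", payload[:8])
    return {
        "type": icmp_type,
        "type_name": ICMP_TYPES.get(icmp_type, "other"),
        "code": code,
        "id": ident,
        "seq": seq,
        "checksum_ok": internet_checksum(payload) == 0,
    }


def decode(hex_dump: str) -> Dict[str, Any]:
    """Turn a hex dump (whitespace allowed) into a nested description of the packet."""
    packet = bytes.fromhex(hex_dump)         # bytes.fromhex ignores whitespace
    ip = parse_ipv4(packet)
    if ip["protocol"] == "ICMP" and not ip["truncated"]:
        ip["icmp"] = parse_icmp(ip["payload"])
    return ip


if __name__ == "__main__":
    for key, value in decode(SAMPLE_HEX).items():
        if key != "payload":
            print(f"{key:>16}: {value}")
```

Pasting a hex dump from a NIDS alert into `decode()` gives the same answers the cheat sheet does by hand (version 4, 20-byte header, TTL 64, ICMP echo request from 127.0.0.1); a checksum that does not verify, or a declared total length longer than the captured bytes, is worth noting before trusting the rest of the fields, since crafted or truncated packets are common in attack dumps.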
Reading packets comes more easily once you have worked through a few different types. I have included some screenshots below.
Sample Packet 2
Sample Packet 3
Sample Packet 4
Sample Packet 5
Shared by Mike Loh.