Before you analyze network traffic you need to understand how that traffic behaves: how a connection is established, which packets travel across the network, how they are routed, and so on. For that reason, you should know about:
OSI model (MANDATORY!!!). This is the framework of communications. If you don't understand this model…. 😦
Routing protocols. Which ones depends on your needs, but RIP, EIGRP, OSPF and BGP are used a lot, and you will meet MPLS alongside them (strictly a label-switching forwarding technique rather than a routing protocol).
Common ports (DNS, HTTP, Telnet, FTP…).
Subnetting. Keep the concepts and all the address classes in mind. There are a lot of subnet calculators that can help, but you should know how it works.
Today I will explain a TCP segment: the TCP header and the data it carries.
TCP is a connection-oriented transport layer protocol used by applications that require reliable, in-order delivery. On the wire a segment sits inside an IP packet inside a link-layer frame:
| MAC header | IP header | TCP header | Data |
Source Port. 16 bits.
Destination Port. 16 bits.
Sequence Number. 32 bits.
The sequence number of the first data byte in this segment. If the SYN bit is set, the sequence number is the initial sequence number and the first data byte is initial sequence number + 1.
Acknowledgment Number. 32 bits.
If the ACK bit is set, this field contains the value of the next sequence number the sender of the segment is expecting to receive. Once a connection is established this is always sent.
Data Offset. 4 bits.
The number of 32-bit words in the TCP header, which tells you where the data begins. The header length is always a multiple of 32 bits, so valid values run from 5 (a 20-byte header with no options) to 15 (60 bytes). A parser should reject anything smaller than 5 or larger than the segment itself.
Reserved. 3 bits.
Must be cleared to zero. (RFC 793 reserved 6 bits here; RFC 3168 took two of them for CWR and ECE and RFC 3540 one for NS. RFC 8311 later made the nonce sum Historic, so the current TCP specification, RFC 9293, shows 4 reserved bits again.)
ECN, Explicit Congestion Notification. 3 bits.
Added in RFC 3168.
| 0 | 1 | 2 |
| N | C | E |
N, NS, Nonce Sum. 1 bit.
Added in RFC 3540. This is an optional field added to ECN intended to protect against accidental or malicious concealment of marked packets from the TCP sender.
C, CWR, Congestion Window Reduced. 1 bit.
Set by the data sender to tell the receiver that it has reduced its congestion window in response to an ECE.
E, ECE, ECN-Echo. 1 bit.
During the handshake it is set together with CWR in the SYN (and alone in the SYN-ACK) to negotiate ECN; afterwards the receiver sets it to report that an IP packet arrived with the CE (Congestion Experienced) codepoint.
Control Bits. 6 bits.
| 0 | 1 | 2 | 3 | 4 | 5 |
| U | A | P | R | S | F |
U, URG. 1 bit.
Urgent pointer valid flag.
A, ACK. 1 bit.
Acknowledgment number valid flag.
P, PSH. 1 bit.
Push function: the receiver should hand the data to the application right away instead of waiting to fill its buffer.
R, RST. 1 bit.
Reset connection flag.
S, SYN. 1 bit.
Synchronize sequence numbers flag.
F, FIN. 1 bit.
End of data flag.
Window. 16 bits, unsigned.
The number of data bytes beginning with the one indicated in the acknowledgment field which the sender of this segment is willing to accept.
Checksum. 16 bits.
This is computed as the 16-bit one's complement of the one's complement sum of a pseudo header built from IP header fields, the TCP header and the data, padded with a zero byte at the end if needed to make an even number of bytes (the pad is not transmitted). The checksum field itself is taken as zero while computing. The pseudo header contains the following fields:
| Source IP address |
| Destination IP address |
| 0 | IP protocol (6 for TCP) | TCP length |
TCP length is the length of the TCP header plus data in bytes; it is not the IP Total Length field, which also counts the IP header.
Urgent Pointer. 16 bits, unsigned.
If the URG bit is set, this field is an offset from the sequence number giving the last byte of urgent data (RFC 1122's reading; the RFC 793 text said the byte after it, and implementations differ, which is one reason RFC 6093 recommends that new applications do not use urgent data at all).
Options. 0 to 40 bytes.
Options occupy space at the end of the TCP header. All options are included in the checksum. An option may begin on any byte boundary. The TCP header must be padded with zeros to make the header length a multiple of 32 bits.
| Kind | Length | Option | Reference |
|---|---|---|---|
| 0 | 1 | End of option list. | RFC 793 |
| 1 | 1 | No operation. | RFC 793 |
| 2 | 4 | MSS, Maximum Segment Size. | RFC 793 |
| 3 | 3 | WSOPT, Window scale factor. | RFC 1323 (now RFC 7323) |
| 4 | 2 | SACK permitted. | RFC 2018 |
| 5 | Variable | SACK. | RFC 2018, RFC 2883 |
| 6 | 6 | Echo (obsolete). | RFC 1072 |
| 7 | 6 | Echo reply (obsolete). | RFC 1072 |
| 8 | 10 | TSOPT, Timestamp. | RFC 1323 (now RFC 7323) |
| 9 | 2 | Partial Order Connection permitted. | RFC 1693 |
| 10 | 3 | Partial Order service profile. | RFC 1693 |
| 11 | 6 | CC, Connection Count. | RFC 1644 |
| 14 | 3 | Alternate checksum request. | RFC 1146 |
| 15 | Variable | Alternate checksum data. | RFC 1146 |
| 18 | 3 | Trailer Checksum Option. | |
| 19 | 18 | MD5 signature. | RFC 2385 |
| 21 | | Selective Negative Acknowledgements. | |
| 26 | | TCP Compression Filter. | |
| 27 | 8 | Quick-Start Response. | RFC 4782 |
| 28 | 4 | User Timeout. | RFC 5482 |
| 29 | | TCP-AO, TCP Authentication Option. | RFC 5925 |
| 253 | | RFC3692-style Experiment 1. | RFC 4727 |
| 254 | | RFC3692-style Experiment 2. | RFC 4727 |
Kinds 6, 7, 9, 10, 11, 14 and 15 were moved to Historic status by RFC 6247 and should not show up on a modern network. Kind 19 (MD5 signature) is superseded by TCP-AO but is still widely used to protect BGP sessions.
Data. Variable length.
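As an added example (not code from the original post), here is a small Python parser that decodes the fixed header fields described above, walks the options list, and recomputes the checksum over the pseudo header exactly as the checksum section describes. It runs on a constructed IPv4 SYN segment from 10.0.0.1:49152 to 10.0.0.2:443 carrying MSS, SACK-permitted, timestamp, NOP and window-scale options; those addresses, ports, sequence number and option values are made up for the example.

```python
"""TCP header parser and checksum verifier (added example, not from the post)."""
import struct
from typing import Any, Dict, List, Tuple

# The 9 control bits as they sit in the low 9 bits of the offset/flags word:
# bit 0 = FIN ... bit 8 = NS (the RFC 3540 nonce sum).
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
OPTION_NAMES = {2: "MSS", 3: "WSOPT", 4: "SACK-permitted", 5: "SACK",
                8: "TSOPT", 19: "MD5", 28: "UTO", 29: "TCP-AO"}
IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over pseudo header + TCP header + data, checksum field zeroed.

    Pseudo header: source IP, destination IP, a zero byte, protocol 6 and the
    TCP length (header plus data), not the IP Total Length.
    """
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def parse_options(raw: bytes) -> List[Tuple[str, Any]]:
    """Walk the kind/length/value list, decoding the common kinds."""
    opts: List[Tuple[str, Any]] = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                         # EOL: the rest is zero padding
            opts.append(("EOL", None))
            break
        if kind == 1:                         # NOP: one byte, used for alignment
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option kind %d" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        value = raw[i + 2:i + length]
        name = OPTION_NAMES.get(kind, "kind-%d" % kind)
        if kind == 2 and length == 4:
            opts.append((name, struct.unpack("!H", value)[0]))
        elif kind == 3 and length == 3:
            opts.append((name, value[0]))     # shift count: window <<= shift
        elif kind == 8 and length == 10:
            opts.append((name, struct.unpack("!II", value)))   # (TSval, TSecr)
        else:
            opts.append((name, value))
        i += length
    return opts


def parse_tcp(src_ip: bytes, dst_ip: bytes, segment: bytes) -> Dict[str, Any]:
    """Decode the fixed 20-byte header, then the options and payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12             # header length in 32-bit words
    if data_offset < 5 or data_offset * 4 > len(segment):
        raise ValueError("data offset %d is out of range" % data_offset)
    hdr_len = data_offset * 4
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "reserved": (off_flags >> 9) & 0x7,
        "flags": [n for b, n in enumerate(FLAG_NAMES) if off_flags >> b & 1],
        "window": window, "checksum": csum, "urgent_ptr": urg,
        "options": parse_options(segment[20:hdr_len]),
        "payload": segment[hdr_len:],
        "checksum_ok": tcp_checksum(src_ip, dst_ip, segment) == csum,
    }


def build_syn_sample() -> Tuple[bytes, bytes, bytes]:
    """Constructed SYN 10.0.0.1:49152 -> 10.0.0.2:443 with typical options."""
    src_ip, dst_ip = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    options = (struct.pack("!BBH", 2, 4, 1460)            # MSS 1460
               + bytes([4, 2])                            # SACK permitted
               + struct.pack("!BBII", 8, 10, 1000, 0)     # TSOPT TSval=1000, TSecr=0
               + bytes([1])                               # NOP for alignment
               + bytes([3, 3, 7]))                        # WSOPT shift 7
    data_offset = (20 + len(options)) // 4                # 40 bytes -> 10 words
    off_flags = (data_offset << 12) | 0x002               # SYN only
    header = struct.pack("!HHIIHHHH", 49152, 443, 0x11223344, 0,
                         off_flags, 65535, 0, 0) + options
    csum = tcp_checksum(src_ip, dst_ip, header)
    return src_ip, dst_ip, header[:16] + struct.pack("!H", csum) + header[18:]


if __name__ == "__main__":
    s, d, seg = build_syn_sample()
    for k, v in parse_tcp(s, d, seg).items():
        print("%-12s %r" % (k, v))
```

Note that the checksum is only an integrity check against accidental corruption; anyone who can rewrite a segment can recompute it, which is what the MD5 signature and TCP-AO options exist for.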
TCP State machine:
| State | Meaning |
|---|---|
| CLOSE-WAIT | Waits for a connection termination request from the local user, having already received one from the remote host. |
| CLOSED | Represents no connection state at all. |
| CLOSING | Waits for a connection termination request acknowledgment from the remote host. |
| ESTABLISHED | Represents an open connection; data received can be delivered to the user. The normal state for the data transfer phase of the connection. |
| FIN-WAIT-1 | Waits for a connection termination request from the remote host, or an acknowledgment of the connection termination request previously sent. |
| FIN-WAIT-2 | Waits for a connection termination request from the remote host. |
| LAST-ACK | Waits for an acknowledgment of the connection termination request previously sent to the remote host (which includes an acknowledgment of its connection termination request). |
| LISTEN | Waits for a connection request from any remote TCP and port. |
| SYN-RECEIVED | Waits for a confirming connection request acknowledgment after having both received and sent a connection request. |
| SYN-SENT | Waits for a matching connection request after having sent a connection request. |
| TIME-WAIT | Waits for enough time to pass to be sure the remote host received the acknowledgment of its connection termination request. |
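To see how these states connect, here is an added example (not code from the original post) that encodes the RFC 793 transitions and drives a client and a server through the three-way handshake and the four-segment close over a simulated wire. It models only the control flags that move the state machine (SYN, ACK, FIN, RST) and the local events (open, close, TIME-WAIT expiry); sequence numbers and retransmission are deliberately left out, and the `drop` parameter is my own device for losing a segment on the wire.

```python
"""TCP connection state machine for two endpoints (added example, not from the post)."""
from typing import Dict, List, Optional, Set, Tuple

# (current state, event) -> (next state, segment to send to the peer, or None)
TRANSITIONS: Dict[Tuple[str, str], Tuple[str, Optional[str]]] = {
    ("CLOSED", "passive_open"):     ("LISTEN", None),
    ("CLOSED", "active_open"):      ("SYN-SENT", "SYN"),
    ("LISTEN", "recv SYN"):         ("SYN-RECEIVED", "SYN+ACK"),
    ("SYN-SENT", "recv SYN+ACK"):   ("ESTABLISHED", "ACK"),
    ("SYN-RECEIVED", "recv ACK"):   ("ESTABLISHED", None),
    ("ESTABLISHED", "close"):       ("FIN-WAIT-1", "FIN"),
    ("ESTABLISHED", "recv FIN"):    ("CLOSE-WAIT", "ACK"),
    ("FIN-WAIT-1", "recv ACK"):     ("FIN-WAIT-2", None),
    ("FIN-WAIT-1", "recv FIN"):     ("CLOSING", "ACK"),        # simultaneous close
    ("FIN-WAIT-1", "recv FIN+ACK"): ("TIME-WAIT", "ACK"),
    ("FIN-WAIT-2", "recv FIN"):     ("TIME-WAIT", "ACK"),
    ("CLOSING", "recv ACK"):        ("TIME-WAIT", None),
    ("CLOSE-WAIT", "close"):        ("LAST-ACK", "FIN"),
    ("LAST-ACK", "recv ACK"):       ("CLOSED", None),
    ("TIME-WAIT", "timeout"):       ("CLOSED", None),
}


class Endpoint:
    def __init__(self, name: str) -> None:
        self.name, self.state = name, "CLOSED"
        self.trace: List[Tuple[str, str, str]] = []

    def event(self, ev: str) -> Optional[str]:
        """Apply one event and return the segment this side sends in response."""
        if ev == "recv RST":                  # RST aborts any connection state;
            nxt: str = "LISTEN" if self.state == "LISTEN" else "CLOSED"  # LISTEN ignores it
            out: Optional[str] = None
        elif (self.state, ev) in TRANSITIONS:
            nxt, out = TRANSITIONS[(self.state, ev)]
        else:
            raise ValueError("%s: no transition from %s on %r" % (self.name, self.state, ev))
        self.trace.append((self.state, ev, nxt))
        self.state = nxt
        return out


def run(script: List[Tuple[str, str]], drop: Optional[Set[str]] = None) -> Dict[str, object]:
    """Drive client and server through `script`, a list of (side, event).

    Every segment an endpoint emits is handed straight to its peer, which may
    answer in turn. Segment names in `drop` are lost on the wire.
    """
    drop = drop or set()
    sides = {"client": Endpoint("client"), "server": Endpoint("server")}
    for who, ev in script:
        me, peer = sides[who], sides["server" if who == "client" else "client"]
        out = me.event(ev)
        while out is not None and out not in drop:
            me, peer = peer, me               # the recipient becomes the actor
            out = me.event("recv " + out)
    result: Dict[str, object] = {}
    for side, ep in sides.items():
        result[side] = ep.state
        result[side + "_trace"] = ep.trace
    return result


def normal_session() -> Dict[str, object]:
    """Three-way handshake, client-initiated close, then TIME-WAIT expiry."""
    return run([("server", "passive_open"), ("client", "active_open"),
                ("client", "close"), ("server", "close"), ("client", "timeout")])


def half_open_handshake() -> Dict[str, object]:
    """The client's final ACK never arrives, so the server stays in SYN-RECEIVED
    holding state for a connection that will never complete."""
    return run([("server", "passive_open"), ("client", "active_open")], drop={"ACK"})


if __name__ == "__main__":
    for step in normal_session()["client_trace"]:
        print("client: %-12s --%-14s--> %s" % step)
```

The half-open case is worth running: the server is parked in SYN-RECEIVED with per-connection state allocated while the client has moved on, which is exactly the resource a SYN flood exhausts by sending SYNs and never completing the handshake. The `recv RST` path shows the other side of the coin, a single RST dropping any state straight to CLOSED.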