The OSI Model

The OSI model is the industry-standard reference model; it defines the fundamental layers in which computer operating systems implement network communication.

Hosts (nodes)

Host (or node) is a generic term for a computing device connected to a network. Examples of hosts are laptops, servers, smartphones, and video game consoles.

7 Layers

  1. Physical: Bits on wires.
  2. Link: The link layer is responsible for transmission of data frames between two nodes connected by a physical medium. That is, this layer provides node-to-node data transfer -- a link between two directly connected nodes.
  3. Network: The network layer provides the functional and procedural means of transferring packets from one node (host) to another node. Here, the two nodes don't need to be directly connected.
  4. Transport: The protocols of this layer provide host-to-host communication services such as multiplexing (i.e., with different port numbers), connection-oriented communication, reliability, and flow control.
  5. Session: Common functions of this layer include user logon (establishment), name lookup (management), and user logoff (termination).
  6. Presentation: The presentation layer is responsible for transforming application data, such as encryption/decryption and date format conversions, prior to packaging.
  7. Application: The application layer handles all of the application data. A programmer may interface with the next layer down by using the networking API.

Link Layer Protocols

Network interface card

A host with one network interface card (NIC) is identifiable on the Internet by one unique IP address. A host's IP address is determined by the network to which it is connected. The same host could be connected to the network at a local coffee shop and then, later, be connected to a home network. Between the two locations, that host was identified by two different IP addresses. Think of an IP address like a home address. It is based on location.

MAC address

An address not based on location is a physical address, or MAC address. A host's MAC address is permanently assigned to its NIC during manufacture. Unlike an IP address, MAC addresses do not change when a host moves to a different network. Think of a MAC address like an SSN. It is permanently assigned to a person at birth and never changes.

Ethernet and WiFi dominate the way hosts connect to networks now, so new computers typically have both an Ethernet adapter and a WiFi adapter. Each interface has its own unique MAC address, and it is possible for each interface to have its own unique IP address as well. Each interface can connect to a different network and, therefore, possess a different IP address.

Ethernet: IEEE Standard 802.3

At the link layer of the OSI stack, IEEE standard 802.3 specifies communication over Ethernet links.

Each device on the network has a unique Media Access Control (MAC) address, which is used to direct Ethernet packets.

An Ethernet packet consists of a 1 byte preamble followed by the Ethernet header, encapsulated data, and checksum. The last three items are collectively referred to as an Ethernet frame.

Ethernet Frame Format
 0                   1                   2                   3   
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|[               Destination MAC Address (6 bytes)              |
+                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ]|[                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
|                Source MAC Address (6 bytes)                  ]|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type/Length of Data       |[                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
|              Client Data + padding (46-1500 bytes)            |
|                        ....                                  ]|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    CRC Checksum (4 bytes)                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

PCAP Format

PCAP files contain the packet data captured on a network and are used to analyze the network's characteristics. We can use hexdump to see the raw binary data of a PCAP file.
A PCAP file has the following format: a global header, followed by one record per captured packet, where each record is a packet header followed by the packet data.

The global header is 24 bytes. We won't really care much about what's in the global header. If you're curious, check out the documentation.

$ hexdump -C udp.pcap

00000000  d4 c3 b2 a1 02 00 04 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 04 00 01 00 00 00  ac 25 30 61 25 b9 03 00  |.........%0a%...|
00000020  33 00 00 00 33 00 00 00  08 00 27 f3 5c ca 08 00  |3...3.....'.\...|
00000030  27 b3 0c 54 08 00 45 00  00 25 47 c0 40 00 40 11  |'..T..E..%G.@.@.|
00000040  19 ac c0 a8 ac 04 c0 a8  ac 06 8d f8 1e c6 00 11  |................|
00000050  d9 7e 75 64 70 20 74 65  73 74 0a af 25 30 61 ec  |.~udp test..%0a.|
00000060  02 09 00 3c 00 00 00 3c  00 00 00 08 00 27 b3 0c  |...<...<.....'..|
00000070  54 08 00 27 f3 5c ca 08  00 45 00 00 22 55 bf 40  |T..'.\...E.."U.@|
00000080  00 40 11 0b b0 c0 a8 ac  06 c0 a8 ac 04 1e c6 8d  |.@..............|
00000090  f8 00 0e 1c d2 77 6f 72  6b 73 0a 00 00 00 00 00  |.....works......|
000000a0  00 00 00 00 00 00 00                              |.......|

Skipping the global header

After skipping the 24-byte global header, the rest of the data contains the two packets (see below).
                                   ac 25 30 61 25 b9 03 00  |.........%0a%...|
00000020  33 00 00 00 33 00 00 00  08 00 27 f3 5c ca 08 00  |3...3.....'.\...|
00000030  27 b3 0c 54 08 00 45 00  00 25 47 c0 40 00 40 11  |'..T..E..%G.@.@.|
00000040  19 ac c0 a8 ac 04 c0 a8  ac 06 8d f8 1e c6 00 11  |................|
00000050  d9 7e 75 64 70 20 74 65  73 74 0a af 25 30 61 ec  |.~udp test..%0a.|
00000060  02 09 00 3c 00 00 00 3c  00 00 00 08 00 27 b3 0c  |...<...<.....'..|
00000070  54 08 00 27 f3 5c ca 08  00 45 00 00 22 55 bf 40  |T..'.\...E.."U.@|
00000080  00 40 11 0b b0 c0 a8 ac  06 c0 a8 ac 04 1e c6 8d  |.@..............|
00000090  f8 00 0e 1c d2 77 6f 72  6b 73 0a 00 00 00 00 00  |.....works......|
000000a0  00 00 00 00 00 00 00

Packet header

The following is the packet header format. Each line contains 32 bits (i.e., 4 bytes). As shown below, a packet header consists of 4 lines, which means 16 bytes in total.
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0  |                      Timestamp (Seconds)                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
4  |           Timestamp (Microseconds or nanoseconds)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
8  |                   Captured Packet Length                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
12 |                   Original Packet Length                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
So, what is 33 00 00 00?
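To make the global header and packet header fields concrete, here is an editor-added Python parser (not part of the original notes) that walks the udp.pcap bytes printed in the hexdump above. It decodes the magic number to pick the byte order, reads the 24-byte global header, then iterates over the 16-byte packet headers. Every captured length is bounded by the snaplen and by the bytes remaining in the file, so a corrupt or hostile capture cannot make the parser read past its buffer. It reads `33 00 00 00` as a little-endian 32-bit integer, which answers the question above: 0x33 = 51 captured bytes.

```python
import struct

# The complete udp.pcap (167 bytes) transcribed from the hexdump above.
UDP_PCAP = bytes.fromhex(
    "d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00"
    "00 00 04 00 01 00 00 00 ac 25 30 61 25 b9 03 00"
    "33 00 00 00 33 00 00 00 08 00 27 f3 5c ca 08 00"
    "27 b3 0c 54 08 00 45 00 00 25 47 c0 40 00 40 11"
    "19 ac c0 a8 ac 04 c0 a8 ac 06 8d f8 1e c6 00 11"
    "d9 7e 75 64 70 20 74 65 73 74 0a af 25 30 61 ec"
    "02 09 00 3c 00 00 00 3c 00 00 00 08 00 27 b3 0c"
    "54 08 00 27 f3 5c ca 08 00 45 00 00 22 55 bf 40"
    "00 40 11 0b b0 c0 a8 ac 06 c0 a8 ac 04 1e c6 8d"
    "f8 00 0e 1c d2 77 6f 72 6b 73 0a 00 00 00 00 00"
    "00 00 00 00 00 00 00"
)

GLOBAL_HEADER_LEN = 24
PACKET_HEADER_LEN = 16
LINKTYPE_ETHERNET = 1

# Magic number -> (struct byte-order prefix, timestamp fraction unit).
# The magic is written in the writer's native byte order, so reading it
# tells us how to interpret every other integer in the file.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
}


def parse_global_header(data):
    """Decode the 24-byte global header at the start of a pcap file."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than the 24-byte global header")
    try:
        endian, ts_unit = MAGICS[data[:4]]
    except KeyError:
        raise ValueError("not a pcap file: unknown magic %s" % data[:4].hex())
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    return {"endian": endian, "ts_unit": ts_unit, "version": (major, minor),
            "thiszone": thiszone, "sigfigs": sigfigs,
            "snaplen": snaplen, "linktype": linktype}


def parse_records(data, header):
    """Walk the packet records (16-byte header + data) after the global header."""
    endian, snaplen = header["endian"], header["snaplen"]
    records, off = [], GLOBAL_HEADER_LEN
    while off < len(data):
        if off + PACKET_HEADER_LEN > len(data):
            raise ValueError("truncated packet header at offset 0x%x" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + PACKET_HEADER_LEN])
        off += PACKET_HEADER_LEN
        # Never trust a length field blindly: a corrupt or hostile capture
        # can claim more bytes than the snaplen, than the original packet,
        # or than the file actually contains.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("implausible captured length %d at offset 0x%x"
                             % (incl_len, off - PACKET_HEADER_LEN))
        if off + incl_len > len(data):
            raise ValueError("packet data truncated at offset 0x%x" % off)
        records.append({"ts_sec": ts_sec, "ts_frac": ts_frac,
                        "incl_len": incl_len, "orig_len": orig_len,
                        "offset": off, "data": data[off:off + incl_len]})
        off += incl_len
    return records


def parse_pcap(data):
    header = parse_global_header(data)
    return header, parse_records(data, header)


if __name__ == "__main__":
    hdr, recs = parse_pcap(UDP_PCAP)
    print("pcap v%d.%d, %s, snaplen %d, linktype %d" % (
        hdr["version"][0], hdr["version"][1],
        "little-endian" if hdr["endian"] == "<" else "big-endian",
        hdr["snaplen"], hdr["linktype"]))
    for i, r in enumerate(recs, 1):
        print("packet %d at offset 0x%02x: %d of %d bytes captured, ts %d.%06d"
              % (i, r["offset"], r["incl_len"], r["orig_len"],
                 r["ts_sec"], r["ts_frac"]))
```

Run as a script it reports two records: 51 of 51 bytes at offset 0x28 and 60 of 60 bytes at offset 0x6b, which matches the two highlighted regions of the hexdump. The `offset` field of each record is exactly where the Ethernet frame begins, so the same records feed directly into a link-layer decoder.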

Actual First Packet

So, below is the actual first packet (the bytes that follow the first packet header, starting at file offset 0x28):
08 00 27 f3 5c ca 08 00  
27 b3 0c 54 08 00 45 00 
00 25 47 c0 40 00 40 11 
19 ac c0 a8 ac 04 c0 a8  
ac 06 8d f8 1e c6 00 11 
d9 7e 75 64 70 20 74 65  
73 74 0a

Analyzing Ethernet frame

The Ethernet frame format is repeated below:
 0                   1                   2                   3   
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|[               Destination MAC Address (6 bytes)              |
+                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ]|[                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
|                Source MAC Address (6 bytes)                  ]|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type/Length of Data       |[                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
|              Client Data + padding (46-1500 bytes)            |
|                        ....                                  ]|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    CRC Checksum (4 bytes)                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The packet data is re-arranged according to the Ethernet frame format:
08 00 27 f3 5c ca               Destination MAC
08 00 27 b3 0c 54               Source MAC
08 00                           Type
45 00 00 25 47 c0 40 00         Client Data 
40 11 19 ac c0 a8 ac 04 
c0 a8 ac 06 8d f8 1e c6 
00 11 d9 7e 75 64 70 20 
74 65 73 74 0a
  • Type "08 00" means that the client data is an IP packet.
  • Check that the destination/source MAC is indeed what Wireshark shows.
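As an added example (editor's code, not from the original notes), the decoder below performs the re-arrangement shown above in Python and goes one step further than the notes, following Type `08 00` into the IPv4 header and the UDP header beneath it. Both packets from the hexdump are embedded. The second is the "works" reply, whose 48 bytes of headers and payload are zero-padded to 60 bytes, which is what the "Client Data + padding (46-1500 bytes)" row of the frame diagram refers to (the 4-byte CRC is not present in the capture). Every length field is bounded by the bytes actually present, the IPv4 header checksum is verified, and trailing padding is reported separately so it is never mistaken for payload.

```python
import struct

ETH_HEADER_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# First packet (51 bytes) as listed under "Actual First Packet" above.
FRAME1 = bytes.fromhex(
    "08 00 27 f3 5c ca 08 00 27 b3 0c 54 08 00 45 00"
    "00 25 47 c0 40 00 40 11 19 ac c0 a8 ac 04 c0 a8"
    "ac 06 8d f8 1e c6 00 11 d9 7e 75 64 70 20 74 65"
    "73 74 0a")
# Second packet (60 bytes) from offset 0x6b of the hexdump: the reply,
# padded with zeros because the frame would otherwise be only 48 bytes.
FRAME2 = bytes.fromhex(
    "08 00 27 b3 0c 54 08 00 27 f3 5c ca 08 00 45 00"
    "00 22 55 bf 40 00 40 11 0b b0 c0 a8 ac 06 c0 a8"
    "ac 04 1e c6 8d f8 00 0e 1c d2 77 6f 72 6b 73 0a"
    "00 00 00 00 00 00 00 00 00 00 00 00")


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def parse_ethernet(frame):
    """Split a frame into the header fields of the diagram above."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src = frame[:6], frame[6:12]
    type_len = struct.unpack("!H", frame[12:14])[0]
    return {
        "dst": mac_str(dst), "src": mac_str(src), "type": type_len,
        # 1536 (0x0600) and above is an EtherType; below that the field
        # is an 802.3 length instead.
        "is_ethertype": type_len >= 0x0600,
        # Bit 0 of the first octet marks multicast/broadcast, bit 1 marks a
        # locally administered (not manufacturer-assigned) address.
        "dst_multicast": bool(dst[0] & 0x01),
        "src_locally_administered": bool(src[0] & 0x02),
        "payload": frame[ETH_HEADER_LEN:],
    }


def ones_complement_sum(data):
    """RFC 1071 checksum; a header whose checksum is intact sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff


def parse_ipv4(data):
    if len(data) < 20:
        raise ValueError("too short for an IPv4 header")
    version, ihl = data[0] >> 4, (data[0] & 0x0f) * 4
    if version != 4 or ihl < 20 or ihl > len(data):
        raise ValueError("not a well-formed IPv4 header")
    total_len, _ident, flags_frag, ttl, proto, _csum = struct.unpack(
        "!HHHBBH", data[2:12])
    # The IP total length, not the frame length, bounds the datagram: bytes
    # after it are link-layer padding, and a value past the buffer is bogus.
    if total_len < ihl or total_len > len(data):
        raise ValueError("IPv4 total length inconsistent with captured bytes")
    if ones_complement_sum(data[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"src": ".".join(str(x) for x in data[12:16]),
            "dst": ".".join(str(x) for x in data[16:20]),
            "ttl": ttl, "proto": proto, "total_len": total_len,
            "dont_fragment": bool(flags_frag & 0x4000),
            "payload": data[ihl:total_len], "trailer": data[total_len:]}


def parse_udp(data):
    if len(data) < 8:
        raise ValueError("too short for a UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", data[:8])
    if length < 8 or length > len(data):
        raise ValueError("UDP length inconsistent with captured bytes")
    return {"sport": sport, "dport": dport, "length": length,
            "payload": data[8:length]}


def decode_frame(frame):
    """Ethernet -> IPv4 -> UDP, stopping at whatever layer is not present."""
    out = {"eth": parse_ethernet(frame)}
    if out["eth"]["is_ethertype"] and out["eth"]["type"] == ETHERTYPE_IPV4:
        out["ip"] = parse_ipv4(out["eth"]["payload"])
        if out["ip"]["proto"] == IPPROTO_UDP:
            out["udp"] = parse_udp(out["ip"]["payload"])
    return out


if __name__ == "__main__":
    for name, frame in (("first packet", FRAME1), ("second packet", FRAME2)):
        d = decode_frame(frame)
        print(name, d["eth"]["src"], "->", d["eth"]["dst"],
              "type 0x%04x" % d["eth"]["type"])
        if "udp" in d:
            print("  %s:%d -> %s:%d %r, %d padding byte(s)" % (
                d["ip"]["src"], d["udp"]["sport"], d["ip"]["dst"],
                d["udp"]["dport"], d["udp"]["payload"], len(d["ip"]["trailer"])))
```

The first packet decodes as 192.168.172.4 sending "udp test" to port 7878 on 192.168.172.6 with no padding; the second is the reply with 12 bytes of trailer, and flipping any header byte makes `parse_ipv4` reject the frame on the checksum. Reporting the trailer separately matters for any tool that feeds payloads onward: the padding belongs to the link layer, not to the application data.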