Link Layer Protocols

Ethernet: IEEE Standard 802.3

At the link layer of the OSI stack, IEEE standard 802.3 specifies communication over Ethernet links.

Each device on the network has a 48-bit Media Access Control (MAC) address, which is used to address Ethernet frames on the local segment. The address is normally unique per interface, but it is set by the sending host and can be changed freely, so nothing at this layer vouches for who actually sent a frame.

An Ethernet packet on the wire consists of a 7-byte preamble and a 1-byte start frame delimiter (SFD), followed by the Ethernet header, the encapsulated data, and a 4-byte frame check sequence (a CRC-32 checksum). The last three items are collectively referred to as an Ethernet frame. The CRC detects accidental corruption only; it is not a cryptographic integrity check and can be recomputed by anyone who modifies the frame.

Common values of the 2-byte Type field, which identifies the protocol carried in the data portion, are as follows:

0x0800	Internet Protocol version 4 (IPv4)
0x0806	Address Resolution Protocol (ARP)
Ethernet Frame Format
 0                   1                   2                   3   
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|[               Destination MAC Address (6 bytes)              |
+                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ]|[                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
|                Source MAC Address (6 bytes)                  ]|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type/Length of Data       |[                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
|              Client Data + padding (46-1500 bytes)            |
|                        ....                                  ]|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    CRC Checksum (4 bytes)                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Address Resolution Protocol (ARP)

ARP maps a known network-layer (Internet) address to the link-layer (hardware) address of the host that owns it (RFC 826). The message format is generic: the Hardware Type and Protocol Type fields, together with the two address-length fields, allow ARP to run over any link type (e.g. Ethernet or Token Ring) and for any network-layer protocol. The Protocol Type field reuses the Ethernet Type values, so 0x0800 means IPv4.
  • ARP request and ARP reply.
    1. When a host needs to send to another host whose IP address it knows but whose hardware address it does not, it broadcasts an ARP request (opcode 1) carrying its own addresses and the target IP address.
    2. Every host on the segment receives the request. The host whose IP address matches the target protocol address sends an ARP reply (opcode 2), unicast to the requester, containing its hardware address; the other hosts ignore the request.
  • A gratuitous ARP message is one whose sender and target protocol addresses are the same. It is sent to announce an address change or a (re)started host so that the other hosts on the network update their ARP caches.
  • ARP carries no authentication. Any host on the segment can answer a request, or send an unsolicited reply or gratuitous ARP, on behalf of another IP address, and hosts that accept such messages end up with poisoned ARP caches (ARP spoofing), which lets the attacker intercept or redirect traffic meant for that address. One simple detection signal is the same IP address being claimed by more than one MAC address.
ARP Message Format
 0                   1                   2                   3   
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Hardware Type         |         Protocol Type         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HW Add Length | Prtcl Add Len |            Opcode             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|[                     Sender Hardware Address                  |
+                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ]|[ Sender Protocol Address      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Sender Protocol Address     ]|[                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
|[                     Target Hardware Address                 ]|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|[                     Target Protocol Address                 ]|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
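As an added example (not part of the original course notes), the following Python builds ARP requests and replies exactly as laid out in the message format above, parses them back out of an Ethernet frame, and runs the conflict check mentioned in the ARP section over a small constructed stream of messages in which a second MAC address claims the gateway's IP. The MAC and IP addresses are made up for the example.

```python
import struct
from collections import defaultdict

# Field values from RFC 826; the addresses used in SAMPLE below are constructed for this example.
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800            # Protocol Type reuses the Ethernet Type numbering
OP_REQUEST, OP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"     # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa (28 bytes)
ETH_FMT = "!6s6sH"             # dst MAC, src MAC, type (14 bytes)
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Return an Ethernet frame (no preamble/FCS) carrying one ARP message.
    Requests go to the broadcast MAC; replies are unicast to the target hardware address."""
    arp = struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    dst = BROADCAST if op == OP_REQUEST else mac_bytes(tha)
    return struct.pack(ETH_FMT, dst, mac_bytes(sha), ETHERTYPE_ARP) + arp

def parse_arp(frame):
    """Parse an Ethernet-encapsulated ARP message into a dict; None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        return None
    _dst, src, etype = struct.unpack(ETH_FMT, frame[:14])
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa),
            "eth_src": mac_str(src), "gratuitous": spa == tpa}

def detect_conflicts(frames):
    """Return {ip: [macs]} for every IP address claimed by more than one MAC address.
    The Ethernet source MAC is counted too, since a spoofer may not bother to make it match the ARP sender field."""
    claims = defaultdict(set)
    for f in frames:
        m = parse_arp(f)
        if m is None:
            continue
        claims[m["spa"]].add(m["sha"])
        claims[m["spa"]].add(m["eth_src"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

# Constructed sample traffic: a normal request/reply for the gateway 192.168.43.1,
# followed by a forged reply in which a third MAC address claims the same IP.
SAMPLE = [
    build_arp(OP_REQUEST, "08:00:27:f3:5c:ca", "192.168.43.6", "00:00:00:00:00:00", "192.168.43.1"),
    build_arp(OP_REPLY,   "52:54:00:12:35:00", "192.168.43.1", "08:00:27:f3:5c:ca", "192.168.43.6"),
    build_arp(OP_REPLY,   "de:ad:be:ef:00:01", "192.168.43.1", "08:00:27:f3:5c:ca", "192.168.43.6"),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(parse_arp(f))
    print("conflicts:", detect_conflicts(SAMPLE))
```

The detector is deliberately naive: a legitimate address change (a host announcing itself with gratuitous ARP after taking over an IP) also shows up as a conflict, so in practice it is combined with timing, a known-good MAC table, or the switch's own ARP inspection.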

Other Link Layer Protocols

There are other link-layer protocols such as Wi-Fi (IEEE 802.11), the Point-to-Point Protocol (PPP), Token Ring, and the Cisco Discovery Protocol (CDP).

Network Layer Protocol: Internet Protocol Version 4 (IPv4)

IPv4 implements Internet addressing and fragmentation (RFC 791). The IP header carries the source and destination addresses, the protocol number of the encapsulated transport header, the time to live, and a header checksum that covers the header only (not the payload).
  • IHL: the Internet Header Length, given in 32-bit words. With no Options in the header the IHL is 5, i.e. a 20-byte header. A parser must reject values below 5 and must never read further than the bytes it actually has, whatever IHL and Total Length claim.
  • Total Length: the length of the entire IP packet (header + payload) in bytes, so the payload length is Total Length minus 4 × IHL.
  • Common values of the Protocol field in the header:
    1       ICMP
    6       TCP
    17      UDP
    
Internet Datagram Header
 0                   1                   2                   3   
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |R D M|      Fragment Offset    |
|                               |S F F|                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IP address

A network consists of two or more computing devices and a certain form of electronic media (e.g. copper wire, radio frequency) through which the computers are able to communicate.

Each device on the network is uniquely identifiable by a 32-bit number, called an IP address. IP addresses are commonly represented in a dotted-quad format, where each byte of the address is converted to decimal and separated by a dot. Example:

00000001 00000010 00000011 00000100 (binary) = 1.2.3.4 in dotted-quad format

Network address

The IP addresses of the devices on the same network are related to the specific network they share. If one were to compare the binary representation of all IP addresses on one network, one would see that several leading bits are identical in every address. Those common bits form the unique identifier for the network, the network address.

Subnet mask

The network address is obtained by bitwise ANDing the network's subnet mask with any one of the IP addresses on that network. A subnet mask always has the form of a run of 1 bits followed by a run of 0 bits:
111...11000...00
For example, 255.255.255.0 is 11111111 11111111 11111111 00000000. To view your IP address and subnet mask, use ip addr (or the older ifconfig) on Linux, or ipconfig on Windows.


Network prefix and CIDR form

The number of leading 1 bits in the subnet mask is the network prefix length; those prefix bits are common to every address on the network. CIDR (Classless Inter-Domain Routing) notation writes the network address followed by a slash and the prefix length, so the network with address 192.168.1.0 and mask 255.255.255.0 is written 192.168.1.0/24.

Unique IP addresses in a given network

The bits not covered by the prefix (the 0 bits of the mask) are what make each address on the network unique. To calculate the total number of addresses in a given network, count the 0 bits in the subnet mask and raise 2 to that power. The result is the total number of addresses in the network, but not all of them can be assigned to hosts: the lowest (the network address) and the highest (the broadcast address) are reserved, so the usable count is normally 2^(zero bits) - 2.

Example: the network 192.168.1.0/24 has mask 255.255.255.0 with 8 zero bits, so it contains 2^8 = 256 addresses. 192.168.1.0 is the network address and 192.168.1.255 the broadcast address, leaving 254 addresses for hosts.
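The subnet arithmetic of the last three subsections, as an added Python example (not part of the original notes) that does the bit manipulation explicitly rather than calling the standard library's ipaddress module: it validates the mask, derives the network address, broadcast address, prefix length, CIDR form and host count, and tells whether two addresses share a network. The addresses in the usage lines are the ones from the packet analysis activity further down; everything else is constructed.

```python
def ip_to_int(dotted):
    """'1.2.3.4' -> 0x01020304, rejecting anything that is not four octets in 0..255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted}")
    octets = [int(p) for p in parts]
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"octet out of range: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_length(mask):
    """Number of leading 1 bits in a subnet mask. A mask that is not of the form 1...10...0 is rejected."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones

def mask_from_prefix(plen):
    """Inverse of prefix_length: /20 -> 255.255.240.0."""
    if not 0 <= plen <= 32:
        raise ValueError(f"prefix length out of range: {plen}")
    return int_to_ip((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF)

def describe_network(ip, mask):
    """Network address (ip AND mask), CIDR form, broadcast address and address counts."""
    plen = prefix_length(mask)
    m = ip_to_int(mask)
    network = ip_to_int(ip) & m
    broadcast = network | (~m & 0xFFFFFFFF)     # host bits all set
    total = 1 << (32 - plen)                    # 2 ** (number of zero bits)
    # Network and broadcast addresses are reserved, except on /31 point-to-point
    # links and /32 single-host routes (RFC 3021), where every address is usable.
    usable = total - 2 if plen <= 30 else total
    return {"network": int_to_ip(network), "cidr": f"{int_to_ip(network)}/{plen}",
            "broadcast": int_to_ip(broadcast), "total": total, "usable": usable}

def same_network(a, b, mask):
    """True when both addresses have the same network address under the given mask."""
    m = ip_to_int(mask)
    return (ip_to_int(a) & m) == (ip_to_int(b) & m)

if __name__ == "__main__":
    print(describe_network("192.168.172.6", "255.255.255.0"))
    print(same_network("192.168.172.6", "192.168.43.1", "255.255.255.0"))
```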

Network Layer Protocol: Internet Control Message Protocol (ICMP)

ICMP provides error and diagnostic messaging for the Internet Protocol. It is a necessary companion to IP because it is how routers and hosts report communication problems back to the sender (RFC 792 for ICMPv4; ICMPv6 was specified in RFC 2463, since replaced by RFC 4443).

Some of the different types of ICMP messages are as follows:

  • Echo Request
  • Echo Reply
  • Destination Host Unreachable
  • Time Exceeded
An ICMP error message carries, as its message body, the IP header and at least the first 8 bytes of the datagram that triggered it, which is enough for the sender to match the error to the socket or connection concerned. Because ICMP is unauthenticated, a receiver should check that the quoted header really matches a datagram it sent before acting on the message.
ICMP header format
 0                   1                   2                   3   
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                         Message Body                          +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Transport Layer Protocols

User Datagram Protocol (UDP)

UDP provides connectionless communication, making no guarantee of data delivery (RFC 768).

  • Multiplexing: UDP uses ports to let several applications on a single host send and receive datagrams independently. The source port field is optional (zero when unused), since UDP itself never requires a reply; an application that expects answers fills it in.
  • Connectionless and lightweight: UDP adds only an 8-byte header and keeps no connection state, which makes it an ideal choice when occasional lost datagrams are acceptable (e.g. streaming video or audio). The same statelessness means nothing verifies a datagram's source address, which is why UDP services are the usual vehicle for spoofed-source amplification attacks.

UDP Header Format
 0                   1                   2                   3   
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Length             |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Transmission control protocol (TCP)

TCP is the connection-oriented transport-layer protocol of the OSI stack (RFC 793).
  • Multiplexing: As with UDP, the source and destination ports are used to support multiple connections within the hosts.
  • Connection-oriented protocol: TCP establishes a connection with a three-way handshake (SYN, SYN-ACK, ACK) before any data is exchanged, maintains it for the life of the session, and tears it down with FIN/ACK exchanges (or aborts it with RST).
  • Reliable, in-order delivery: Every byte sent is numbered. The sequence number gives the stream position of a segment's first byte and the acknowledgment number tells the peer the next byte the receiver expects, so lost segments are retransmitted and out-of-order segments are reassembled correctly. The checksum, computed over the header, the data and an IP pseudo-header, detects corrupted segments.
TCP header format
 0                   1                   2                   3   
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The control flags are used as follows:
  • URG: the Urgent Pointer field is significant.
  • ACK: the Acknowledgment Number field is significant (set on every segment after the initial SYN).
  • PSH: deliver the buffered data to the receiving application without waiting for more.
  • RST: reset (abort) the connection.
  • SYN: synchronize sequence numbers; set only on the first segment sent by each side.
  • FIN: the sender has no more data to send.

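The handshake and the sequence/acknowledgment bookkeeping described above, as an added Python model (not part of the original notes and not a real TCP implementation): it produces the three handshake segments, shows how SYN and FIN consume a sequence number, and implements a minimal receiver that only accepts bytes in order, buffers out-of-order segments and re-acknowledges retransmissions. The initial sequence numbers are constructed; real stacks choose them unpredictably precisely so that a blind attacker cannot guess the values needed to inject into a connection.

```python
# Flag bits in the order they appear in the header diagram (bit 0 = FIN ... bit 5 = URG).
FIN, SYN, RST, PSH, ACK, URG = (1 << i for i in range(6))
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]

def flag_names(flags):
    return [name for i, name in enumerate(FLAG_NAMES) if flags & (1 << i)]

def seq_consumed(flags, payload_len):
    """SYN and FIN each occupy one sequence number; data occupies one per byte."""
    return payload_len + (1 if flags & SYN else 0) + (1 if flags & FIN else 0)

def three_way_handshake(client_isn, server_isn):
    """The three connection-setup segments as (sender, flags, seq, ack).
    The ISNs are constructed inputs here; a real stack picks them randomly."""
    syn     = ("client", SYN,       client_isn,     0)
    syn_ack = ("server", SYN | ACK, server_isn,     client_isn + 1)
    ack     = ("client", ACK,       client_isn + 1, server_isn + 1)
    return [syn, syn_ack, ack]

class Receiver:
    """Minimal in-order reassembly for one direction of a connection.
    deliver() returns the cumulative acknowledgment number the receiver would send back."""

    def __init__(self, peer_isn):
        self.expected = peer_isn + 1      # the peer's SYN consumed one sequence number
        self.pending = {}                 # out-of-order segments keyed by sequence number
        self.data = b""

    def deliver(self, seq, payload):
        end = seq + len(payload)
        if end <= self.expected:
            return self.expected          # pure retransmission: nothing new, re-ACK
        if seq < self.expected:           # partial overlap: keep only the unseen tail
            payload, seq = payload[self.expected - seq:], self.expected
        self.pending[seq] = payload
        while self.expected in self.pending:      # drain every segment that is now in order
            chunk = self.pending.pop(self.expected)
            self.data += chunk
            self.expected += len(chunk)
        return self.expected

if __name__ == "__main__":
    for sender, flags, seq, ack in three_way_handshake(1000, 5000):
        print(f"{sender:6} {'|'.join(flag_names(flags)):8} seq={seq} ack={ack}")
    rx = Receiver(1000)
    print(rx.deliver(1006, b"world"), rx.deliver(1001, b"hello"), rx.data)
```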
Activity: Packet Analysis

Below are the bytes of an Ethernet frame, shown in hex with the byte offset of each row on the left. Fill out the blank fields.
00| 52 54 00 12 35 00 08 00
08| 27 f3 5c ca 08 00 45 00
16| 00 22 0d 0d 40 00 40 11
24| d5 65 c0 a8 ac 06 c0 a8
32| 2b 01 94 a4 09 29 00 0e
40| 58 78 68 61 70 70 79 0a


- Use the hex notation for MAC addresses.

- Use the decimal (base 10) notation for all the other numbers.
dst MAC addr     =

src MAC addr     =

type             = IPv4

version          = 4

ihl              =

IP packet length =
(in total)

protocol         =          (choose from TCP/UDP/ICMP)

src IP           = ___ . ___ . ___ . ___

dst IP           = ___ . ___ . ___ . ___

src port         =

dst port         =

msg              = b"                       "
(in English)
The answer is given in answer.txt.
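Added example, not part of the course materials: a parser for the Ethernet, IPv4, UDP, TCP and ICMP headers drawn on this page, run over the frame printed in the activity above. It does what a careful hand decode does (IHL in 32-bit words, Total Length bounding the payload, the one's-complement header checksum from RFC 1071, the TCP flag bits), and it refuses frames whose length fields do not fit the bytes actually present, which is the first thing any parser exposed to untrusted packets has to get right. The second sample frame (a TCP SYN to port 8000, matching the netcat exercise below) is constructed for the example; build_ipv4 fills in its header checksum. Run it to check your answers rather than reading them off the page.

```python
import struct

# Ethernet frame from the packet-analysis activity (offsets 0-47, no preamble or FCS).
FRAME = bytes.fromhex(
    "52 54 00 12 35 00 08 00 27 f3 5c ca 08 00 45 00 "
    "00 22 0d 0d 40 00 40 11 d5 65 c0 a8 ac 06 c0 a8 "
    "2b 01 94 a4 09 29 00 0e 58 78 68 61 70 70 79 0a "
)

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5 of the flags byte

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ipv4(b):
    return ".".join(str(x) for x in b)

def checksum16(data):
    """RFC 1071 Internet checksum. Run over a header whose checksum field is already
    filled in correctly, it returns 0; run with that field zeroed, it returns the checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frame(frame):
    """Decode one Ethernet frame into a flat dict of header fields (IPv4 payloads are decoded further)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": mac(dst), "src_mac": mac(src), "type": ETHERTYPES.get(etype, f"0x{etype:04x}")}
    if etype == 0x0800:
        out.update(parse_ipv4(frame[14:]))
    return out

def parse_ipv4(pkt):
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    hdr_len = ihl * 4
    # IHL and Total Length come from the wire and may lie: check them against the bytes on hand.
    if version != 4 or ihl < 5 or hdr_len > total_len or total_len > len(pkt):
        raise ValueError("inconsistent IPv4 version/length fields")
    info = {"version": version, "ihl": ihl, "total_length": total_len, "id": ident,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": flags_frag & 0x1FFF, "ttl": ttl,
            "protocol": PROTOCOLS.get(proto, str(proto)),
            "ip_checksum_ok": checksum16(pkt[:hdr_len]) == 0,
            "src_ip": ipv4(src), "dst_ip": ipv4(dst)}
    payload = pkt[hdr_len:total_len]
    if proto == 17 and len(payload) >= 8:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", payload[:8])
        if ulen < 8 or ulen > len(payload):
            raise ValueError("inconsistent UDP length")
        info.update(src_port=sport, dst_port=dport, udp_length=ulen, data=payload[8:ulen])
    elif proto == 6 and len(payload) >= 20:
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", payload[:16])
        data_off = (off_flags >> 12) * 4
        if data_off < 20 or data_off > len(payload):
            raise ValueError("inconsistent TCP data offset")
        info.update(src_port=sport, dst_port=dport, seq=seq, ack=ack, window=win,
                    flags=[n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)],
                    data=payload[data_off:])
    elif proto == 1 and len(payload) >= 4:
        info.update(icmp_type=payload[0], icmp_code=payload[1], data=payload[4:])
    return info

def build_ipv4(src_ip, dst_ip, proto, payload, ttl=64, ident=0, df=True):
    """Build a 20-byte IPv4 header (no options) in front of payload, filling in the header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000 if df else 0,
                      ttl, proto, 0, bytes(int(o) for o in src_ip.split(".")),
                      bytes(int(o) for o in dst_ip.split(".")))
    return hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:] + payload

# Constructed second sample: a TCP SYN from port 40000 to localhost:8000 with no options
# (data offset 5, flags = SYN only), wrapped in an Ethernet frame with zeroed MAC addresses.
TCP_SYN = struct.pack("!HHIIHHHH", 40000, 8000, 12345, 0, (5 << 12) | 0x02, 65535, 0, 0)
TCP_SYN_FRAME = struct.pack("!6s6sH", bytes(6), bytes(6), 0x0800) + build_ipv4("127.0.0.1", "127.0.0.1", 6, TCP_SYN)

if __name__ == "__main__":
    for k, v in parse_frame(FRAME).items():
        print(f"{k:16}= {v!r}")
    print(parse_frame(TCP_SYN_FRAME)["flags"])
```

Only the IP header checksum is verified here; the UDP checksum also covers the payload and a pseudo-header of IP addresses, and in captures taken on the sending host it is frequently wrong or zero because the NIC fills it in after the capture point (checksum offload), so a failing UDP checksum in a local capture is not by itself evidence of tampering.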

Activity: Using Wireshark

This exercise is intended to familiarize you with analyzing some common network protocols through the use of the network monitoring tool, Wireshark. See the setup page for setting up Wireshark.
  1. Start the Wireshark.
    1. Start Wireshark by entering in the terminal:
      wireshark &
    2. Choose the loop-back interface as shown below. Normally one captures on the Ethernet interface rather than the loop-back interface (i.e., traffic inside the localhost), but this activity is set up so that all traffic flows inside the localhost. This way you won't be bothered by other network traffic.

    3. Choose in the menu on top: Capture → Options.
      • In the option window, uncheck the three boxes under Name Resolution.
      • Click the Start button.
  2. Generate and analyze ICMP packets.
    1. In the terminal, execute the following command (use 127.0.0.1 instead of localhost if your system resolves localhost to the IPv6 address ::1, which would produce ICMPv6 rather than ICMPv4 packets):
      ping -c 1 localhost
    2. On Wireshark, click on a packet to view its details. On the bottom pane, you should see the hexadecimal representation of the actual bytes in the packet. The middle pane interprets the bytes from the packet as header fields and each header can be expanded to see more details about its fields.
    3. Look at each header field and make sure you understand what each one means. If you do not know, ask or look it up.
  3. Generate and analyze UDP over IP packets
    1. In the terminal, execute the following:
      nslookup www.google.com 127.0.0.1
    2. On Wireshark, click on the DNS request UDP packet and expand the IP and UDP headers to view the packet structure. Note that Wireshark also interprets/decodes some application data, such as DNS.
    3. Look at each header field and make sure you understand what each one means. If you do not know, ask or look it up.
    4. You will also see an ICMP error packet (Destination Unreachable, code Port Unreachable). This is because nothing on the local host is listening on UDP port 53, so the kernel reports the undeliverable datagram back to the sender.
  4. Generate and analyze TCP over IP packets
    1. In the terminal, execute the following (with the traditional netcat the listen port is given as -p 8000 instead):
      nc -lnv 8000
      Now, in a separate terminal execute the following:
      nc localhost 8000
      Once executed, you may now type stuff and hit enter to send that data to the netcat listener. Type something and hit enter (you should see it pop up on the other terminal).
    2. On Wireshark, click on the TCP packet and expand the IP and TCP headers to view the packet structure. You should notice that once one of the TCP packets is highlighted, Wireshark highlights several others. Wireshark highlights all of the TCP packets associated with the TCP session from start to finish.
      • If you right-click on one of the TCP packets and choose Conversation Filter → TCP, Wireshark will show only TCP packets from that session. You can remove the filter by clicking on Clear near the filter input box.
      • Additionally, if you right-click on one of the TCP packets and choose Follow → TCP Stream, Wireshark will attempt to rebuild all of the data from each packet and display it.

    3. Look at each header field and make sure you understand what each one means. If you do not know, ask or Google to look it up.