In this section we'll talk about some basic packet analysis as it relates to networks.

The first port of call we're going to talk about is TCP. A TCP packet header is structured in a very specific way. The first two bytes of the TCP packet header are the source port, where this particular packet is coming from; the next two bytes are the destination port. Then the next four bytes are the sequence number, followed by the acknowledgment number. Those numbers are important in TCP communications because they help set the session's sequence and the session acknowledgment.

Then the next four bits are the offset. Now, the TCP header typically has those 20 bytes; however, it could have as much as 24 bytes, depending on the options set for TCP. So this section down here, the TCP options, is completely optional, and the offset helps define how big that particular field is so that the rest of the packet can be decoded properly.

The next section is the reserved section. That is completely reserved for future use and is most typically set to zero. And then you have the TCP flags, the next eight bits. The various bits of the TCP flags are defined here. So if a particular packet had both the SYN and the ACK flag set, then the flag value would be 12. If a particular packet had, say, RST and SYN set, then the flag hex value would be 06.

After the flags we have the window size, which is two bytes wide, followed by the checksum and the urgent pointer, and then the TCP options. Now, these packet headers are important to know because they help decode what kind of network traffic is coming in across the wire. The network packets are transmitted in binary, in that hexadecimal format, so without decoding that hexadecimal back into a format that makes more sense to humans, it is hard to read. So we have to know how the packets are structured and how these packet headers are structured, and how to decode that network traffic, so that we know what we're looking at.
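The decoding described above, as an added Python example that is not part of the original lecture: it unpacks the TCP header fields in the order given (ports, sequence, acknowledgment, offset, reserved, flags, window, checksum, urgent pointer, options) and expands the flags byte, so a constructed SYN/ACK decodes to flag value 0x12. The sample bytes are made up for the example.

```python
import struct

# TCP flag bits, lowest to highest, as they sit in the 8-bit flags byte
TCP_FLAGS = [
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
]

def flag_names(flags):
    """Expand an 8-bit TCP flags value into the names of the set bits."""
    return [name for bit, name in TCP_FLAGS if flags & bit]

def parse_tcp_header(raw):
    """Decode the fixed 20-byte TCP header plus any options from raw bytes.

    Raises ValueError if the header is too short or the data offset does not
    fit the bytes that were captured.
    """
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    # Network byte order: ports (2x16 bit), seq/ack (2x32 bit), offset+reserved
    # byte, flags byte, then window, checksum and urgent pointer (3x16 bit).
    (sport, dport, seq, ack, off_res, flags,
     window, checksum, urgptr) = struct.unpack("!HHIIBBHHH", raw[:20])
    data_offset = off_res >> 4       # header length in 32-bit words
    header_len = data_offset * 4     # 20 bytes with no options
    if data_offset < 5 or header_len > len(raw):
        raise ValueError("bad data offset %d" % data_offset)
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": header_len, "reserved": off_res & 0x0F,
        "flags": flags, "flag_names": flag_names(flags),
        "window": window, "checksum": checksum, "urgent": urgptr,
        "options": raw[20:header_len],
    }

# Constructed sample: a SYN/ACK from port 443 to port 50000, no options
SAMPLE_SYNACK = bytes.fromhex(
    "01bb" "c350"          # source port 443, destination port 50000
    "00000001"             # sequence number
    "00000002"             # acknowledgment number
    "50" "12"              # data offset 5 (20 bytes), flags 0x12 = SYN+ACK
    "ffff" "0000" "0000"   # window, checksum, urgent pointer
)

if __name__ == "__main__":
    h = parse_tcp_header(SAMPLE_SYNACK)
    print("%d -> %d flags=0x%02x (%s)" % (h["src_port"], h["dst_port"],
                                          h["flags"], "+".join(h["flag_names"])))
```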
UDP is similar to TCP in some ways, but it is a connectionless protocol, so we don't have any of the sequence numbers or acknowledgment numbers, or any of those TCP flags. We just have the source and destination port, as well as the length and the checksum.
IPv4 has its own packet header, and all these packet headers get combined to make essentially one giant header before the actual data of the packet. So whenever a packet is being sent across the wire, it will go down the OSI protocol stack. We'll have the IP packet header added, we'll have the TCP or UDP packet header added, and then we may have an additional packet header such as ICMP or ARP, or maybe it's DNS, or maybe it's another protocol such as SSL. All of those have structured formats to tell the machines on each end of the communication line what kind of packet it is.

So IPv4 starts off with the version number. For IPv4 that version will be set to four; for IPv6 it'll be set to six. It also has a header length, because again we have this IP options field. The IP options are completely optional, so that header length will define how many options there are. Then we have a type of service field as well as the total length.

Other important fields here are the time to live. This is going to be your hop value: how many hops can a packet go before that packet is killed by a network infrastructure device such as a router or a switch? IPv4 will also determine what protocol is being used for a particular packet. So if it's IPv4 as well as TCP, the TCP code will be used in that protocol field. These numbers are decimal numbers; that protocol field is going to be in hexadecimal when you actually look at a packet coming across the wire. The source and destination address here are the source and destination IP addresses, and then we have the IP options, as I was saying.

IPv6 is a little bit simpler. It still has that version number, because that version is the first thing that is going to be looked at to determine which type of packet it has to decode. Then, to account for the longer addresses in IPv6, the fields for source and destination address are much, much larger. But many of the fields are cut: if we look at IPv6 versus IPv4, we don't have some of the fields in IPv6 that we did in IPv4.
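The version-first decoding described above, as an added Python example that is not part of the original lecture: it reads the version nibble and then decodes either the IPv4 header (IHL, TTL, protocol number, addresses, options) or the fixed IPv6 header, whose longer addresses and shorter field list show the contrast the lecture draws. The sample packet bytes are constructed for the example.

```python
import socket
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IPv4 protocol / IPv6 next-header numbers

def parse_ipv4(raw):
    """Decode an IPv4 header, including any options announced by the IHL."""
    if len(raw) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = ver_ihl & 0x0F              # header length in 32-bit words
    header_len = ihl * 4              # 20 bytes without options
    if ihl < 5 or header_len > len(raw):
        raise ValueError("bad IHL %d" % ihl)
    return {
        "version": ver_ihl >> 4, "header_len": header_len, "tos": tos,
        "total_len": total_len, "id": ident,
        "dont_frag": bool(flags_frag & 0x4000),
        "more_frag": bool(flags_frag & 0x2000), "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": checksum,
        "protocol_name": PROTOCOLS.get(proto, "other"),
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": raw[20:header_len],
    }

def parse_ipv6(raw):
    """Decode the fixed 40-byte IPv6 header (extension headers not followed)."""
    if len(raw) < 40:
        raise ValueError("IPv6 header needs 40 bytes")
    vtf, payload_len, next_hdr, hops, src, dst = struct.unpack("!IHBB16s16s", raw[:40])
    return {
        "version": vtf >> 28, "traffic_class": (vtf >> 20) & 0xFF,
        "flow_label": vtf & 0xFFFFF, "payload_len": payload_len,
        "next_header": next_hdr, "protocol_name": PROTOCOLS.get(next_hdr, "other"),
        "hop_limit": hops, "src": socket.inet_ntop(socket.AF_INET6, src),
        "dst": socket.inet_ntop(socket.AF_INET6, dst),
    }

def parse_ip(raw):
    """Read the version nibble first, then decode with the matching layout."""
    version = raw[0] >> 4 if raw else 0
    if version == 4:
        return parse_ipv4(raw)
    if version == 6:
        return parse_ipv6(raw)
    raise ValueError("unknown IP version %d" % version)

# Constructed sample: IPv4, no options, DF set, TTL 64, protocol 6 (TCP), 192.168.1.10 -> 192.168.1.1
SAMPLE_IPV4 = bytes.fromhex("4500003c1c4640004006b1e6c0a8010ac0a80101")
```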
The next port of call we're talking about is ARP. ARP is the protocol that we use to translate between the hardware address and the IP address, so between that 192.168 address and that hexadecimal address that comes hard coded into every single network device. So we have a hardware type field, we have a protocol type field, and then the sender hardware address. This is going to be the sender's MAC address, and it does take up more than one line here: we have two bytes here and then another four bytes here as the sender hardware address. And then the sender protocol address is going to be that IP address. So we'll have four bytes' worth of the IP address, and then another six bytes' worth of the target hardware address, so that's going to be the target MAC address, as well as the last four bytes here, which are going to be the target protocol address.

Now, the hardware type has a specific code value. Most frequently you will see that value being one, because it's going to be an Ethernet hardware type, but there are other values there. If we look back at our packet header slide here, this is going to be our opcode, and that defines what type of ARP packet this actually is: is it a request, is it a reply, is it a reverse ARP request, a reverse ARP reply, and so on. And then we also have the protocol type. Most frequently this is going to be IPv4, but as network infrastructures are updated to use IPv6, this value will also change.
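The ARP layout described above, as an added Python example that is not part of the original lecture: it decodes hardware type, protocol type, opcode and the four address fields, taking the address widths from the HLEN and PLEN bytes rather than assuming six and four. The sample packet (a request for 192.168.1.1 from 192.168.1.10, with a made-up sender MAC) is constructed for the example.

```python
import struct

# Code tables for the fields the lecture describes (IANA-assigned values)
HARDWARE_TYPES = {1: "Ethernet"}
PROTOCOL_TYPES = {0x0800: "IPv4", 0x86DD: "IPv6"}
OPCODES = {1: "request", 2: "reply", 3: "RARP request", 4: "RARP reply"}

def fmt_hw(b):
    """MAC-style rendering of a hardware address: aa:bb:cc:dd:ee:ff."""
    return ":".join("%02x" % x for x in b)

def fmt_proto(b):
    """Dotted-quad for a 4-byte protocol address, raw hex otherwise."""
    return ".".join(str(x) for x in b) if len(b) == 4 else b.hex()

def parse_arp(raw):
    """Decode an ARP packet; address widths come from HLEN/PLEN, not assumed."""
    if len(raw) < 8:
        raise ValueError("ARP header needs at least 8 bytes")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", raw[:8])
    need = 8 + 2 * (hlen + plen)          # SHA + SPA + THA + TPA
    if len(raw) < need:
        raise ValueError("truncated ARP: need %d bytes, got %d" % (need, len(raw)))
    pos = 8
    addrs = []
    for width in (hlen, plen, hlen, plen):
        addrs.append(raw[pos:pos + width])
        pos += width
    sha, spa, tha, tpa = addrs
    return {
        "hw_type": htype, "hw_type_name": HARDWARE_TYPES.get(htype, "other"),
        "proto_type": ptype, "proto_type_name": PROTOCOL_TYPES.get(ptype, "other"),
        "hlen": hlen, "plen": plen,
        "opcode": opcode, "opcode_name": OPCODES.get(opcode, "other"),
        "sender_hw": fmt_hw(sha), "sender_proto": fmt_proto(spa),
        "target_hw": fmt_hw(tha), "target_proto": fmt_proto(tpa),
    }

# Constructed sample: Ethernet/IPv4 ARP request, "who has 192.168.1.1? tell 192.168.1.10"
SAMPLE_ARP_REQUEST = bytes.fromhex(
    "0001" "0800" "06" "04" "0001"   # hw type 1, proto type 0x0800, hlen 6, plen 4, opcode 1
    "aabbccddeeff" "c0a8010a"        # sender MAC (made up) and sender IP
    "000000000000" "c0a80101"        # target MAC unknown (zeros) and target IP
)

if __name__ == "__main__":
    a = parse_arp(SAMPLE_ARP_REQUEST)
    print("%s: %s (%s) asks for %s" % (a["opcode_name"], a["sender_proto"],
                                        a["sender_hw"], a["target_proto"]))
```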