The next topic for discussion is the Ethernet header.
So this Ethernet header is something I've pulled from Wireshark, which is something we'll be looking at a little bit later on. But this is going to be useful because it's going to let us look at what sort of data is contained inside of an Ethernet header, and it's also going to let us know what sort of things we can do with that information. So we see that it uses Ethernet version 2, which is pretty much everything you're going to be using.
We see the source MAC, which we see automatically gets broken out as being VMware; it already knows that it's VMware, which again is useful.
When you see VMware in the wild, when you've just exploited a machine, you've just broken in, and you see that your MAC address is a VMware address, which will be either 00:0c:29 or 00:50:56. Either one of those is pretty well known to be owned by VMware.
Now, if you see that, that means you've probably broken into something that's not what you think it is. Unless you knew you were going after a VM, you knew it was a virtualized server or what have you, you're probably in bad shape.
So you're going to want to look into: well, why is it a VM? Am I in a honeynet? Have I been captured by a researcher? What's going on? And if either of those were the case, you're going to want to get out of there.
What we see here again is the same thing, just broken out. Your address, your destination address rather, has the LG bit not set, so it's a globally unique address, or it's a non-globally unique address, because the LG bit is not set. We see that it's not an individual address because the IG bit is not set.
We see the source address, the place where everything has come from, is also VMware, as I mentioned a moment ago. We see that it's also non-unique. Now, the reason why that matters is pretty straightforward: it's a VM, and VMware basically just randomly assigns a MAC address to all of its VMs. But if you see things like this in the wild, if you look in and you see, oh, well, this bit's not set or that bit's not set, the actual breakdown of these headers can actually tell you what's going on.
Knowing that can give you information: it can tell you how they've configured their network, what sort of data they're using, or even just whether or not they've got a good tech guy.
The next and very important thing that each header is going to tell us is a type field of some sort. That type is actually the next type. So in this case, it's going to be 0800 in hex, which is what the 0x means, and which is IP specifically. We don't actually know what version it is; we only know that it is IP. So to find that out, we go into the next one, and we see it breaks out to IPv4.
Now, we're not actually looking at the raw hex in this because, well, one, that's not what you're here for; two, raw hex hurts my eyes; and three, it's really, really, really boring.
So we see the source machine is .128. We see it's 192.168.129.128, specifically. We see its destination is
The IP version is 4, and the header length is 20 bytes. That's fairly consistently the case across IP. Most IP headers are going to be 20 bytes. It is possible to have options in place that will extend that, but it's very, very rare.
The Differentiated Services field doesn't really matter to us.
The identification number, the IP identification number right here, is 868, and we've got one flag, which is the don't fragment bit. That's the only flag currently set. What the don't fragment bit means is: don't break this packet up. If it gets to a point where the maximum transmission unit says, sorry, I can't take a packet that big, send me an error and I'll send you a smaller version. But don't break this packet up.
The protocol is TCP, which is again our next protocol. We have a header checksum, although on the actual system we're using we didn't actually enable validation. But we do know that it took a checksum of the header, and if we wanted to, we can validate it, make sure the header hasn't been changed en route.
That's pretty much everything that we need out of the IP header.
And from there we can go on to, in this case, a TCP header, which we see right here. TCP, as we said before, is the Transmission Control Protocol.
In this case, it's coming from port 44277, which again we saw was the .128 machine, and is going to port 443, which we know to be HTTPS, and which we are hopefully informed of here, which is very nice of Wireshark. It tells us, hey, it's using the HTTPS port. That doesn't necessarily mean it's using HTTPS, but it's a fairly strong indicator that it is.
So we know that it's coming from a random high port (this right here is called a random high port) to a well-known port. So most likely the .128 is a client and is going out to a website on the 31.13 etcetera etcetera machine, and it's looking at something there.
The sequence number is 2537; the acknowledgment number is 19459. These two are very important. They're relative in this case; that's not the entire full number, but it's relative to the start.
So if we know that the relative sequence number is 2537, we know this communication has been going on for a little while. The acknowledgment number can give us a vague idea of how much data has been sent. The specifics of how acknowledgment and sequence work aren't important, but what matters is that if it's a big number in the acknowledgment field, you know that a good bit of data has been sent. If it's a big number in this relative sequence field, you know that a lot of packets have been sent.
So the header length right here breaks out and says, hey, your TCP header is 20 bytes. That's not really important to us right now, but it could be in the future.
The flags that are set, however, are extremely important. TCP flags are very, very indicative of a lot of things.
The reserved bits: these first 3 should never be set. If they are set, someone is spoofing packets, someone is doing bad things on the network. The nonce should also not ever be set.
The congestion window reduced flag could theoretically be set, but in reality is only ever really sent during an Xmas scan, which is something we'll look at a little bit later. ECN, again, Xmas only.
Urgent is something that was designed with the intent of quality of service being built into TCP, but it never quite happened, so it's sort of just there. It's another one that you'll only ever see in an Xmas scan, which means it's not something you should see in normal use.
The ones that you will see in normal use are higher, and those ones I'll indicate in blue: ACK, which says, hey, I got some sort of data from you or some sort of communication from you; PSH, which says I've got more data for you, add it to the data I've already sent you; RST, which says you've done something very, very, terribly wrong and I'm going to kill this connection, and we can try again in a minute; and SYN, which is only ever used to initiate a conversation.
It's the first packet that gets sent. You get a SYN, SYN-ACK, ACK. It's called the three-way handshake. SYN is sent as a synchronize; it says, hey, let's synchronize sequence numbers and let's start working together to create a communication.
And then FIN, which is part of the graceful teardown. A FIN teardown looks like FIN, FIN-ACK, ACK, and finished, which is designed with the simple intent of making sure that the teardown happens in the right way: everyone's done with sending data, everything looks good and is good to go.
The window size value you see here is 65160, which could be useful in OS fingerprinting, and then the checksum again. We've disabled validation, but if we wanted to make sure that a packet was sent correctly, that's where we would check.
The next header, and the final header that we're going to look at here, is the UDP header. Now, a quick reminder from before: UDP is much, much simpler and much less reliable. It's not designed to ensure the traffic gets where traffic should go.
So in the User Datagram Protocol, the UDP header, we don't have very many fields. We have a source port, which right here is 17500, and we have a destination port, which here is 17500. Now, I don't know about you, but I don't know that port off the top of my head, but we see here that it's db-lsp-disc. Probably some sort of discovery port. We don't really care that much. We might care in a minute, but right now we don't. It's worth a Google, by all means.
If you find a port with which you're unfamiliar being used, always look it up. I recommend, whenever you're doing some sort of task, whenever you're working in a network, have a separate machine disconnected from that network with which to google things, with which to look up what you're unfamiliar with, whatever you might need. Do have a second machine or, at the very least, a smartphone like everyone seems to carry now.
Beyond that, there's the length of this packet, which is 122 bytes, and again the UDP checksum, which we don't validate.
And that's really it. All UDP does is say, hey, here's where it's from, here's where it's going, here's how much there is of it, and here's a checksum that may or may not be correct. And then it just throws that data at whoever the destination is.
With that, we've pretty much completed our discussion of headers and therefore our discussion of basic networking concepts.
After this, we're going to be building into gathering information, and I will see you then.
Thank you very much and enjoy your day.
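As an added example (not code from the talk or from Wireshark), here is a small Python parser that breaks out the same Ethernet, IPv4, TCP and UDP fields the talk walks through: the IG/LG bits and VMware OUI of each MAC, the EtherType, the IP header length, identification, DF flag and header checksum (validated, since the talk's capture had validation off), and the TCP ports, relative sequence/ack numbers, flags, window and an "odd flags" check for the reserved bits, NS, URG, ECE and CWR. The two sample frames are constructed to carry the talk's field values (ports 44277 and 443, id 868, window 65160, UDP 17500 with a 122-byte length); the destination IP and MAC addresses are made-up placeholders.

```python
import struct
VMWARE_OUIS = {"00:0c:29", "00:50:56"}  # the two OUIs the talk names as VMware
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]  # flag bits 0..8

def mac_info(raw):  # the MAC breakdown Wireshark shows: IG bit, LG bit, vendor OUI
    mac = ":".join(f"{b:02x}" for b in raw)
    return {"mac": mac, "ig_group": bool(raw[0] & 0x01),
            "lg_local": bool(raw[0] & 0x02), "vmware": mac[:8] in VMWARE_OUIS}

def ip_checksum(hdr):  # RFC 1071 one's-complement sum; returns 0 when the stored checksum is valid
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP/UDP and return the header fields the talk discusses."""
    etype = struct.unpack("!H", frame[12:14])[0]
    out = {"eth": {"dst": mac_info(frame[:6]), "src": mac_info(frame[6:12]), "type": etype}}
    if etype != 0x0800:  # 0x0800 is IPv4; nothing else is decoded here
        return out
    ip = frame[14:]
    ver_ihl, _dsf, _tlen, ident, frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    out["ip"] = {"version": ver_ihl >> 4, "hlen": ihl, "id": ident, "df": bool(frag & 0x4000),
                 "proto": proto, "src": ".".join(map(str, ip[12:16])),
                 "dst": ".".join(map(str, ip[16:20])), "checksum_ok": ip_checksum(ip[:ihl]) == 0}
    l4 = ip[ihl:]
    if proto == 6:  # TCP
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        names = [n for i, n in enumerate(TCP_FLAGS) if off_flags >> i & 1]
        # reserved bits, NS, or URG/ECE/CWR set: not something the talk expects in normal traffic
        odd = ((off_flags >> 9) & 0x7) != 0 or bool(set(names) & {"NS", "URG", "ECE", "CWR"})
        out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
                      "hlen": (off_flags >> 12) * 4, "flags": names, "odd_flags": odd}
    elif proto == 17:  # UDP: source port, destination port, length, checksum and nothing more
        sport, dport, length, _ucsum = struct.unpack("!HHHH", l4[:8])
        out["udp"] = {"sport": sport, "dport": dport, "length": length}
    return out

def build_frame(proto, l4):  # constructed frame: placeholder dst MAC, VMware src MAC, IPv4 with DF
    eth = bytes.fromhex("001122334455") + bytes.fromhex("000c29aabbcc") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 868, 0x4000, 64, proto, 0,
                     bytes([192, 168, 129, 128]), bytes([203, 0, 113, 5]))  # dst: documentation address
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # write the real header checksum in
    return eth + ip + l4

# ACK-only segment 44277 -> 443 with the talk's relative seq/ack and window; UDP 17500 -> 17500, 122 bytes
SAMPLE_TCP = build_frame(6, struct.pack("!HHIIHHHH", 44277, 443, 2537, 19459, (5 << 12) | 0x010, 65160, 0, 0))
SAMPLE_UDP = build_frame(17, struct.pack("!HHHH", 17500, 17500, 122, 0) + bytes(114))
```

Flipping any byte of the IPv4 header in `SAMPLE_TCP` makes `checksum_ok` go false, which is the validation the talk says its capture had switched off.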