...so source port is going to equal... Sequence number, which is something we need to stop and examine, is gonna be field two. So the sequence and acknowledgment numbers are really important in TCP, and you really want to know about them.

Ah, the sequence number is the first data octet. What it actually is? Well, in this case, it shows if SYN is set, the number is the initial sequence number. What the sequence and acknowledgment numbers do together is they establish and determine where you're at in a specific conversation. Sequence and acknowledgment numbers are sort of what make TCP so powerful as a communication protocol.

Your sequence and acknowledgement numbers will increment in a predictable and structured manner throughout a conversation, and they will start in such a way that if someone is trying to put traffic into your communication, it's not impossible, but it's extremely difficult in most cases if they're just trying to inject from the side. That's because your acknowledgment numbers are going to change based on how much data's being sent and based on packet size, and that's everything. Which means that your communication is always going to have a relatively unique identification number. They're only 32 bits long, so there are collisions on the Internet. Your sequence number is the same as, you know, thousands or even millions of sequence numbers for other conversations. But the odds of those conversations, you know, also being aimed at your computer on the same port are practically non-existent.

It also helps you in terms of error checking and all sorts of other things. So sequence and acknowledgment numbers are really, really important. And if we were trying to do something fancy, we would need to know how to mess with them. Luckily, we're not, so we don't. But it is important that you know what they are, that they exist.
Next field is gonna be acknowledgement number, tcp_header, it's gonna be three. And then we've got the monstrosity here.

So I've gotten pretty good at this. Data offset, logically shifted right. And we're gonna scroll down here to look at it. So we're dealing with these three fields. Yeah, so we're gonna shift it right six bits for the control field and then six bits for reserved, which is, of course, going to be a total of 12 bits, logically shifted right. And then we're also going to have to, almost missed it there, get rid of the four bits from the data offset. The first 4 bits are empty, 10 bits, and that will be all ones.

So reserved is six bits long, which is really ugly and really annoying. So we're gonna wanna break that out in binary. So we've got 16 bits to work with, and we need 10 bits of ones. So we do 1, 2, 3, 4, 1, 2, 3, 4, and we're gonna go back here and do another two ones. There's 10 bits of ones right there. Then we need to fill out the other... yeah, we're gonna need to fill out the rest with zeros. This first octet here is going to be all zeros, so we know that that's going to be zero. Second octet, however, is actually 0011. Instead of being 00, this is gonna have to be 03, which is a really weird thing to logically AND against. But that's the way it is: four ones and four ones.

There you go. So the reserved field, we need to move right six bits, and then we need to logically AND it to get rid of the data offset. Reserved must be zero. So in reality, we didn't even have to look at it. We didn't have to care. We're trying to do this right.
And then next we need to do control bits, which we're gonna call flags. And again, we're gonna have to do some weird logical ANDing. So this is the final six bits out of the 16 bits: 1, 2, 3, 4, 5, 6 bits right there, and then 10 bits of zeros. So, you know, of course, our first octet is gonna be zero because we've got four zeros, so, you know, that's gonna be zero. We have four more, then it's gonna be 0011, so it's gonna be three.

So in doing that, we actually may notice that we did this in the wrong order, logically. We're gonna change that, so that we actually do the comparison here before we move it over. Well, actually, no. We can do it the way we did it. That's totally fine.
Anyway, so we've got flags, and we've got to break those out now into URG, ACK, PSH, RST, SYN, FIN. So these we actually do need to look at and see what they mean. So URG means the urgent pointer field is significant. Urgent pointer field we see straight here after our checksum. Is it actually significant? Is URG ever used? Yes. And so the urgent pointer is not actually used in pretty much any case; however, you will see the urgent field used surprisingly often. The areas in which it's used are during network sniffing... when people are, not network sniffing, but in network scanning. When people are trying to analyze your network, they'll send you packets with the URG flag set specifically because they're not supposed to. So they want to see how your machine handles it. So if you've got your sniffer running and it's throwing up, "Hey, this guy has a bunch of URG," you know, has the URG flag set on a bunch of packets, you know that person is most likely doing something you don't necessarily want them to be doing.

So we're gonna do URG equals, logically ANDed against, and again, six bits. It's only the sixth bit from the right, so there's a 10 and then there's four zeros. So obviously the last nibble, the one that the one's in, is going to be... So that's the URG flag.

Next is gonna be the ACK flag. So where's the ACK flag? Scroll down here. It says the acknowledgment field is significant. It's not very indicative. What it means is, if the ACK flag is set: I've received data from you, and I'm sending back a packet that's saying, "Hey, I got that data." Again, that's one of those sort of guiding principles of TCP. It's what makes it so reliable. So it's going to be the fifth bit from the right, so it will be 00010.

Push means I have data for you. That's the fourth from the right. Reset means something has gone wrong in our connection and I need to end it, I need you to restart it, something to that effect. That'll be four. SYN is used to create, is part of, the handshake that starts a connection. FIN means, "Hey, I'm done with this connection. Let's gracefully exit."

There are all of our flags, set or not set, depending. Again, we're logically ANDing it so that it only actually gets stored in the instance that that flag is set. We're done with our horrible flags of doom and move on to our last three fields, which are, thankfully, pretty straightforward.
Window is the size, the amount of data that can be sent within the TCP header, or within the TCP packet, that could be changed. Window size could be used to negotiate; it can also be used in sniffing or in scanning. So window is going to be tcp_header[5].

Checksum: it's a pretty straightforward, pretty sort of weak checksum that TCP uses. It's got some, you know, relatively trivial defeats in the world, but it's still a checksum used to make sure that the data is being sent properly and that you're getting the data that was sent, that sort of thing. Checksum is tcp_header[6].

Urgent pointer: again, not something that's actually used in communication, um, by pretty much any system in modern days, but something you want to monitor, just in case someone's doing something malicious.

So you can go through, we could do a quick logic check. It's okay: there are two H's, that's a total of four bytes. Two I's, so that's four bytes each. I've got four more H's, each one is two: H2, H3, H4. And there you go. That's an entire TCP header broken down. Bit of a slog there, but I think we got through it without too much trouble.

And we change data. We say data, or return data, and we're not actually gonna return a tuple this time because we're done looking at protocols. TCP, UDP is as high as we're gonna go.
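As an added example (not code from the video), here is the TCP header breakdown above in working Python: struct.unpack with "!HHIIHHHH", the shift and masks for data offset, reserved and flags, a readable flag string, and a URG counter for the sniffer check the speaker mentions. The sample segments are constructed, and the 6-bit reserved / 6-bit flags layout follows the lesson (RFC 793).

```python
import struct

# Bit layout of bytes 12-13 of the TCP header as the lesson reads it (RFC 793):
# 4 bits data offset, 6 bits reserved, 6 bits control flags. Newer RFCs
# (3168/9293) define CWR and ECE in the top two of the former reserved bits.
FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")
FLAG_MASKS = (0x20, 0x10, 0x08, 0x04, 0x02, 0x01)
TCP_FMT = "!HHIIHHHH"  # 2 H (ports), 2 I (seq/ack), 4 H (offset+flags, window, checksum, urg)

def parse_tcp_header(data):
    """Unpack the fixed 20-byte TCP header from raw bytes and return a dict."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes for a TCP header")
    src_port, dst_port, seq, ack, orf, window, checksum, urg_ptr = struct.unpack(TCP_FMT, data[:20])
    data_offset = orf >> 12          # top 4 bits: header length in 32-bit words
    reserved = (orf & 0x03FF) >> 6   # clear the offset bits first, then drop the 6 flag bits
    flags = orf & 0x003F             # low 6 bits: URG ACK PSH RST SYN FIN
    header_len = data_offset * 4     # options, if any, sit between byte 20 and here
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "data_offset": data_offset, "reserved": reserved,
        "flags": {name: bool(flags & mask) for name, mask in zip(FLAG_NAMES, FLAG_MASKS)},
        "window": window, "checksum": checksum, "urg_ptr": urg_ptr,
        "payload": data[header_len:],
    }

def flag_string(hdr):
    """Readable flag list for printing, e.g. 'ACK,SYN' for a SYN-ACK."""
    return ",".join(name for name in FLAG_NAMES if hdr["flags"][name])

def count_urg(segments):
    """Sniffer check from the lesson: how many segments carry the URG flag."""
    return sum(1 for seg in segments if parse_tcp_header(seg)["flags"]["URG"])

# Constructed samples (not real captures): a SYN, and a SYN-ACK with 2 payload bytes.
SAMPLE_SYN = struct.pack(TCP_FMT, 40000, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
SAMPLE_SYNACK = struct.pack(TCP_FMT, 80, 40000, 5000, 1001, (5 << 12) | 0x12, 1024, 0, 0) + b"xy"

if __name__ == "__main__":
    for seg in (SAMPLE_SYN, SAMPLE_SYNACK):
        hdr = parse_tcp_header(seg)
        print("%d -> %d  seq=%d ack=%d flags=%s win=%d payload=%r"
              % (hdr["src_port"], hdr["dst_port"], hdr["seq"], hdr["ack"],
                 flag_string(hdr), hdr["window"], hdr["payload"]))
```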
Speaking of UDP, the next thing we need to break down... and by the way, by all means, feel free to pause this video and take a break at any time. I know this stuff can be kind of hard to get your head around. The next thing we're gonna analyze is gonna be the UDP header. We've already got the condition up to determine what gets sent to the UDP header, so we don't need to do anything else special in our main function. We just need to actually crack open RFC 768.

Nice thing about this is the last header is also the easiest header. There are four fields, all of which are two bytes. UDP is, again, it's just kind of screaming data into the void. You hope that they get it, but maybe they won't. Who really cares? We're gonna do a beautiful struct.unpack, data, and you see that it's four two-byte fields. So it's just gonna be data up to... Next mark here in TCP, which we're gonna put here through it, but that, and we've got four H's. UDP header one, or zero rather. Easy as that. And then, of course, data. We're breaking our fields out. UDP was really just that quick and easy.
Uh, so the next thing we need to do is actually print our fields and kind of go through, make this code a little bit cleaner and easier to read. We're gonna start again at the top. We've already printed out destination MAC, source MAC, and then the protocol. But we need to make these a little bit easier to read. So a MAC address should be followed by colons, or broken up by colons. There are a few different ways we could do it. The easiest way to do it is in the print statement here. Prefix the print statement to say this is the Ethernet header. I like to put, you know, something that sort of makes it a little easier to read and breaks things up like that. So tab that in, destination MAC, we're gonna do string, colon, and then three more of those, and we're just gonna slice this string up so it's a little bit easier to read when we print it out.

There is the destination MAC. The print statement itself is pretty hideous to look at, but when it actually gets printed, it will be much, much easier. It's also going to be six fields long, and I'll just go ahead and skip ahead so you don't have to see all these. So there is the destination MAC, then source MAC, and we'll make this a little prettier as well. So we can look at this and see if anything blows up. No. Now it prints out the MAC addresses a little bit more cleanly. Put a tab in there so it makes a little more sense. Remove the tabs anyway. It's a little cleaner. It actually wants a number, not a string. You can just turn that into a string. Traffic. Okay, so cool. We've got a destination MAC, source MAC, and a protocol, and we're gonna increase these tabs to align, just so that I can more easily read.

So we saw, if you're paying close attention, you saw that an error came up where, you know, it says next_proto doesn't exist. The reason for that is because next_proto only gets created when we get an IP. So we need to specify: if it's not IP, we're not dealing with anything; it is an IP. Okay, now you've got that. MAC address, our Ethernet header is done being printed. Now it's time to move on to our IP header.
All right, so I got that copied over for you. There are a couple of things that did need to get changed while I was doing that. Um, first of all, in analyzing the IP header here, we actually want to shift that right by eight bits so that we could just get rid of the whole hexifying thing. It just prints out more easily and compares a little bit more easily. And then, oh, here, the NT away needs to be in it anyway. So we hit F5, we run, you see an explosion. It's again: next_proto referenced before assignment. We'll deal with that in just a moment. So we see next_proto here is 53. That's something weird that we didn't handle. Okay, we'll deal with that in a second. IP header is printing out, getting some data, some interesting data maybe, but some data. Let's have a quick look-see, shall we? Make sure that we're getting the data we think we're getting. So here we're taking up to 14 bytes of data and returning that. That's working out just fine.

So what we're running into is actually a pretty simple one. It's simply the if statement we had here. We just had two if statements; we didn't deal with the weird other cases when we got some sort of protocol we didn't expect. The solution is just doing if, elif, else, with, of course, else being next_proto equals "other". If TCP, go TCP; if UDP, go to UDP; else, just return. We're getting our IP header, it's printing, and we can see that it's printing, and you see we're getting some weird data again, but that's fine. Refresh, we see, yep, everything looks properly structured. Everything's good to go. So the next thing we need to deal with, obviously, logically, is TCP and UDP headers. Gotta print those out.
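The UDP unpack with "!4H", the colon-separated MAC printing, and the if/elif/else next_proto fix from the sections above, gathered into one added example that is not the video's own code. The frame builder, the dict field names and the sample addresses are constructed for the demonstration.

```python
import struct

ETH_LEN = 14                  # destination MAC (6) + source MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17  # IPv4 protocol numbers

def format_mac(raw):
    """Six raw bytes -> 'aa:bb:cc:dd:ee:ff', the colon form the lesson prints."""
    return ":".join("%02x" % b for b in raw)

def parse_ethernet(frame):
    """Return (dst_mac, src_mac, ethertype, payload) from a raw Ethernet frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    return format_mac(dst), format_mac(src), ethertype, frame[ETH_LEN:]

def parse_udp(data):
    """RFC 768: four 2-byte fields; the payload is whatever follows the 8th byte."""
    src_port, dst_port, length, checksum = struct.unpack("!4H", data[:8])
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "checksum": checksum, "payload": data[8:length]}

def analyze(frame):
    """Walk Ethernet -> IPv4 -> next_proto with the if/elif/else fix from the lesson."""
    dst, src, ethertype, payload = parse_ethernet(frame)
    result = {"dst_mac": dst, "src_mac": src, "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        result["next_proto"] = "not ip"      # nothing more to parse for ARP etc.
        return result
    ihl = (payload[0] & 0x0F) * 4            # low nibble of byte 0: IPv4 header length
    protocol = payload[9]                    # byte 9 of the IPv4 header
    if protocol == PROTO_TCP:
        result["next_proto"] = "tcp"
    elif protocol == PROTO_UDP:
        result["next_proto"] = "udp"
        result["udp"] = parse_udp(payload[ihl:])
    else:
        result["next_proto"] = "other"       # the case the two bare ifs did not cover
    return result

def build_ipv4_udp_frame(src_port, dst_port, udp_payload):
    """Constructed test frame (not a real capture): Ethernet + minimal IPv4 + UDP."""
    udp = struct.pack("!4H", src_port, dst_port, 8 + len(udp_payload), 0) + udp_payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, PROTO_UDP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp

if __name__ == "__main__":
    print(analyze(build_ipv4_udp_frame(53000, 53, b"query")))
```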
I could copy-paste it again. Instead, I just want to head into an easier way, which is, for the second one, this one's a little bit neater and cleaner anyway. This packet analyzer, this will be included in the documents you can download. All this is is the same code we just wrote, just sort of cleaned up like they do on a chef show, you know? And luckily, I've had one in the oven for four hours anyway. So we go through and we go to the TCP header. We're gonna print out all of these. I did a bool to make sure, to see if they're true or false. UDP header, print those four out. And this is what our finished product looks like. If you would like to write it to a file, you can do so; that way it looks a little bit prettier and easier to read. How you want to do it is up to you.

With that done, that actually will complete this kind of a bear of a lesson slash activity. If you stuck with it to the end, and if you made the corrections to your code, you did all the pretty cleaning up, then congratulations. You have successfully written a raw socket Python network traffic analyzer. There aren't that many people who have done that, so you should be proud. It's not easy. It's not the easiest of challenges, and it really, I hope, helped you to gain a really in-depth knowledge of how networking works. As I mentioned before, this is useful in all sorts of ways for security professionals, but you're going to find the best uses yourself when you implement it in the field, when you make use of it in the field.

With that, that's the end of this video. That's all I've got for you. Please, by all means, if you haven't already done those videos, come back into the advanced Python videos, where we discussed fuzzing and other things like ctypes and other various aspects of advanced Python. If you have any questions on this or any of my other videos, of course you can contact me on my site or on my page on the site, Sorry Got I T. I'll be happy to answer any questions you've got. Until next time, get out there and break something.