Time
10 hours 10 minutes
Difficulty
Intermediate
CEU/CPE
15

Video Description

Sequence and Acknowledgement Numbers in TCP: This lesson discusses sequence and acknowledgement numbers in TCP. These numbers work together to establish and determine where you are in a specific conversation, and they are what make TCP such a powerful communication protocol. Sequence and acknowledgement numbers increment in a predictable and structured manner throughout a conversation, changing relative to how much data has been sent and how many packets have been exchanged. They are important because they are very helpful in error checking.
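As an added illustration (not code from the course or from its downloadable packet analyzer), the Python below unpacks the TCP and UDP headers with the same struct layouts the lesson uses ('!HHIIHHHH' and '!HHHH'), splits out the data offset, reserved bits and flags by shifting and masking, and then replays a constructed handshake plus one request to show the rule behind the predictability the description mentions: each side's next sequence number is its previous one advanced by the payload length, plus one for a SYN or FIN, and the peer's ACK carries that value. The ports, initial sequence numbers and segments are made up for the example, and the checksum is left at zero because the parser only reads it. The flag and reserved layout follows RFC 793 as the lesson does; RFC 3168 later assigned two of those six reserved bits to the CWR and ECE flags, so on a modern capture the reserved value can be non-zero during ECN negotiation.

```python
import struct

# Flag bits in the low six bits of the TCP offset/reserved/flags word (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("URG", URG), ("ACK", ACK), ("PSH", PSH), ("RST", RST), ("SYN", SYN), ("FIN", FIN))


def parse_tcp_header(data):
    """Unpack the 20-byte fixed TCP header with the analyzer's '!HHIIHHHH' layout and
    return the fields plus whatever follows the header (options are skipped using the
    data offset)."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", data[:20])
    data_offset = off_flags >> 12          # header length in 32-bit words
    reserved = (off_flags >> 6) & 0x3F     # six reserved bits in the RFC 793 layout
    flags = off_flags & 0x3F               # URG ACK PSH RST SYN FIN
    hdr_len = data_offset * 4
    if hdr_len < 20 or hdr_len > len(data):
        raise ValueError("bad data offset %d" % data_offset)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "reserved": reserved,
        "flags": [name for name, bit in FLAG_NAMES if flags & bit],
        "window": window, "checksum": checksum, "urg_ptr": urg_ptr,
        "payload": data[hdr_len:],
    }


def parse_udp_header(data):
    """Unpack the 8-byte UDP header (RFC 768, '!HHHH') and slice the payload by the
    length field, which counts header plus data."""
    if len(data) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, checksum = struct.unpack("!HHHH", data[:8])
    if length < 8 or length > len(data):
        raise ValueError("bad UDP length %d" % length)
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": checksum, "payload": data[8:length]}


def next_seq(hdr):
    """Sequence number the sender's next segment should carry: seq advanced by the
    payload length, plus one each for SYN and FIN, which consume a sequence number."""
    consumed = len(hdr["payload"]) + ("SYN" in hdr["flags"]) + ("FIN" in hdr["flags"])
    return (hdr["seq"] + consumed) & 0xFFFFFFFF      # 32-bit wrap-around


def track_conversation(segments):
    """Replay one conversation, remembering the next sequence number each side (keyed by
    source port) is expected to send. Returns a (src_port, seq_ok, ack_ok) tuple per
    segment: seq_ok is False for a segment whose sequence number is not the expected one
    (what a blind injection from the side looks like); ack_ok is False when an ACK does
    not match what the other side has actually sent so far."""
    expected = {}
    results = []
    for raw in segments:
        h = parse_tcp_header(raw)
        src, dst = h["sport"], h["dport"]
        if src not in expected:            # first segment from this side: learn its ISN
            expected[src] = h["seq"]
        seq_ok = h["seq"] == expected[src]
        ack_ok = "ACK" not in h["flags"] or h["ack"] == expected.get(dst)
        if seq_ok:                         # only in-sequence segments advance the state
            expected[src] = next_seq(h)
        results.append((src, seq_ok, ack_ok))
    return results


def build_tcp(sport, dport, seq, ack, flags, payload=b"", window=65535):
    """Constructed test segment: 20-byte header, no options, checksum left at zero."""
    off_flags = (5 << 12) | flags
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)
    return hdr + payload


# Constructed three-way handshake plus one request and its ACK (not captured traffic).
CLIENT_ISN, SERVER_ISN = 1000, 5000
REQUEST = b"GET / HTTP/1.0\r\n\r\n"
SEGMENTS = [
    build_tcp(40000, 80, CLIENT_ISN, 0, SYN),
    build_tcp(80, 40000, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_tcp(40000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
    build_tcp(40000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, PSH | ACK, REQUEST),
    build_tcp(80, 40000, SERVER_ISN + 1, CLIENT_ISN + 1 + len(REQUEST), ACK),
]
# A constructed segment "from" the client that guesses the wrong sequence number.
INJECTED = build_tcp(40000, 80, 4242, SERVER_ISN + 1, PSH | ACK, b"evil")
# Constructed UDP datagram: length field 13 = 8-byte header + 5 bytes, trailing junk ignored.
UDP_SAMPLE = struct.pack("!HHHH", 53, 40001, 13, 0) + b"hello" + b"junk"

if __name__ == "__main__":
    for src, seq_ok, ack_ok in track_conversation(SEGMENTS + [INJECTED]):
        print("from port %5d  seq in order: %-5s  ack consistent: %s" % (src, seq_ok, ack_ok))
    print(parse_udp_header(UDP_SAMPLE))
```

Running it prints one line per segment; the last line, for a segment whose sequence number does not match what the tracker expects from that port, is the shape of the side injection the lesson says is hard to pull off without seeing the conversation.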

Video Transcription

00:04
So source port is going to equal
00:06
TCP header
00:08
zero.
00:11
Dest port
00:14
is gonna equal TCP
00:15
header
00:16
one.
00:18
Sequence number,
00:20
which is something we need to stop and examine.
00:25
It's gonna be field two. So the sequence and the acknowledgment numbers are really important in TCP, and you really want to know about them.
00:30
Ah, the sequence number is the first data octet.
00:34
What it actually is?
00:36
Well, in this case, it shows your SYN is the number that has an initial sequence number. What the sequence and the acknowledgment numbers do together
00:42
is they establish and determine,
00:46
um,
00:47
where you're at in a specific conversation. Sequence and acknowledgement numbers are sort of what make TCP so,
00:53
um,
00:55
powerful as a communication protocol.
00:57
Your sequence and acknowledgement numbers will increment in a predictable and structured manner throughout a conversation, and they will start in such a way that
01:04
if someone is trying to put traffic into your communication,
01:10
it's not impossible, but it's extremely difficult in most cases if they're just trying to inject from the side.
01:17
The reason for that
01:19
is that your acknowledgement numbers are going to change based on how much data's being sent and based on packets sent, and that sort of thing.
01:26
Which means that your communication is always going to have a relatively unique identification number. They're only 32 bits long, so there are collisions on the Internet.
01:36
Your sequence number is the same as, you know, thousands or even millions of sequence numbers for other conversations. But the odds of those conversations, you know, also being aimed at your computer on the same port are practically nonexistent.
01:48
It also helps you in terms of error checking and all sorts of other things.
01:51
So sequence and acknowledgement numbers are really, really important. And if we were trying to do something fancy, we would need to know how to mess with them. Luckily, we're not, so we don't. But it is important that you know what they are, that they exist.
02:02
Next one is gonna be acknowledgement number, TCP header.
02:07
It's gonna be three.
02:09
And then we've got the,
02:12
scroll back up,
02:14
the monstrosity here.
02:15
So I've gotten pretty good at this. Data offset
02:19
equals TCP header
02:22
four
02:23
logically shifted right. And we're gonna scroll down here to look at it. So we're dealing with these three fields.
02:30
Yeah, so we're gonna shift it right six bits for control field and then six bits for reserved,
02:37
which is, of course, going to be a total of 12 bits.
02:39
Then we do reserved
02:40
equals
02:43
TCP header
02:45
four,
02:46
four,
02:46
logically shifted right
02:49
six bits.
02:51
And then we're also going to have to, almost missed it there,
02:58
logically AND that
03:00
to get rid of the four bits from the data offset.
03:04
So
03:05
first four bits are empty,
03:07
and then all ones.
03:09
Actually,
03:13
first
03:19
10 bits are empty, and then that will be all ones.
03:22
Um,
03:23
so reserved is six bits long, which is really ugly and really annoying.
03:28
So we're gonna wanna break that out in binary. So we've got 16 bits to work with,
03:34
and we need 10 bits of ones. So we do 1, 2, 3, 4,
03:38
1, 2, 3, 4, and we're gonna go back here
03:39
and do another two ones. There's 10 bits of ones right there.
03:44
Then we need to fill out the other 16, or the other,
03:46
I'm sorry.
03:52
Yeah, we're gonna need to fill out the rest with zeros.
03:59
There's 16 bits.
04:00
So this first one,
04:01
this first octet here is going to be all zeros, so we know that that's going to be zero.
04:08
Second octet, however, is actually 0011.
04:12
Instead of being 00 this is gonna have to be 03,
04:15
which is a really weird thing to logically AND against. But that's the way it is,
04:19
four ones and four ones.
04:23
There you go. So the reserved field, we need to move right six bits, and then we need to logically AND it to get rid of the data offset.
04:30
Ah,
04:31
reserved field
04:33
must be zero. So in reality, we didn't even have to look at it. We didn't have to care. We're trying to do this right,
04:43
and then next we need to do control bits, which we're gonna call flags,
04:48
going to be TCP
04:49
header
04:51
four.
04:53
And again, we're gonna have to do some weird logical ANDing.
04:55
So this is the final six bits out of the 16 bits.
05:00
0x,
05:03
1, 2, 3, 4, 5, 6. Six bits right there and then 10 bits of zeros.
05:10
So, you know, of course, our first octet is gonna be zero because we've got four zeros,
05:15
so, you know, that's gonna be zero. We have four more,
05:18
then it's gonna be 0011.
05:23
So it's gonna be three.
05:30
And
05:39
so in doing that, we actually may notice that
05:41
we did this in the wrong order, logically.
05:44
We're gonna change that
05:47
so that we actually do the comparison here before we move it over.
05:51
Uh,
06:00
well, actually, no. We can do it the way we did it. That's totally fine.
06:02
Anyway, so we've got flags,
06:04
and we've got to break those out now into the urgent, ACK, push, reset, SYN, FIN.
06:10
Uh,
06:11
so these we actually do need to look at and see what they mean. So URG means urgent pointer field is significant.
06:16
Urgent pointer field we see
06:18
straight here after our checksum.
06:21
Is it actually significant? Is URG ever used?
06:26
Yes. And so the urgent pointer is not actually used in, in pretty much any case. However, you will see the urgent field used surprisingly often.
06:34
The areas in which it's used are during network sniffing, when people are, not network sniffing, but in network scanning. When people are trying to analyze your network, they'll send you packets with the URG flag set specifically because they're not supposed to. So they want to see how your machine handles it.
06:48
So if you've got your sniffer running and it's throwing up, hey, this guy has a bunch of URG, you know, has the URG flag set on a bunch of packets,
06:56
you know, that person is most likely doing something
06:59
you don't necessarily want to be doing.
07:00
So we're gonna do URG equals
07:04
flags
07:05
logically ANDed against, and again, six bits,
07:15
0x0,
07:17
huh?
07:18
Go ahead and do.
07:20
It's only the sixth bit from the right,
07:24
so there's a 1, 0, and then there's four zeros.
07:29
So obviously the last one, that one's going to be
07:32
two.
07:34
So that's the URG flag. Next is gonna be the ACK flag.
07:41
So where's the ACK flag,
07:43
scroll down here. It says the acknowledgment field is significant.
07:46
It's not very indicative. What it means is if the ACK flag is set, I've received data from you
07:51
and I'm sending back a packet that's saying, hey, I got that data. Again, that's one of those sort of guiding principles of TCP. It's what makes it so reliable.
08:01
So it's going to be the fifth bit from the right. So it'll be 00010.
08:07
PSH
08:09
means I have data for you.
08:18
That's the fourth from the right.
08:20
RST means something has gone wrong in our connection and I need to end it. I need you to restart it.
08:26
Something to that effect. That'll be four.
08:28
SYN is used to create, is part of the handshake that starts a connection.
08:35
And FIN
08:39
means, hey, I'm done with this connection. Let's gracefully exit.
08:43
There are all of our flags set,
08:46
or not set, depending,
08:46
again, we're logically ANDing it so they only actually get stored
08:50
in the instance that that flag is set.
08:54
So those are done.
08:56
We're done with our horrible flags of doom and move on to our last three fields, which are,
09:01
thankfully, pretty straightforward.
09:03
Window is the size, the amount of data that can be sent within a TCP header, or within a TCP packet. That can be changed. Window size can be used to negotiate, can also be used in sniffing or in scanning
09:16
traffic.
09:18
So window is going to be TCP header five,
09:24
and checksum.
09:26
It's a pretty straightforward, pretty sort of weak checksum that TCP uses. It's got some, you know,
09:33
relatively trivial defeats in the world,
09:35
but it's still a checksum used to make sure that the data is being sent
09:37
properly and that you're getting the data that was sent, that sort of thing.
09:41
Checksum is TCP header six,
09:48
and URG pointer,
09:50
again, not something that's actually used in communication, um, by pretty much any system in modern days, but something you want to monitor,
09:58
just in case someone's doing something malicious.
10:01
So you can go through, we can do a quick logic check.
10:05
It's okay. There are two H's.
10:07
That's a total of four bytes. Two I's, so that's four bytes each.
10:11
H, one.
10:13
One.
10:15
H, two. I, one.
10:16
I, two.
10:18
I've got four more H's. H, one. H, two. H, three. H, four.
10:22
And there you go. That's an entire TCP header broken down.
10:26
Um,
10:28
bit of a slog there, but I think we got through it without too much trouble.
10:33
And we change data. We say data, or return data, and we're not actually gonna return a tuple this time because we're done looking at protocols. TCP, UDP is as high as we're gonna go.
10:43
Speaking of UDP, the next thing we need to break down, and by the way, by all means, feel free to pause this video and take a break at any time. I know this stuff can be kind of hard to get your head around.
10:54
The next thing we're gonna analyze is gonna be the UDP header.
10:56
We've already got the condition up to determine what gets sent to the UDP header, so we don't need to do anything else special in our main function.
11:03
We just need to actually crack open RFC 768.
11:07
Nice thing about this is the last header is also the easiest header.
11:11
There are four fields, all of which are two bytes. UDP is, again, it's just kind of screaming data into the void. You hope that they get it, but maybe they won't. Who really cares?
11:22
We're gonna do a udp
11:26
hdr,
11:26
struct, struct.unpack,
11:33
data, and you see that it's
11:35
four two-byte fields. So it's just gonna be data up to
11:41
1, 2, 3, 4, 5, 6, 7, 8.
11:46
It's irritating.
11:48
Almost forgot. This
11:50
exclamation mark here in TCP,
11:54
which we're gonna put here too. But that, and we got four H's,
12:00
nothing hard here.
12:01
Source
12:03
port equals
12:07
UDP header one, or zero, rather.
12:11
Dest port equals UDP
12:15
one.
12:16
Length,
12:18
UDP
12:20
two,
12:20
and
12:24
checksum
12:26
is three.
12:31
Easy as that. And then, of course, data.
12:43
So there you go.
12:43
We've broken all our fields out. UDP was really just that quick and easy.
12:48
Uh, so the next thing we need to do is actually print our fields and kind of go through, make this code a little bit cleaner and easier to read.
12:56
So
12:56
we're gonna start again at the top. We've already printed out destination MAC, source MAC, and then the protocol.
13:03
But we need to make these a little bit easier to read.
13:05
So a MAC address should be,
13:07
uh,
13:09
six bytes
13:11
followed by colons, or broken up by colons. There are a few different ways we could do it.
13:16
The easiest way to do it is in the print statement here.
13:20
Put it into a print statement to say this is the Ethernet header.
13:41
I like to put, you know, something that sort of makes it a little easier to read and breaks things up like that. So tab that in, destination MAC,
13:50
oh,
14:03
we're gonna do string, colon,
14:07
string,
14:09
string,
14:15
and then three more of those,
14:16
and we're just gonna slice this string up
14:18
nice and neat.
14:22
So it's a little bit easier to read when we print out.
15:05
There is the destination MAC. The print statement itself is pretty hideous to look at, but
15:09
when it actually gets printed, it will be much, much easier.
15:15
We're gonna do
15:16
source MAC.
15:26
It's also going to be six fields long,
15:33
and I'll just go ahead and skip ahead so you don't have to see all these.
15:37
So there is the destination MAC, the source MAC, and then we'll make this a little prettier as well.
15:54
Protocol.
15:56
So we can look at this and see
16:00
if anything blows up. No.
16:02
Cool.
16:02
Now it prints out the MAC addresses a little bit more cleanly.
16:06
Put a tab in there so it makes a little more sense.
16:15
Remove the tabs anyway.
16:18
It's a little cleaner.
16:27
It actually wants a number, not a string.
16:33
You can just turn that into a string
16:34
in our
16:37
format over here.
16:40
Refresh
16:41
traffic. Okay, so cool. We've got a destination MAC, a source MAC, and a protocol,
16:45
and we're gonna increase these tabs to align
16:48
just so that I can more easily read
16:56
what I'm writing.
17:06
So we saw, if you're paying close attention, you saw that an error came up where, you know, it checks next_proto, that doesn't exist. The reason for that is because next_proto only gets created when we get an IP
17:18
packet.
17:18
So we need to specify if it's not IP, we're not dealing with anything. If it isn't IP,
17:25
just gonna return.
17:26
Okay, now you got that.
17:27
It's okay.
17:29
MAC address, our Ethernet header is done being printed.
17:33
Now it's time to move on to our IP header.
17:40
Do print,
17:56
and skip ahead.
17:57
All right, so I got that copied over for you. There are a couple of
18:02
things that did need to get changed while I was doing that.
18:04
Um, first of all, in the analyzing of the header here, we actually want to shift that right by eight bits so that we can just get rid of the whole hexlifying thing.
18:12
It just prints out more easily and compares a little bit more easily.
18:17
And then, oh, here, the ntoa needs to be inet_ntoa,
18:22
so that actually
18:25
resolves properly.
18:26
So we hit F5. We run,
18:32
you see an explosion.
18:33
It's, again, next_proto referenced before assignment.
18:37
We'll deal with that in just a moment.
18:40
So we see next_proto here is 53. That's something weird that we didn't handle.
18:45
Okay, we'll deal with that in a second.
18:47
But
18:48
IP header is printing out, getting some
18:51
data, some interesting data, maybe, but some data.
18:56
Let's have a quick look-see, shall we?
18:57
Make sure that we're getting the data we think we're getting.
19:07
So here we're taking up to 14 bits of, 14 bytes of data, returning that.
19:14
That's working out just fine.
19:22
So what we're running into is actually a pretty simple one. It's simply the if statement we had here. We just had two if statements; we didn't deal with the weird other cases when we got some sort of protocol we didn't expect.
19:33
The solution is just doing if, elif, else, that, of course, else being next_proto equals other,
19:41
just in case,
19:42
and then down here,
19:44
if TCP, go to TCP; if UDP, go to UDP; else just return.
19:48
We're getting our IP header, it is printing, and we can see that it's printing
19:53
from the terminal,
19:56
and you see we're getting some weird data again. But that's fine.
20:00
Refresh, we see, yep, everything looks properly structured. Everything's good to go.
20:06
Cool.
20:10
So the next thing we need to deal with, obviously, logically, is TCP and UDP headers. Gotta print those out.
20:22
So
20:25
I could copy-paste it again. Instead, I just want to head into the easier way, which is to
20:30
go for a second one. This one's a little bit neater and cleaner anyway.
20:33
This packet, this, the packet analyzer, this will be included in the documents you can download.
20:37
All this is, is the same code we just wrote, just sort of cleaned up like they do on a chef show,
20:44
you know, and luckily I've had one in the oven for four hours anyway.
20:48
So we go through and we go to the TCP header. We're gonna print out all of these. See, I did a bool to make sure, to see if they're true or false. UDP header, print those four out.
20:59
And,
21:02
and this is what our finished product looks like.
21:12
There you go.
21:14
Obviously,
21:15
if you would like to write it to a file, you can do so. That way it looks a little bit prettier and easier to read.
21:22
How you want to do it is up to you.
21:23
But
21:25
with that done, that actually will complete this
21:27
kind of a bear of a lesson-slash-activity.
21:30
If you stuck with it to the end, and if you made the corrections to your code, you did all the pretty cleaning up,
21:37
then congratulations, you've successfully written a raw socket Python network traffic analyzer.
21:44
There aren't that many people who have done that,
21:47
so you should be proud. It's not a, it's not the easiest of challenges, and it requires, really,
21:52
it helped you to gain, I hope, a really in-depth knowledge of how networking works.
21:57
As I mentioned before, this is useful in all sorts of ways for security professionals,
22:02
but you're going to find the best uses yourself when you implement it
22:06
in the field, when you make use of it in the field.
22:07
With that, that's the end of this video. That's all I've got for you.
22:11
Please, by all means, if you haven't already done those videos, come back into the advanced Python videos, where we discussed fuzzing and other, like, ctypes and other various aspects of advanced Python.
22:22
If you have any questions on this or any of my other videos, of course you can contact me on my site or on my page on the site, Cybrary.it.
22:30
The name is Perry.
22:32
I'll be happy to answer any questions you've got.
22:34
Until next time, get out there and break something.

Up Next

Python for Security Professionals

This is the archived version of this Python course; a newly updated version of the course is also available.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc