Intrusion Analyst Packet Header Chart
IP and TCP
Copyright © Guy Bruneau, 2000-2001. All rights reserved.
IP header (sample values taken from the tcpdump trace below)

| 4                        | 5                   | 82                          | 002c                           |
| 4-bit version            | 4-bit header length | 8-bit type of service (TOS) | 16-bit total length (in bytes) |
| 7620                     | 4000 (DF) or 2000 (MF)                                                             |
| 16-bit identification    | 3-bit flags         | 13-bit fragment offset                                       |
| 80                       | 06                  | c6cb                                                         |
| 8-bit time to live (TTL) | 8-bit protocol      | 16-bit header checksum                                       |
| c0a8 1e0c                                                                                                   |
| 32-bit source IP address                                                                                    |
| c0a8 1e01                                                                                                   |
| 32-bit destination IP address                                                                               |
| Options (if any)                                                                                            |

TCP header

| 040e                      | 0017                                                                               |
| 16-bit source port number | 16-bit destination port number                                                     |
| 0000 e875                                                                                                      |
| 32-bit sequence number                                                                                         |
| 0000 0000                                                                                                      |
| 32-bit acknowledgment number                                                                                   |
| 6                         | 002                                           | 2000                               |
| 4-bit header length       | reserved (6 bits) | U | A | P | R | S | F     | 16-bit window size                 |
| ce2d                      | 0000                                                                               |
| 16-bit TCP checksum       | 16-bit urgent pointer                                                              |
| Options (if any)                                                                                               |
| 0204 05b4                                                                                                      |
| Start of Data (if any)                                                                                         |
TCPDump trace (20-byte IP header [without options] + 24-byte TCP header)
20:50:42.096190 Rover.1038 > Seeker.telnet: S 59509:59509(0) win 8192 <mss 1460> (DF) [tos 0x82]
4582 002c 7620 4000 8006 c6cb c0a8 1e0c
c0a8 1e01 040e 0017 0000 e875 0000 0000
6002 2000 ce2d 0000 0204 05b4 05b4
8-PROTOCOL NUMBERS
In the Internet Protocol version 4 (IPv4) [RFC791] there is a field, called "Protocol", that identifies the next-level protocol. This is an 8-bit field. In Internet Protocol version 6 (IPv6) [RFC1883] this field is called the "Next Header" field. These protocols are byte 1 of the IP field; 8-bit type of service (TOS).
Assigned Internet Protocol Numbers

| Decimal | Keyword    | Protocol                        | Hex  |
|---------|------------|---------------------------------|------|
| 1       | ICMP       | Internet Control Message        | 0x01 |
| 2       | IGMP       | Internet Group Management       | 0x02 |
| 6       | TCP        | Transmission Control            | 0x06 |
| 17      | UDP        | User Datagram                   | 0x11 |
| 41      | IPv6       | IPv6                            | 0x29 |
| 43      | IPv6-Route | Routing Header for IPv6         | 0x2b |
| 44      | IPv6-Frag  | Fragment Header for IPv6        | 0x2c |
| 50      | ESP        | Encap Security Payload for IPv6 | 0x32 |
| 51      | AH         | Authentication Header for IPv6  | 0x33 |
| 88      | EIGRP      | EIGRP                           | 0x58 |
| 89      | OSPFIGP    | OSPFIGP                         | 0x59 |
Normal TCP flag combinations
- SYN, SYN ACK, and ACK are used during the three-way handshake which establishes a TCP connection.
- Except for the initial SYN packet, every packet in a connection must have the ACK bit set.
- FIN ACK and ACK are used during the graceful teardown of an existing connection.
- RST ACK can be used to immediately terminate an existing connection.
- Packets during the "conversation" portion of the connection (after the three-way handshake but before the teardown or termination) contain just an ACK by default.
- Optionally, they may also contain PSH and/or URG.
Abnormal TCP flag combinations
- SYN FIN is probably the best known illegal combination. Remember that SYN is used to start a connection, while FIN is used to end an existing connection. It is nonsensical to perform both actions at the same time. Many scanning tools use SYN FIN packets, because many intrusion detection systems did not catch these in the past, although most do so now. You can safely assume that any SYN FIN packets you see are malicious.
- SYN FIN PSH, SYN FIN RST, SYN FIN RST PSH, and other variants on SYN FIN also exist. These packets may be used by attackers who are aware that intrusion detection systems may be looking for packets with just the SYN and FIN bits set, not additional bits set. Again, these are clearly malicious.
- Packets should never contain just a FIN flag. FIN packets are frequently used for port scans, network mapping and other stealth activities.
- Some packets have absolutely no flags set at all; these are referred to as "null" packets. It is illegal to have a packet with no flags set.
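The following decoder, added here as an example and not part of the original chart, walks the tcpdump hex dump above field by field exactly as the chart lays it out (IP version/IHL, TOS, DF/MF bits, TTL, protocol, header checksum, then TCP ports, sequence numbers, data offset, the six flag bits, window and the MSS option) and then applies the normal/abnormal flag rules listed above to the flags it finds. The hex string is copied from the trace; the `classify_tcp_flags` rule set is my encoding of the two lists and is not code from the chart's author.

```python
import struct
from ipaddress import IPv4Address

# Constructed from the tcpdump hex dump on the chart: 20-byte IP header + 24-byte TCP header.
TRACE_HEX = ("4582 002c 7620 4000 8006 c6cb c0a8 1e0c c0a8 1e01 "
             "040e 0017 0000 e875 0000 0000 6002 2000 ce2d 0000 0204 05b4")
# Low 6 bits of the TCP offset/flags word, in the U A P R S F order of the chart.
TCP_FLAG_BITS = ((0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"))

def ones_complement_sum(data: bytes) -> int:
    """RFC 791 checksum: fold the 16-bit ones'-complement sum; a valid header (checksum included) gives 0."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def classify_tcp_flags(flags) -> str:
    """Apply the chart's normal/abnormal flag-combination rules (my encoding) to a list of flag names."""
    f = set(flags)
    if not f:
        return "abnormal: null packet (no flags set)"
    if {"SYN", "FIN"} <= f:
        return "abnormal: SYN FIN variant"
    if f == {"FIN"}:
        return "abnormal: lone FIN"
    if f == {"SYN"}:
        return "normal: initial SYN"
    if "ACK" not in f:
        return "abnormal: ACK bit missing after the initial SYN"
    return "normal: " + " ".join(sorted(f))

def parse_ip_tcp(hexdump: str) -> dict:
    """Decode the IP and TCP header fields shown on the chart from a tcpdump-style hex dump."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    vihl, tos, tlen, ident, frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (vihl & 0x0F) * 4                       # 4-bit header length counts 32-bit words
    ip = {"version": vihl >> 4, "header_len": ihl, "tos": tos, "total_len": tlen, "id": ident,
          "DF": bool(frag & 0x4000), "MF": bool(frag & 0x2000), "frag_offset": frag & 0x1FFF,
          "ttl": ttl, "protocol": proto,
          "src": str(IPv4Address(raw[12:16])), "dst": str(IPv4Address(raw[16:20])),
          "checksum_ok": ones_complement_sum(raw[:ihl]) == 0}
    t = raw[ihl:]
    sport, dport, seq, ack, off_flags, win, _tcsum, urg = struct.unpack("!HHIIHHHH", t[:20])
    data_off = (off_flags >> 12) * 4              # TCP header length, also in 32-bit words
    flags = [name for bit, name in TCP_FLAG_BITS if off_flags & bit]
    opts = t[20:data_off]                         # option kind 2, length 4 = maximum segment size
    mss = struct.unpack("!H", opts[2:4])[0] if len(opts) >= 4 and opts[:2] == b"\x02\x04" else None
    tcp = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": data_off,
           "flags": flags, "window": win, "urgent": urg, "mss": mss}
    return {"ip": ip, "tcp": tcp, "verdict": classify_tcp_flags(flags)}

if __name__ == "__main__":
    print(parse_ip_tcp(TRACE_HEX))
```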