mercredi 21 avril 2010

basics 2 - tutorial analysis of 2,3,4 layers

In this article, we illustrate the exchanges on the layers 2,3,4 in a practical example: ethernet, IP, TCP, UDP.
French version available on the site.

watch traffic with TCPDUMP

In our lab,, on Windows client, in a term:
C:\clientXP > ping -n 1
(one echo request is sent to server)

intrus $ sudo tcpdump
We can observe the IP packets between client WXP and server: echo request.

intrus $ tcpdump icmp and src
( listen to ICMP requests from client XP)

the traffic is filtered:
- source = client XP
- protocol ICMP
Intrus $ sudo tcpdump icmp[0]=8
(only echo requests)

analysis of Ethernet header

C:\clientxp > arp -d
C:\clientxp > ping -n 1

intrus $ sudo tcpdump -x icmp or arp
( show ICMP or ARP requests inhexadecimal format.)

In the first ARP request, we can see that the MAC destination field is 00:00:00:00:00:00. It is normal because the aim of this request is to ask for the MAC address associated with IP

recall Ethernet frame

In bytes
01234567891011121314 … 15131514151515161517
MAC destination addressMAC source addressType of protocolDataFCS/CRC

Caution, there are different Ethernet frames with other features. For example, the type of protocol field can be filled with these values:
0x0800 : IPv4
0x86DD : IPv6
0x0806 : ARP
C:\clientXP > ipconfig /all

serveur $ ifconfig

analysis of TCP/IP header

C:\clientXP > telnet -l utilisteur
intrus $ sudo tcpdump -x src

the encapsulated protocol is TCP ( = 6)

the source and destination addresses are:
c0.a8.00.0a (
c0.a8.00.02 (

the source and destination ports are:
413 (1043d)
17 (23d = telnet)
C:\clientXP > telnet -l utilisteur
intrus $ sudo tcpdump -x src or src

the TCP flag of the client's request is 02 (SYN):
0 = 0000
ECN = 00
URG = 0
ACK = 0

2 = 0010:
PSH = 0
RST = 0
SYN = 1
FIN = 0

the TCP flag of the response is 14 (ACK - RST)

1 = 0001
ECN = 00
URG = 0
ACK = 1

4 = 0100:
PSH = 0
RST = 1
SYN = 0
FIN = 0

reminders IP packets

(reference [5])

In bytes

IP versionheader length (32 bits words)Type of servicetotal length (bytes)
Identification (for fragments)Flags (for fragments)Fragment offset
TTL Time To LiveProtocolheader control checksum
source address
destination address

recall ARP packet:

(reference: [3])
The next array shows different fields for classical ARP message (protocole TCP/IPv4).

protocol typehardware address sizeprotocol address size Operationsource hardware addresssource protocol addressdestination hardware addressdestination protocol address
2 bytes2 bytes1 byte1 byte2 bytes6 bytes4 bytes6 bytes4 bytes

hardware type: for ethernet, 0x0001
protocol type: for example IPv4
hardware address size : for ethernet, 6 (because ethernet addresses are 6 bytes long)
protocol address size (logical) :
For IPv4, logical address are 4 bytes long
For IPV6, logical addresses are 6 bytes long
Operation :
request (0000.....0001)
response (0000.....0010)

recall TCP segment

(reference [4]
In bits
Source port 2 octets destination port 2 octets
Sequence number
Numéro d'acquittement
header sizereservedECNURGACKPSHRSTSYNFINwindow
checksumurgent data pointer

Signification of these fields :
Source port 
Destination port
sequence number : Sequence number of the first byte of the segment
Numéro d'acquittement : sequence number of next byte attended
header size : header length in words 32 bits long ( options are part of header)
Reserved : Reserved for a future usage
ECN : congestion, cf RFC 3168
URG : URGent data
ACK : packet is ACKnowledgement
PSH : data must be immediatly sent again (PuSH)
RST : anormal break of connexion (ReSeT)
SYN : ask for SYNchronisation or connexion
FIN : ask for END of connexion
Window : size of window asked. Means number of bytes destination wants to receive before asking for a reception acknowledgement.
Checksum : checksum calculated with the whole TCP header and datas, and a pseudo header (calculated with IP header)
Urgent datas pointer : relative position of urgent datas
Remplissage : Zeros added to align next field with 32 bits word.

analysis of UDP header

Traceroute uses the UDP protocol. Let's use it on localhost interface

prerequisites: install traceroute:
intrus $ sudo apt-get install traceroute
1st terminal:
intrus $ tcpdump -x -i lo
2nd terminal:
intrus $ sudo traceroute -i lo localhost

source port is: 61168 (0xc7e0)
destination port is: 33434 (0x829a)
Source gives the port it uses, so that destination can send back

recall UDP datagram

(reference [6])
The UDP datagram header is much more simple than TCP:

Source port (16 bits)Destination port (16 bits)
Length (16 bits)Checksum (16 bits)

analysis of FTP protocol

(Reference [7])

Prerequisites: install FTP server on server
serveur $ sudo apt-get install proftpd
show configuration file:
serveur $ cat /etc/proftp/proftp.conf | less
default configuration is enough bere.

Other prerequisites: installation of FTP FileZilla on client XP
Other prerequisite: installation of Wireshark on intrus:
intrus $ sudo apt-get install wireshark
start Wireshark (must be sudo):
intrus $ sudo wireshark

description of a trame:

FTP datas are then encapsulated in a TCP segment, which is encapsulated in IP packet.

follow TCP stream:

pseudo and password are sent in clear text. We must use another protocol, like ftps.


3) la norme IEE802.3 et les protocoles ARP et ETHERNET -
4) Wikipedia – Transmision Control Protocol -
5) Wikipedia – Ipv4 -
6) Wikipedia – UDP -
7) Ubuntu proftpd -

Aucun commentaire:

Enregistrer un commentaire