PacketReading PDF
"
$ %
'
(
)
"
+
+ ,
$
,
$*
&
.
)
/ ,
0
# /
0 1 0
23
41 5
64
21 5
64
31 5
: 23
41 75
641 5
641 5
641 5
:9
8 #
9
3
$
* $
;1
:
>
45
45
<
45
45
<
45
4
$
5
#, ) $ ?
@$
$ $
#
:
#
#
#1
#
$
/
$
1
0 ,
$
$
&
)
/
* $
+
$
$
$1
4
)
/
)
/;
B!
6)
/;
") +
+
5
B4
"
E
'
C
$
$
$
$
+
.
D*
/
E
*
$
$
F,
,
$
# B@
C
+*
$
C$*
, $
$
4$
$ 5
GH +
H
) H
F,
,
D E
) .
@
?
?
0,
$ *
0
3>
$ $
$ $*4
*
*
5
?$
)
C
7 3 7= 7<>773 " = 3
7 I E E$ <
"
/!
8 0 22 2=0 8 0
3<
*
;1
)
@
7 > 2 =>73= " =
"
/!
8 0 <3
1
<2
2<
1
< = 2 3> >
1
2$
2
>
1 7
< 2 3 = >
1 <
< 2 3 = >
1 2 7<72
";
"
/! ;
3
7 I8 E E$ <
30 8 0
3<
<
<
37
>7
9
2 > 9<9
9
$
7
9
$
7
9
$7 7 7 77
B ?$
)
$
*
3>
F
)
"
*
'
0
0
$
<
6<
3>
$ //
"
E
"
";
IPv4 Header (RFC 791)

Byte offset   Bits     Field
0             0-3      Version (4-bit)
0             4-7      IP header length, IHL (4-bit): header length in 32-bit words, multiply by 4 to convert to bytes
1             8-15     Type of Service (8-bit)
2-3           16-31    Total length (16-bit): length of the whole IP datagram, header plus data, in bytes
4-5           0-15     Identification (16-bit)
6             0-2      Flags (3-bit): reserved, DF (don't fragment), MF (more fragments)
6-7           3-15     Fragment offset (13-bit): multiply by 8 to convert to bytes
8             0-7      TTL (8-bit)
9             8-15     Protocol (8-bit): the embedded transport protocol, e.g. 1 ICMP, 6 TCP, 17 UDP
10-11         16-31    Header checksum (16-bit)
12-15         0-31     Source address (32-bit)
16-19         0-31     Destination address (32-bit)
20-23         0-31     Options (variable, present only when IHL > 5), padded to a 32-bit boundary

The header is 20 bytes without options (IHL = 5). Any IHL above 5 means options follow byte 19, and the transport header starts at IHL x 4, not at byte 20.
Worked example: a DNS reply carried in UDP (tcpdump -x output)

0x0000: 4500 00f4 4a99 0000 8011 f2b8 ac10 d202
0x0010: ac10 d283 0035 aaf4 00e0 7d0c 7a6a 8180
0x0020: 0001 0001 0004 0004 0331 3034 0331 3631
0x0030: 0332 3333 0236 3407 696e 2d61 6464 7204
0x0040: 6172 7061 0000 0c00 01c0 0c00 0c00 0100
0x0050: 0000

Byte 0           0x45       Version 4, IHL 5 (5 x 4 = 20-byte header, no options)
Byte 1           0x00       ToS 0
Bytes 2,3        0x00f4     Total length: 244 bytes
Bytes 4,5        0x4a99     Identification: 19097
Bytes 6,7        0x0000     Flags: DF and MF clear; fragment offset 0
Byte 8           0x80       TTL: 128
Byte 9           0x11       Embedded protocol: 0x11 = 17 decimal (UDP). Read the protocol byte in decimal when comparing against the protocol number table; 0x11 is not "protocol 11".
Bytes 10,11      0xf2b8     Header checksum (verifies: the one's-complement sum of the 10 header words is 0xffff)
Bytes 12-15      ac10 d202  Source address: 172.16.210.2
Bytes 16-19      ac10 d283  Destination address: 172.16.210.131
Bytes 20-27      0035 aaf4 00e0 7d0c   UDP header: source port 53, destination port 43764, length 224 (244 - 20), checksum 0x7d0c
Bytes 28-        7a6a 8180 ...         DNS message: ID 0x7a6a, flags 0x8180 (response, recursion desired and available, no error), 1 question, 1 answer, 4 authority, 4 additional; the question name is 104.161.233.64.in-addr.arpa, type 0x000c (PTR), class 1

Worked example: IP header with a strict source route option

0x0000: 4700 0030 7276 0000 4006 74c9 7f00 0001
0x0010: 7f00 0001 8907 087f 0000 0200 091d 0000
0x0020: 0052 ea5d 1176 204e 5000 0200 8a51 0000

Byte 0           0x47       Version 4, IHL 7: 7 x 4 = 28 bytes, so 8 option bytes follow the fixed 20
Bytes 2,3        0x0030     Total length 48 bytes (28-byte IP header + 20-byte TCP header, no data)
Byte 9           0x06       Protocol 6 (TCP); source and destination are both 127.0.0.1
Bytes 20-27      8907 087f 0000 0200   Option bytes:
  Type      8 bits   0x89 = 137 decimal: copied flag 1, class 0, option number 9 = strict source route (RFC 791)
  Length    8 bits   0x07 = 7 bytes (type, length, pointer and one 4-byte address)
  Pointer   8 bits   0x08: the next address to use is at offset 8 from the option start, which is past the end of the option, so the route has been fully consumed
  Route data         7f00 0002 = 127.0.0.2
  Padding            0x00 (end of option list, fills the header to a 32-bit boundary)
Byte 28 onwards  091d 0000 0052 ea5d ... TCP header: source port 2333, destination port 0, data offset 5, no flags set, window 512

Note: Strict source route - RFC 791. Source-routed packets are rarely legitimate on modern networks; they are a classic way to route traffic past filters or to spoof a trusted address, and most hosts and routers drop them. A filter such as ip[0] & 0x0f > 5 finds every packet carrying IP options so they can be inspected.
TCP Header (RFC 793)

Byte offset   Field
0-1           Source port (16-bit)
2-3           Destination port (16-bit)
4-7           Sequence number (32-bit)
8-11          Acknowledgement number (32-bit)
12            Data offset (4-bit, high nibble): header length in 32-bit words, multiply by 4 to convert to bytes; low nibble reserved
13            Flags (8-bit), high bit to low bit: CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
14-15         Window size (16-bit)
16-17         Checksum (16-bit)
18-19         Urgent pointer (16-bit)
20-23         Options (variable, present only when data offset > 5), padded to a 32-bit boundary
              data (variable)

The header is 20 bytes without options (data offset = 5). Unlike the IP header length, the TCP header length sits in the HIGH nibble of its byte; mask with 0xF0 and shift right 4.
Worked example: a crafted TCP segment carrying "Some random data" (tcpdump -x output)

0x0000: 4500 0088 ee14 0000 4006 8e59 7f00 0001
0x0010: 7f00 0001 0425 0000 5990 8dd1 4030 b112
0x0020: 5018 0200 dbb0 0000 536f 6d65 2072 616e
0x0030: 646f 6d20 6461 7461 0a00 0000 0000 0000
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000
0x0050: 0000

IP header (bytes 0-19): version 4, IHL 5 (20 bytes), total length 0x0088 = 136 bytes, ID 0xee14, no fragmentation, TTL 64, protocol 6 (TCP), checksum 0x8e59 (verifies), 127.0.0.1 -> 127.0.0.1. The TCP offsets below are counted from the start of the TCP header, i.e. from byte 20 of the packet.

Bytes 0,1                   0x0425      Src. Port 1061
Bytes 2,3                   0x0000      Dest. Port 0: no real service listens on port 0, so this is a crafted packet
Bytes 4,5,6,7               0x59908dd1  Seq. Number 1502645713
Bytes 8,9,10,11             0x4030b112  Ack. Number 1076932882
Byte 12                     0x50        Data offset 5 (5 x 4 = 20-byte header, no options); low nibble reserved, 0
Byte 13                     0x18        Flags: PSH and ACK set (0x10 ACK + 0x08 PSH)
Bytes 14,15                 0x0200      Window Size 512
Offset 16, length 2 bytes   0xdbb0      Checksum
Offset 18, length 2 bytes   0x0000      Urgent Pointer
Offset 20, length 96 bytes              Data: 136 total - 20 IP - 20 TCP = 96 bytes. It starts 536f 6d65 2072 616e 646f 6d20 6461 7461 0a = "Some random data\n"; the dump shown is cut off at byte 82, so the rest of the payload is not visible here.
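The decoding steps of the two worked examples (IHL x 4, the protocol byte, walking the option bytes, reading the TCP data offset from the high nibble of byte 12, pulling the flag bits apart) as a runnable parser. This is example code added to this page, not part of the original cheat sheet; the three hex dumps are the page's own packets with their offsets stripped, the dictionary key names are this example's choice, and it additionally recomputes the IP header checksum (RFC 1071 one's-complement sum), which the text lists but does not check. Requires Python 3.7+ for bytes.fromhex() to skip whitespace.

```python
"""Decode IPv4 / TCP / UDP header fields from tcpdump -x style hex dumps."""
import struct

# The page's three packets, copied from the dumps above with the offsets removed.
DNS_REPLY = bytes.fromhex(
    "4500 00f4 4a99 0000 8011 f2b8 ac10 d202 ac10 d283 0035 aaf4 00e0 7d0c 7a6a 8180"
    "0001 0001 0004 0004 0331 3034 0331 3631 0332 3333 0236 3407 696e 2d61 6464 7204"
    "6172 7061 0000 0c00 01c0 0c00 0c00 0100 0000")
TCP_SEGMENT = bytes.fromhex(
    "4500 0088 ee14 0000 4006 8e59 7f00 0001 7f00 0001 0425 0000 5990 8dd1 4030 b112"
    "5018 0200 dbb0 0000 536f 6d65 2072 616e 646f 6d20 6461 7461 0a00 0000 0000 0000"
    "0000 0000 0000 0000 0000 0000 0000 0000 0000")
SOURCE_ROUTED = bytes.fromhex(
    "4700 0030 7276 0000 4006 74c9 7f00 0001 7f00 0001 8907 087f 0000 0200 091d 0000"
    "0052 ea5d 1176 204e 5000 0200 8a51 0000")

# Bit 0 of the 9-bit flag field is FIN, bit 8 is NS (RFC 3540).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header; 0 means the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip_options(raw: bytes) -> list:
    """Walk the option bytes that sit between byte 20 and the end of the IP header."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # No Operation: single pad byte
            i += 1
            continue
        length = raw[i + 1]
        data = raw[i + 2:i + length]
        opt = {"type": kind, "copied": kind >> 7, "class": (kind >> 5) & 3,
               "number": kind & 0x1F, "length": length}
        if kind in (0x83, 0x89):            # loose (131) / strict (137) source route
            opt["pointer"] = data[0]
            opt["route"] = [".".join(map(str, data[j:j + 4])) for j in range(1, len(data) - 3, 4)]
        opts.append(opt)
        i += length
    return opts


def parse_packet(pkt: bytes) -> dict:
    """Decode the IPv4 header, then the TCP or UDP header it carries."""
    ihl = (pkt[0] & 0x0F) * 4               # low nibble, 32-bit words -> bytes
    total_len, ident, frag, ttl, proto, csum = struct.unpack("!HHHBBH", pkt[2:12])
    ip = {
        "version": pkt[0] >> 4, "ihl": ihl, "tos": pkt[1], "total_length": total_len,
        "id": ident, "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
        "frag_offset": (frag & 0x1FFF) * 8,  # 13-bit offset in 8-byte units -> bytes
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "options": parse_ip_options(pkt[20:ihl]),
    }
    l4 = pkt[ihl:total_len]                 # transport header starts at IHL*4, not at 20
    if proto == 6:
        sport, dport, seq, ack, off_flags, window, tcsum, urg = struct.unpack("!HHIIHHHH", l4[:20])
        doff = (off_flags >> 12) * 4        # data offset is the HIGH nibble of byte 12
        flags = off_flags & 0x1FF
        ip["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": doff,
                     "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags >> i & 1],
                     "window": window, "checksum": tcsum, "urgent": urg, "payload": l4[doff:]}
    elif proto == 17:
        sport, dport, length, ucsum = struct.unpack("!HHHH", l4[:8])
        ip["udp"] = {"sport": sport, "dport": dport, "length": length,
                     "checksum": ucsum, "payload": l4[8:]}
    return ip


if __name__ == "__main__":
    for name, pkt in [("DNS reply", DNS_REPLY), ("TCP segment", TCP_SEGMENT),
                      ("source routed", SOURCE_ROUTED)]:
        print(name, parse_packet(pkt))
```

The parser returns a non-empty "options" list for the source-routed packet and an empty one for the other two; in a triage script that list, together with checksum_ok being False, is exactly what to alert on, since crafted packets frequently get one or the other wrong.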
tcpdump byte-displacement filter reference

Field                Length (bits)   TCPDUMP Filter      Notes
IP Header Length     4               ip[0] & 0x0F        low nibble of byte 0, in 32-bit words; multiply by 4 for bytes
IP Packet Length     16              ip[2:2]
IP Fragmentation     16              ip[6:2]             flags = top 3 bits (ip[6] & 0xE0: reserved 0x80, DF 0x40, MF 0x20); fragment offset = low 13 bits (ip[6:2] & 0x1FFF), in 8-byte units
IP TTL               8               ip[8]
IP Protocol          8               ip[9]               see the protocol number table below
IP Address - Src     32              ip[12:4]
IP Address - Dst     32              ip[16:4]
ICMP Type            8               icmp[0]
ICMP Code            8               icmp[1]
TCP Src Port         16              tcp[0:2]
TCP Dst Port         16              tcp[2:2]
TCP Header Length    4               tcp[12] & 0xF0      HIGH nibble of byte 12 (the IP header length uses the low nibble); (tcp[12] & 0xF0) >> 2 gives bytes
TCP Flags            8               tcp[13]             CWR 0x80, ECE 0x40, URG 0x20, ACK 0x10, PSH 0x08, RST 0x04, SYN 0x02, FIN 0x01
TCP Window Size      16              tcp[14:2]
UDP Src Port         16              udp[0:2]
UDP Dst Port         16              udp[2:2]
UDP Length           16              udp[4:2]

IP protocol numbers (value of ip[9])

Dec   Hex    Proto
1     0x01   ICMP
2     0x02   IGMP
6     0x06   TCP
9     0x09   IGRP
17    0x11   UDP
47    0x2F   GRE
50    0x32   ESP
51    0x33   AH
Two different formats to specify filters:

1. Byte displacement
   <protocol header>[offset:length] <relation> <value>
   ip[9] = 6           embedded protocol is TCP
   tcp[2:2] = 80       destination port is 80
   udp[6:2] != 0       UDP checksum is not zero
   icmp[0] = 8         ICMP echo request (the primitive name is lower-case; Icmp[0] is a syntax error)
   Offsets count from the start of the named header, so tcp[0:2] still finds the source port when the IP header carries options. tcp[], udp[] and icmp[] imply the matching ip proto test and only match the first fragment (fragment offset 0); later fragments carry no transport header and never match these primitives.

2. <macro> <value>
   dst host www.msn.com
   port != ssh
   ether src <MAC address>
   net 10.10.10.0/24
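The byte-displacement form, evaluated in Python against raw IPv4 packets so the offset arithmetic can be checked without a capture file. This is example code added to this page, not part of the original and not libpcap; it implements only the <proto>[offset:length] <relation> <value> syntax with an optional "& mask" for ip, tcp, udp and icmp, applies the same implied ip proto and first-fragment checks that libpcap adds, and leaves the macro forms (host, port, net, ether) out. The sample packets are the header bytes of the page's three worked-example dumps, and the names PACKETS, matches and select are this example's own.

```python
"""Evaluate tcpdump-style byte-displacement filters against raw IPv4 packets."""
import operator
import re

# Header bytes of the page's three packets, truncated to what the filters look at.
PACKETS = {
    "dns":  bytes.fromhex("4500 00f4 4a99 0000 8011 f2b8 ac10 d202 ac10 d283 0035 aaf4 00e0 7d0c"),
    "tcp":  bytes.fromhex("4500 0088 ee14 0000 4006 8e59 7f00 0001 7f00 0001 0425 0000 5990 8dd1"
                          "4030 b112 5018 0200 dbb0 0000"),
    "ssrr": bytes.fromhex("4700 0030 7276 0000 4006 74c9 7f00 0001 7f00 0001 8907 087f 0000 0200"
                          "091d 0000 0052 ea5d 1176 204e 5000 0200 8a51 0000"),
}

PROTO_NUMBER = {"icmp": 1, "tcp": 6, "udp": 17}
RELATIONS = {"=": operator.eq, "==": operator.eq, "!=": operator.ne,
             ">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}
FILTER_RE = re.compile(r"""
    ^\s*(?P<proto>ip|tcp|udp|icmp)\s*\[\s*(?P<off>\d+)\s*(?::\s*(?P<len>[124]))?\s*\]
    \s*(?:&\s*(?P<mask>0x[0-9a-fA-F]+|\d+)\s*)?
    (?P<rel>==|=|!=|>=|<=|>|<)\s*(?P<val>0x[0-9a-fA-F]+|\d+)\s*$""", re.X)


def matches(expr: str, pkt: bytes) -> bool:
    """True if the single byte-displacement expression holds for this packet."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError("unsupported filter syntax: %r" % expr)
    proto = m["proto"]
    if proto == "ip":
        base = 0
    else:
        # tcp[]/udp[]/icmp[] imply 'ip proto X'; libpcap also rejects non-first fragments,
        # because only the first fragment carries the transport header.
        if pkt[9] != PROTO_NUMBER[proto] or int.from_bytes(pkt[6:8], "big") & 0x1FFF:
            return False
        base = (pkt[0] & 0x0F) * 4          # transport header starts after IHL*4 bytes
    start, length = base + int(m["off"]), int(m["len"] or 1)
    field = pkt[start:start + length]
    if len(field) < length:                 # filter reaches past the captured bytes
        return False
    value = int.from_bytes(field, "big")
    if m["mask"]:
        value &= int(m["mask"], 0)          # int(..., 0) accepts both 0x.. and decimal
    return RELATIONS[m["rel"]](value, int(m["val"], 0))


def select(expr: str, packets=PACKETS) -> list:
    """Names of the sample packets that match the expression, in dictionary order."""
    return [name for name, pkt in packets.items() if matches(expr, pkt)]


if __name__ == "__main__":
    for f in ["ip[9] = 6", "tcp[2:2] = 0", "udp[6:2] != 0", "icmp[0] = 8",
              "tcp[13] & 0x12 = 0x02", "ip[0] & 0x0f > 5", "tcp[0:2] = 2333"]:
        print("%-24s -> %s" % (f, select(f)))
```

"tcp[0:2] = 2333" matching the source-routed packet is the point to take away: the TCP header there starts at byte 28, not byte 20, and the primitive follows IHL so the offset is still right. A hand-written "ip[20:2] = 2333" would miss it.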