1. Packet Analysis with Wireshark
ARP, IP, TCP, UDP, ICMP
Kyu Hyun Choi

2. Wireshark?
Free and open-source network packet analyzer for Unix, Linux, Windows, OSX, BSD, Solaris and so on

3. What can we do with Wireshark
Network troubleshooting, analysis
Software and communications protocol development
Education
Hacking !

4. Getting Started
Download and install wireshark

5. Select Device

6. Start live capture Captured Network Packet list
Analyzed information about the packet
Packet
Raw data

7. ARP Address Resolution Protocol
Telecommunication protocol used for resolution of network layer addresses into link layer addresses
Convert IP address to a physical address (such as MAC address)

8. ARP – Packet structure
The length of the address fields is determined by the corresponding address length fields

9. ARP – Packet structure Hardware type (HTYPE) Protocol type (PTYPE)
Specifies the network protocol type. e.g. Ethernet = 1
Protocol type (PTYPE)
Specifies the internet protocol for which the ARP request is intended. For IPv4, this has the value 0x0800
Hardware address length (HLEN)
Length of a hardware address. Ethernet addresses size is 6.
Protocol address length (PLEN)
Length of addresses used in the upper layer protocol (Specified in PTYPE). IPv4 address size is 4.

10. ARP – Packet structure Operation code Sender hardware address (SHA)
Specifies the operation that the sender is performing.
1 for request, 2 for reply
Sender hardware address (SHA)
ARP Request → Indicate the address of the host sending the request
ARP reply → Indicate the address of the host that the request was looking for
Sender protocol address (SPA)
Internetwork address of the sender
Target hardware address (THA)
ARP Request → Ignored
ARP Reply → Indicate the address of the host that originated the ARP request
Target protocol address (TPA)
Internetwork address of the intended receiver

11. IP Internet Protocol Unique global address for a network interface
An IP address:
is a 32 bit long identifier (IPv4)
encodes a network number and a host number

12. Network prefix and host number
The network prefix identifies a network
The host number identifies a specific host
How do we know how long the network prefix is?
The network prefix is indicated by a netmask
e.g → Network prefix is first 3 bytes, and last byte is host number
Notation: /24
Network prefix is 24 bits long
network prefix
host number

13. IP datagram format

14. 32 bit destination IP address
IP header fields
IP protocol version number
32 bits
total datagram
length (bytes)
header length (bytes)
head.
len
type of
service
ver
length
“type” of data
fragment
offset
16-bit identifier
for fragmentation / reassembly
flags
max number remaining hops
(decremented at each router)
time to
live
upper
layer
header
checksum
upper layer protocol
to deliver payload to
Checksum. Protect the header of IP data packets against data corruption
32 bit source IP address
32 bit destination IP address
Options (if any)
E.g. timestamp, record route taken, specify list of routers to visit.
Data
(typically a TCP
or UDP segment)

15. IP header Analysis with Wireshark
IP is in Network Layer
So IP packets are padded by lower layer protocols
First 12 Bytes are Ethernet header
Source and destination MAC address

16. IP header Analysis with Wireshark
IPv4 header fields
20bytes
0x45 =
0100 = 4 (Version: 4)
0101 = 5 (5 × 4B (1 word) = 20B)
0x00 =
Type of service
Nothing special

17. IP header Analysis with Wireshark
0x05dc = 1500
Total length
0xf146 = 61766
Identification
0x40 =
010: Bit vector
(Reserved bit)(Don’t fragment)(More fragment)
00000: fragment offset
0x2e = 46
Time To Live

18. IP header Analysis with Wireshark
0x06 = 6 (TCP)
Upper layer protocol is TCP
0xcdb9
Checksum
0x3a7860c5:
Source IP
0xa :
Destination IP

19. IP Checksum calculation
Divide IP header field into 2 bytes segment
Assume that checksum bytes are 0x0000
Add all byte segments
The sum is 0x in this case
Add the carries to lower 2 bytes of the sum
0x x3243 = 0x3246
Take 1’s complement
0x3246 = → = 0xcdb9
Profit!!!

20. Transport Layer Protocols
TCP – Transmission Control Protocol
Stream oriented
Reliable, connection-oriented
Complex
Only unicast
Used for most internet applications:
Web (http), (smtp), file transfer (ftp), terminal (telnet), etc.
UDP – User Datagram Protocol
Datagram oriented
Unreliable, connectionless
Simple
Unicast and multicast
Useful only for few applications e.g. Multimedia applications
Used a lot for services
Network management (SNMP), routing (RIP), naming (DNS), etc.

21. TCP Transmission Control Protocol
TCP is a connection-oriented protocol
It creates a virtual connection between two TCPs to send data
Uses flow and error control mechanism at the transport layer
Provides a reliable unicast end-to-end byte stream over an unreliable internetwork

22. TCP header format

23. TCP header fields Port Number:
A port number identifies the endpoint of a connection (process)
A pair <IP address, port number> identifies one endpoint of a connection

24. TCP header fields Sequence Number (Seq)
Sequence number is 32 bits long
So the range of sequence number is 0 ≤ seq ≤
Each sequence number identifies a byte in the byte stream
Initial Sequence Number (ISN) of a connection is set during connection establishment

25. TCP header fields Acknowledgement Number (Ack):
Acknowledgements are piggybacked, i.e.
A segment from A → B can contain an acknowledgement for a data sent in the B → A direction
A host uses the Ack field to send acknowledgements
If a host sends an Ack in a segment it sets the “ACK flag”
The Ack contains the next Seq that a hosts wants to receive
e.g. The acknowledgement for a segment with Seq is Ack=1501

26. TCP header fields - Flags

27. TCP header fields Window Size: TCP checksum: Urgent Pointer:
Each side of the connection advertises the window size
Window size is the maximum number of bytes that a receiver can accept
Maximum window size is 216 – 1 = bytes
TCP checksum:
TCP checksum covers over both TCP header and TCP data
Urgent Pointer:
Only valid if URG flag is set

28. TCP header analysis with Wireshark

29. TCP header analysis with Wireshark
0x0050 = 80
Source port
0x1f53 = 8019
Destination port

30. TCP header analysis with Wireshark
0xbe7c79b6
Sequence number
0xf4b7bd42
Ack number
0x5 = 5
Header length
5 × 4byte (1word) = 20bytes

31. TCP header analysis with Wireshark
0x010
Flags
Bit vector
Acknowledgment
0x0036
Window size
0x26fb
Checksum
0x0000
Urgent pointer

32. UDP User Datagram Protocol
Connectionless, unreliable transport protocol
UDP merely extends the host-to-host delivery serivce of IP datagram to an process-to-process service
The only thing that UDP adds is multiplexing and demultiplexing

33. UDP format

34. UDP header fields
Port numbers identify sending and receiving processes
Total length is at least 8 bytes (i.e., Data field can be empty) and at most 65,535
Checksum is for header of UDP and some of the IP header fields (Pseudoheader)

35. Checksum Calculation

36. Checksum Calculatioin

37. UDP header analysis with Wireshark
Ethernet header and IPv4 header is padded before UDP header
0xc93f
Source port: 51519
0x079b
Destination port: 1947
0x0030
Length: 48B (header + data)
0xdb48
Checksum

38. ICMP Internet Control Message Protocol
Type Code description
echo reply (ping)
dest. network unreachable
dest host unreachable
dest protocol unreachable
dest port unreachable
dest network unknown
dest host unknown
source quench (congestion
control - not used)
echo request (ping)
route advertisement
router discovery
TTL expired
bad IP header
Internet Control Message Protocol
Used by hosts & routers to communicate network-level information
Error reporting: Unreachable host, network, port, protocol
Echo request/reply (used by ping)
Network-layer above IP:
ICMP msgs carried in IP datagrams

39. ICMP Format 4 byte header Type (1byte): type of ICMP message
Code (1byte): subtype of ICMP message
Checksum (2bytes): similar to IP header checksum. Caculated over entire ICMP message
If there is no additional data, there are 4 bytes set to zero
Each ICMP messages is at least 8 bytes long

40. ICMP in TCP/IP
Special purpose message mechanism added to the TCP/IP protocols
ICMP is a network layer protocol, but its messages are first encapsulated into IP datagram

41. ICMP header analysis with Wireshark

42. ICMP header analysis with Wireshark
0x08
Type: 8
0x00
Code: 0
Echo (ping) request
0x4d53
Checksum 0x
Additional information
Identifier in this case
Wireshark shows it into two types
Big endian, Little endian
Rest bits are data