PCAP HEADERS DESCRIPTION
By: Shravan Kumar (a.k.a. cor3sm4sh3r)
INDEX
Serial No   Topic                      Slide Number
1           What Is PCAP               3
2           PCAP File Format           4
3           Global Header Structure    5
4           Packet Structure           7
5           Some packet Headers        8
6           Ether Header Structure     11
7           ARP Header Structure       15
8           IPv4 Header Structure      20
9           UDP Header Structure       26
10          ICMP Header Structure      30
11          TCP Header Structure       35
WHAT IS PCAP
• PCAP stands for Packet Capture
• A PCAP file consists of all the network data captured on a particular interface
• Many programs use the WinPcap and libpcap libraries to capture network data and store it in pcap format
• Examples: Wireshark, TCPDUMP, KISMET, ETHEREAL, and most other software you may have encountered while dealing with network traffic analysis
PCAP FILE FORMAT
GLOBAL HEADER
• These are the first 24 bytes of the PCAP file
• 4 bytes Magic Number
• 2 bytes Major Version Number
• 2 bytes Minor Version Number
• 8 bytes GMT timezone offset
• 4 bytes Maximum snap length (65535)
• 4 bytes Link-Layer Header Type
PACKET STRUCTURE
• A packet consists of two things:
• PACKET HEADER
• PACKET DATA
• The first packet header starts immediately after the global header; there is no padding in between them
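As an added example (not code from the deck or its author), here is a small Python reader for the two structures just described: the 24-byte global header and the 16-byte record header that precedes each packet's data. It follows the libpcap layout, so the "8 bytes GMT timezone offset" listed above is read as two 4-byte fields (thiszone and sigfigs); it uses the magic number to detect the writer's byte order, and it refuses records whose claimed length exceeds the snap length or the bytes actually left in the file, since a parser that trusts those lengths blindly will read past its buffer on a malformed capture. The sample file it parses is constructed inline and carries a single 42-byte ARP frame.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic, microsecond timestamps
GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16


def parse_pcap(data: bytes) -> dict:
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than the 24-byte global header")
    # The magic number reveals the writer's byte order: if it reads as 0xA1B2C3D4
    # little-endian the file is little-endian, if big-endian the file is big-endian.
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        end = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        end = ">"
    else:
        raise ValueError(f"not a classic pcap file, magic bytes {data[:4].hex()}")
    # 2 major, 2 minor, 4 thiszone, 4 sigfigs (the slide's 8-byte "timezone offset"),
    # 4 snaplen, 4 link-layer type
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    packets = []
    off = GLOBAL_HDR_LEN   # first record header follows the global header with no padding
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        # A record claiming more bytes than snaplen, more than its original length, or more
        # than remain in the file is malformed; refuse it rather than read past the buffer.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"record at {off - RECORD_HDR_LEN}: incl_len {incl_len} exceeds "
                             f"snaplen {snaplen} or orig_len {orig_len}")
        if len(data) - off < incl_len:
            raise ValueError(f"record at {off - RECORD_HDR_LEN}: only {len(data) - off} of "
                             f"{incl_len} data bytes present")
        packets.append({"ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return {"byte_order": "little" if end == "<" else "big", "version": (major, minor),
            "thiszone": thiszone, "sigfigs": sigfigs, "snaplen": snaplen, "linktype": linktype,
            "packets": packets}


def validation_error(data: bytes) -> str:
    """Return the parser's complaint for a malformed file, or '' if it parses cleanly."""
    try:
        parse_pcap(data)
        return ""
    except ValueError as e:
        return str(e)


def build_sample_pcap(end: str = "<") -> bytes:
    """Constructed sample: global header plus one record holding a 42-byte ARP frame (linktype 1 = Ethernet)."""
    frame = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\0" * 28
    global_hdr = struct.pack(end + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack(end + "IIII", 1_700_000_000, 123_456, len(frame), len(frame))
    return global_hdr + record_hdr + frame


if __name__ == "__main__":
    cap = parse_pcap(build_sample_pcap())
    print(cap["version"], cap["snaplen"], cap["linktype"], len(cap["packets"]))
    print(validation_error(build_sample_pcap()[:-5]))   # truncated record data is reported
```

Pass `build_sample_pcap(">")` to see the same file written big-endian parse to identical values; the only thing that changes is which unpack format the magic number selects.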
SOME PACKET HEADERS
• ARP packet headers
• ICMP packet headers
• TCP packet headers
• HTTP packet headers
• UDP packet header (DNS query)
ETHER HEADER STRUCTURE
• It's a 14 bytes header
• It's the first header in the packet headers
• Below is the packet dump
• The highlighted area is the ether header
• 14 bytes can be broken into 3 fields
• First 6 bytes: Destination MAC address
• Next 6 bytes: Source MAC address
• Next 2 bytes: Type of packet (ARP, DOD (IPv4), IPv6 … etc.)
• The last 2 bytes decide the next type of header
• For example, if the type is 0800 it's an IPv4 (DOD) packet, so the IPv4 header is the next header
• If the type is 0806 it's an ARP packet, so the ARP header is the next header
• ARP header is 28 bytes
• IPv4 header is 20 bytes
ARP HEADER STRUCTURE
• It's a 28 bytes header
• Below is the packet dump; the highlighted area is the ARP header
• ARP header can be broken into 9 fields
• First 2 bytes: hardware type
• 2 bytes: protocol type
• 1 byte: hardware size
• 1 byte: protocol size
• 2 bytes: opcode
• 6 bytes: source MAC address
• 4 bytes: source IP address
• 6 bytes: destination MAC address
• 4 bytes: destination IP address
• Total ARP packet size is 64 bytes (Ether header + ARP header + Padding)
• The rest of the bytes are padding to make up the size
IPV4 HEADER STRUCTURE
• It's a 20 bytes header
• First byte is constant 0x45 for IPv4 and 0x60 for IPv6
• Next byte is the Differentiated Services field
• 2 bytes for total length = total packet size – 14 (ether header)
• In the above example the total packet size is 471
• The total length is 457 (471 – 14) bytes
• This total length field is used to correctly identify how many bytes are there in this packet
• Next 2 bytes: Identification
• Next 1 byte is used to store flags
• 1 byte Fragment Offset
• 1 byte Time To Live (TTL); it's 128 here
• 1 byte for Protocol; it's a very important byte, used to determine the next type of header (TCP, UDP, ICMP, or other)
• Next 2 bytes are Checksum
• 4 bytes Source IP address
• 4 bytes Destination IP address
• As mentioned earlier, the next header is decided using the protocol field
UDP HEADER STRUCTURE
• It's only 8 bytes long
• PCAP DUMP
• Can be broken into 4 fields
• 2 bytes source port
• 2 bytes destination port
• 2 bytes length field (size of UDP header + size of the rest of the payload)
• The payload, which is the packet data, = length field value – 8 bytes
• 2 bytes checksum
ICMP HEADER STRUCTURE
• It's also only an 8 bytes header
• The first 8 bytes of the highlighted area are the ICMP header; the rest of the bytes are payload
• The 8 bytes header can be broken into five fields
• First 1 byte is for the type of ICMP, i.e. request, reply, destination unreachable … etc.
• Next 1 byte for code
• There are 45 type codes for ICMP
• Next 2 bytes checksum
• Next 2 bytes Identifier
• Next 2 bytes Sequence Number
• The rest of the bytes are payload
TCP HEADER STRUCTURE
• It's a 20 bytes long header
• PCAP DUMP
• First 2 bytes Source port
• Next 2 bytes Destination port
• 4 bytes Sequence Number
• 4 bytes Acknowledgement Number
• 2 bytes Flags
• 2 bytes window size
• 2 bytes checksum
• 2 bytes urgent pointer
• The bytes following the TCP header are the packet data or payload of the packet
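The following Python decoder is an added example, not code from the deck or its author; it walks the header chain covered by the Ether, ARP, IPv4, UDP, ICMP and TCP sections above, using the Ethernet type field and then the IPv4 protocol byte to pick each next header, and it trims the IP payload to the IPv4 total length so Ethernet padding is not mistaken for packet data. It goes slightly beyond the fixed sizes on the slides in two places: the low nibble of the first IPv4 byte is used as the header length (0x45 means 20 bytes, but options can extend it) and the TCP data offset is used the same way. Checksums are carried but not verified. The frames it decodes (an ARP request, a padded UDP datagram to port 53, a TCP SYN and an ICMP echo request) are constructed inline with zero checksums and placeholder addresses.

```python
import struct

# Ethernet type values and IPv4 protocol numbers that the deck dispatches on
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 first, within the low 9 bits

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_ethernet(frame: bytes):
    # 14 bytes: 6 destination MAC, 6 source MAC, 2 type; the type picks the next header
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "type": etype}, frame[14:]

def parse_arp(data: bytes) -> dict:
    # 28 bytes in 9 fields; whatever follows is padding up to the minimum frame size
    if len(data) < 28:
        raise ValueError("ARP header truncated")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", data[:28])
    return {"hw_type": htype, "proto_type": ptype, "hw_size": hlen, "proto_size": plen, "opcode": op,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa), "target_mac": mac_str(tha),
            "target_ip": ip_str(tpa), "padding": len(data) - 28}

def parse_ipv4(data: bytes):
    # First byte = version (high nibble) + header length in 32-bit words (low nibble): 0x45 is
    # version 4 with the usual 20-byte header, but IP options can make the header longer.
    if len(data) < 20 or data[0] >> 4 != 4 or (ihl := (data[0] & 0x0F) * 4) < 20 or ihl > len(data):
        raise ValueError("not a well-formed IPv4 header")
    dsf, total_len, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack("!BHHHBBH4s4s", data[1:20])
    if total_len < ihl or total_len > len(data):
        raise ValueError(f"IPv4 total length {total_len} does not fit in {len(data)} bytes")
    hdr = {"ihl": ihl, "dsf": dsf, "total_length": total_len, "id": ident, "flags": flags_frag >> 13,
           "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto, "checksum": csum,
           "src_ip": ip_str(src), "dst_ip": ip_str(dst)}
    # total length bounds the IP payload; bytes past it are link-layer padding, not packet data
    return hdr, data[ihl:total_len]

def parse_udp(data: bytes) -> dict:
    if len(data) < 8:
        raise ValueError("UDP header truncated")
    sport, dport, length, csum = struct.unpack("!HHHH", data[:8])
    if length < 8 or length > len(data):
        raise ValueError(f"UDP length {length} does not fit in {len(data)} bytes")
    return {"src_port": sport, "dst_port": dport, "length": length, "checksum": csum,
            "payload": data[8:length]}  # payload = length field value - 8 header bytes

def parse_icmp(data: bytes) -> dict:
    if len(data) < 8:
        raise ValueError("ICMP header truncated")
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return {"type": typ, "code": code, "checksum": csum, "id": ident, "seq": seq, "payload": data[8:]}

def parse_tcp(data: bytes) -> dict:
    if len(data) < 20:
        raise ValueError("TCP header truncated")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    doff = (off_flags >> 12) * 4  # data offset: header length including options, 20 when there are none
    if doff < 20 or doff > len(data):
        raise ValueError(f"bad TCP data offset {doff}")
    flags = off_flags & 0x01FF
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "header_len": doff, "flags": flags,
            "flag_names": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
            "window": win, "checksum": csum, "urgent": urg, "payload": data[doff:]}

TRANSPORT = {IPPROTO_UDP: ("udp", parse_udp), IPPROTO_TCP: ("tcp", parse_tcp), IPPROTO_ICMP: ("icmp", parse_icmp)}

def decode_frame(frame: bytes) -> dict:
    eth, rest = parse_ethernet(frame)
    out = {"eth": eth}
    if eth["type"] == ETHERTYPE_ARP:
        out["arp"] = parse_arp(rest)
    elif eth["type"] == ETHERTYPE_IPV4:
        out["ipv4"], payload = parse_ipv4(rest)
        if out["ipv4"]["protocol"] in TRANSPORT:  # the protocol byte decides the next header
            name, parser = TRANSPORT[out["ipv4"]["protocol"]]
            out[name] = parser(payload)
    return out

# Constructed sample frames for this example (not captures from the deck); checksums are left zero.
def _eth(etype: int, payload: bytes) -> bytes:
    return bytes.fromhex("001122334455" "aabbccddeeff") + struct.pack("!H", etype) + payload

def _ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 128, proto, 0,
                       bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + payload

SAMPLE_ARP = _eth(ETHERTYPE_ARP, struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1, bytes.fromhex("aabbccddeeff"),
                                             bytes([10, 0, 0, 2]), b"\0" * 6, bytes([10, 0, 0, 1]))) + b"\0" * 18
SAMPLE_UDP = _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_UDP, struct.pack("!HHHH", 53000, 53, 8 + 5, 0) + b"query")) + b"\0" * 7
SAMPLE_TCP = _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_TCP, struct.pack("!HHIIHHHH", 40000, 443, 1000, 0, (5 << 12) | 0x002, 65535, 0, 0)))
SAMPLE_ICMP = _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 7) + b"ping"))
```

Call `decode_frame()` on the `data` bytes of a pcap record (for an Ethernet capture, link-layer type 1); for `SAMPLE_UDP` the seven trailing padding bytes never reach the UDP payload because the IPv4 total length (33) and the UDP length (13) both bound it, which is the practical reason the deck stresses the total length field.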
THANK YOU