The following appendix will help you in your security-related endeavors. We chose to include this information because we use it consistently on nearly every engagement we work on. First, you will find the protocol headers, which relate directly to the sniffers discussed in Chapter 16. After the protocol headers, there is a standard ASCII chart that will not only help you decipher the contents of network traffic, but will also aid you in converting the hexadecimal values you encounter when using the generalized viewers in Chapter 25.
This portion of the appendix is provided as a reference for Chapter 16, which describes sniffers. Because the layout of packets on the network can be very cryptic, we felt this appendix would give you a head start when decoding nefarious packets on the Internet. References are given for each of the packet types listed in this appendix.
The value of the frame's type field determines the size and layout of the data area that follows it. The following table describes the fields following "type," depending on its value:

Type | Field | Length (bytes)
---|---|---
0800 | IP Datagram | 46-1500 (variable)
0806 | ARP Request/Reply | 28
 | PAD | 18
8035 | RARP Request/Reply | 28
 | PAD | 18
The "type" and "code" of an ICMP packet change the rest of the packet's characteristics. The next table provides a summary of the different types of ICMP packets you may encounter:

Type | Code | Description
---|---|---
0 | 0 | Echo reply
3 | | Destination unreachable
 | 0 | Network unreachable
 | 1 | Host unreachable
 | 2 | Protocol unreachable
 | 3 | Port unreachable
 | 4 | Fragmentation needed but don't-fragment bit is set
 | 5 | Source route failed
 | 6 | Destination network unknown
 | 7 | Destination host unknown
 | 8 | Source host isolated (obsolete)
 | 9 | Destination network admin prohibited
 | 10 | Destination host admin prohibited
 | 11 | Network unreachable for TOS
 | 12 | Host unreachable for TOS
 | 13 | Communication admin prohibited by filtering
 | 14 | Host precedence violation
 | 15 | Precedence cutoff in effect
4 | 0 | Source quench
5 | | Redirect
 | 0 | Redirect for network
 | 1 | Redirect for host
 | 2 | Redirect for TOS and network
 | 3 | Redirect for TOS and host
8 | 0 | Echo request
9 | 0 | Router advertisement
10 | 0 | Router solicitation
11 | | Time exceeded
 | 0 | Time-To-Live equals 0 during transit
 | 1 | Time-To-Live equals 0 during reassembly
12 | | Parameter problem
 | 0 | IP header bad
 | 1 | Required option missing
13 | 0 | Timestamp request
14 | 0 | Timestamp reply
15 | 0 | Information request
16 | 0 | Information reply
17 | 0 | Address mask request
18 | 0 | Address mask reply
The next table summarizes the fields within the packet (after the checksum) designated by specific values of "type" and "code":

ICMP Type; Code | Field | Length (bits)
---|---|---
0 or 8; 0 | Identifier | 16
 | Sequence Number | 16
 | Data | Variable
3; 0-15 | Unused (must be 0) | 32
 | IP Header + first 64 bits of original IP datagram data | Variable
4; 0 | Unused | 32
 | IP Header + first 64 bits of original IP datagram data | Variable
5; 0-3 | Gateway Internet Address | 32
 | IP Header + first 64 bits of original IP datagram data | Variable
11; 0 or 1 | Unused | 32
 | IP Header + first 64 bits of original IP datagram data | Variable
12; 0 | Pointer | 8
 | Unused | 24
 | IP Header + first 64 bits of original IP datagram data | Variable
13 or 14; 0 | Identifier | 16
 | Sequence Number | 16
 | Originate Timestamp | 32
 | Receive Timestamp | 32
 | Transmit Timestamp | 32
15 or 16; 0 | Identifier | 16
 | Sequence Number | 16
17 or 18; 0 | Identifier | 16
 | Sequence Number | 16
 | Subnet Mask | 32
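The three tables above (frame type values, ICMP type/code names, and the type-specific fields after the checksum) can be exercised together with a small decoder of the kind a sniffer applies to each captured frame. The following Python is an added example, not code from the book: it builds constructed sample frames (the MAC addresses, the 10.0.0.1 and 10.0.0.2 IP addresses, and the identifier 0x1234 are made up for this example), walks Ethernet, IPv4 and ICMP using the tables, and verifies the ICMP checksum (RFC 1071 one's-complement sum) so that a corrupted or forged message is flagged instead of being decoded as if it were valid.

```python
import struct

# Lookup tables transcribed from the appendix tables above.
ETHERTYPES = {0x0800: "IP Datagram", 0x0806: "ARP Request/Reply", 0x8035: "RARP Request/Reply"}
ICMP_TYPES = {0: "Echo reply", 3: "Destination unreachable", 4: "Source quench",
              5: "Redirect", 8: "Echo request", 9: "Router advertisement",
              10: "Router solicitation", 11: "Time exceeded", 12: "Parameter problem",
              13: "Timestamp request", 14: "Timestamp reply", 15: "Information request",
              16: "Information reply", 17: "Address mask request", 18: "Address mask reply"}
ICMP_CODES = {
    3: {0: "Network unreachable", 1: "Host unreachable", 2: "Protocol unreachable",
        3: "Port unreachable", 4: "Fragmentation needed but don't-fragment bit is set",
        5: "Source route failed", 6: "Destination network unknown",
        7: "Destination host unknown", 8: "Source host isolated (obsolete)",
        9: "Destination network admin prohibited", 10: "Destination host admin prohibited",
        11: "Network unreachable for TOS", 12: "Host unreachable for TOS",
        13: "Communication admin prohibited by filtering", 14: "Host precedence violation",
        15: "Precedence cutoff in effect"},
    5: {0: "Redirect for network", 1: "Redirect for host",
        2: "Redirect for TOS and network", 3: "Redirect for TOS and host"},
    11: {0: "Time-To-Live equals 0 during transit", 1: "Time-To-Live equals 0 during reassembly"},
    12: {0: "IP header bad", 1: "Required option missing"},
}

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    """Assemble an ICMP message with a correct checksum (used only to build sample input)."""
    chk = internet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, chk) + body

def build_frame(icmp: bytes) -> bytes:
    """Wrap ICMP in a minimal IPv4 header and an Ethernet II frame with constructed
    addresses (10.0.0.1 -> 10.0.0.2), padding the payload to the 46-byte minimum."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800) + (ip + icmp).ljust(46, b"\x00")

def parse_icmp(msg: bytes) -> dict:
    """Decode type, code and the type-specific fields that follow the checksum."""
    icmp_type, code = msg[0], msg[1]
    info = {"type": icmp_type, "code": code,
            "type_name": ICMP_TYPES.get(icmp_type, "unknown"),
            "code_name": ICMP_CODES.get(icmp_type, {}).get(code, ""),
            "checksum_ok": internet_checksum(msg) == 0}
    body = msg[4:]
    if icmp_type in (0, 8, 13, 14, 15, 16, 17, 18):
        info["identifier"], info["sequence"] = struct.unpack("!HH", body[:4])
        if icmp_type in (0, 8):
            info["data"] = body[4:]
        elif icmp_type in (13, 14):
            info["originate"], info["receive"], info["transmit"] = struct.unpack("!III", body[4:16])
        elif icmp_type in (17, 18):
            info["subnet_mask"] = ".".join(str(b) for b in body[4:8])
    elif icmp_type in (3, 4, 5, 11, 12):
        if icmp_type == 5:
            info["gateway"] = ".".join(str(b) for b in body[:4])
        elif icmp_type == 12:
            info["pointer"] = body[0]
        info["original_datagram"] = body[4:]  # IP header + first 64 bits of original data
    return info

def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> ICMP, using the IP total length to drop Ethernet padding."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"ethertype": ethertype, "ethertype_name": ETHERTYPES.get(ethertype, "unknown")}
    if ethertype != 0x0800:
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    out["ip_checksum_ok"] = internet_checksum(ip[:ihl]) == 0
    out["ip_protocol"] = ip[9]
    if ip[9] == 1:  # ICMP
        out["icmp"] = parse_icmp(ip[ihl:total_len])
    return out

# Constructed sample traffic (not a real capture): an echo request, and a
# port-unreachable error quoting the first 28 bytes of the datagram it answers.
ECHO_REQUEST = build_frame(build_icmp(8, 0, struct.pack("!HH", 0x1234, 1) + b"abcdefgh"))
PORT_UNREACHABLE = build_frame(build_icmp(3, 3, b"\x00" * 4 + ECHO_REQUEST[14:42]))

if __name__ == "__main__":
    for frame in (ECHO_REQUEST, PORT_UNREACHABLE):
        print(parse_frame(frame)["icmp"])
```

Two details matter when you write a decoder like this by hand: the IP total-length field, not the frame length, bounds the ICMP message, because the 46-byte Ethernet minimum leaves trailing padding that would otherwise be read as echo data and break the checksum; and the checksum is validated by summing the whole message including the checksum field, which yields zero for a valid message, so a single flipped byte is detected without recomputing anything.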