6.15 Packet Analysis


In this section, we examine a sample packet as captured by a sniffer. Being able to read and edit a packet at the byte level is a prerequisite for understanding how fragmentation attacks work, since those attacks depend on hand-crafting the IP header's flags and fragment-offset fields. Figure 6-6 shows the hex dump of a sample packet that we have captured.

Figure 6-6. Hex dump of a sample packet

We will focus on the first 54 bytes, which comprise the Ethernet frame header (14 bytes), the IP header (20 bytes), and the TCP header (20 bytes), as seen here:

 00 10 67 00 B1 DA 00 50 BA 42 E7 70 08 00 45 00 01 66 F4 19 40 00 80 06 BA 77 D0 BE 2A 09 40 1D 10 1C 08 CB 00 50 20 14 12 6A 49 E6 C5 36 50 18 44 70 37 0B 00 00 

Scanning from left to right, we read the first 14 bytes; they comprise the Ethernet II frame header. Note that the destination address comes first on the wire: the destination MAC address is 00 10 67 00 B1 DA and the source MAC address is 00 50 BA 42 E7 70. The final two bytes, 08 00, are the EtherType, which identifies the payload as an IPv4 datagram; the IP header begins immediately after them.

The next 20 bytes comprise the IP header, as shown here:

 45 00 01 66 F4 19 40 00 80 06 BA 77 D0 BE 2A 09 40 1D 10 1C 

The first byte, 45, packs two fields: the version (4) and the header length in 32-bit words (5, i.e., 20 bytes). The total length 01 66 (358 bytes) covers the IP header, the TCP header, and 318 bytes of payload. The identification field is F4 19, and the flags/fragment-offset word 40 00 has the Don't Fragment bit set with a fragment offset of zero; these are the fields a fragmentation attack manipulates. The TTL is 80 (128) and the protocol is 06 (TCP), followed by the header checksum BA 77. At the end of this header are the source IP address ( D0 BE 2A 09 ) and the destination IP address ( 40 1D 10 1C ).

Converting the two addresses to dotted decimal gives us the following:

 D0 BE 2A 09 = 208.190.42.9 
 40 1D 10 1C = 64.29.16.28 

The destination, 64.29.16.28 (note that 0x40 is 64, not 62), is the address that www.virusmd.com resolved to when this packet was captured.

The final 20 bytes form the TCP header, shown here:

 08 CB 00 50 20 14 12 6A 49 E6 C5 36 50 18 44 70 37 0B 00 00 

This section contains the following information:

  • Source port ( 08 CB = 2251, an ephemeral client port )

  • Destination port ( 00 50 = 80 = http:// port )

  • Sequence number ( 20 14 12 6A )

  • Acknowledgment number ( 49 E6 C5 36 )

  • Header length ( the upper nibble of 50 = 5 words = 20 bytes, so this header carries no options )

  • TCP flags ( the low six bits of 18 = PSH and ACK, so this is a data segment in an established connection )

  • Window size ( 44 70 = 17520 bytes )

  • Checksum ( 37 0B, computed over a pseudo-header, the TCP header, and the payload )

  • Urgent pointer ( 00 00, meaningful only when URG is set )

These are the TCP flags:


URG

Indicates that the urgent pointer field is valid and the segment carries data the receiver should process ahead of the normal stream


ACK

Indicates that the acknowledgment number is valid (every segment after the initial SYN has this set)


PSH

Asks the receiver to deliver the data to the application immediately rather than holding it in a buffer until more arrives


RST

Resets the connection (an error occurred, or no process is listening on the port)


SYN

Starts a connection and synchronizes the initial sequence number


FIN

Closes the sender's side of the connection; no more data will follow
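As an added example that is not part of the original book, the following Python decoder walks the same 54 header bytes exactly as the text does: it unpacks the Ethernet II, IPv4, and TCP fields with struct, verifies the IP header checksum using the RFC 1071 one's-complement sum, and decodes the Don't Fragment / More Fragments bits and fragment offset that fragmentation attacks manipulate. The hex bytes are the ones printed above; the field layouts are the standard ones from RFC 894, RFC 791, and RFC 793. The TCP checksum cannot be verified here because the 318-byte payload is not shown on the page.

```python
"""Byte-level decode of the 54-byte Ethernet/IP/TCP header prefix from the page."""
import struct

# The 54 header bytes printed on the page (frame header + IP header + TCP header).
HEADER_HEX = (
    "00 10 67 00 B1 DA 00 50 BA 42 E7 70 08 00"
    " 45 00 01 66 F4 19 40 00 80 06 BA 77 D0 BE 2A 09 40 1D 10 1C"
    " 08 CB 00 50 20 14 12 6A 49 E6 C5 36 50 18 44 70 37 0B 00 00"
)
HEADER = bytes.fromhex(HEADER_HEX)

# TCP flag bits, least significant first (RFC 793 control bits).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IP header.

    Returns 0 when the checksum field embedded in the header is correct.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode(frame):
    """Parse Ethernet II + IPv4 + TCP headers from the start of a raw frame."""
    # Ethernet II: destination MAC comes first on the wire, then source, then EtherType.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")

    ip = frame[14:]
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length is in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 version or header length")
    if proto != 6:
        raise ValueError(f"not TCP: IP protocol {proto}")

    tcp = ip[ihl:]
    (sport, dport, seq, ack, off_flags,
     window, tcp_csum, urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4      # upper nibble, in 32-bit words
    flag_bits = off_flags & 0x3F             # low six bits are the control flags

    return {
        "dst_mac": mac(dst_mac),
        "src_mac": mac(src_mac),
        "ip": {
            "ihl": ihl,
            "total_length": total_len,
            "id": ident,
            "df": bool(flags_frag & 0x4000),           # Don't Fragment
            "mf": bool(flags_frag & 0x2000),           # More Fragments
            "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
            "ttl": ttl,
            "protocol": proto,
            "checksum_ok": ip_checksum(ip[:ihl]) == 0,
            "src": ipv4(src),
            "dst": ipv4(dst),
        },
        "tcp": {
            "sport": sport,
            "dport": dport,
            "seq": seq,
            "ack": ack,
            "data_offset": data_offset,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)],
            "window": window,
            "checksum": tcp_csum,
            "urgent_pointer": urg,
        },
        # Bytes after both headers; payload itself is not shown on the page.
        "payload_length": total_len - ihl - data_offset,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(decode(HEADER), indent=2))
```

Running the script prints every field the text walks through, and the checksum check passing confirms that the 20 IP header bytes on the page are internally consistent. To experiment with fragmentation, change the 40 00 flags/offset word to set MF or a non-zero offset and re-run; ip_checksum(header) then returns the amount by which the stored checksum must be corrected, which is exactly what a packet-crafting tool has to do after editing a header.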



Security Warrior
ISBN: 0596005458
Year: 2004