6.15 Packet Analysis

 <  Day Day Up  >  

In this section, we examine a sample packet as captured by a sniffer. It is important to understand how to edit packets at the byte level so that you can understand how fragmentation attacks work. Figure 6-6 shows the hex dump of a sample packet that we have captured.

Figure 6-6. Hex dump of a sample packet
figs/sw_0606.gif

We will focus on the first 54 bytes, which comprise the frame header (14 bytes), the IP header (20 bytes), and the protocol header (20 bytes), as seen here:

 00 10 67 00 B1 DA 00 50 BA 42 E7 70 08 00 45 00 01 66 F4 19 40 00 80 06 BA 77 D0 BE 2A 09 40         1D 10 1C 08 CB 00 50 20 14 12 6A 49 E6 C5 36 50 18 44 70 37 0B 00 00 

Scanning from left to right, we read the first 14 bytes; they comprise the frame header, which in this packet provides us with the source MAC address ( 00 10 67 00 B1 DA ) and the destination MAC address ( 00 50 BA 42 E7 70 ). The final 08 00 marks the beginning of the IP datagram.

The next 20 bytes comprise the IP header, as shown here:

 45 00 01 66 F4 19 40 00 80 06 BA 77 D0 BE 2A 09 40 1D 10 1C 

At the end of this header are the source IP address ( D0 BE 2A 09 ) and the destination IP address ( 40 1D 10 1C ).

Converting the destination IP address to decimal gives us the following:

 40 1D 10 1C = 62.29.16.28 

which is the IP address that resolves to the URL http://www.virusmd.com .

The final 20 bytes form the TCP header, shown here:

 08 CB 00 50 20 14 12 6A 49 E6 C5 36 50 18 44 70 37 0B 00 00 

This section contains the following information:

  • Source port

  • Destination port ( 00 50 = 80 = http:// port )

  • Sequence number

  • Acknowledgment number

  • Header length

  • TCP flags

These are the TCP flags:


URG

Indicates that the packet contains important data


ACK

Provides an acknowledgment of the last packet (all packets except the first have this set)


PSH

Sends immediately, even if the buffer isn't full


RST

Resets the connection (an error occurred)


SYN

Starts a connection


FIN

Closes a connection

 <  Day Day Up  >  


Security Warrior
Security Warrior
ISBN: 0596005458
EAN: 2147483647
Year: 2004
Pages: 211

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net